HC3 Analyst Note (TLP: White): Conti Ransomware, May 25, 2021

Executive Summary

Conti ransomware has recently been brought back into the spotlight by its attack on Ireland’s national health system, the Health Service Executive (HSE). Conti leverages many of the tools and techniques common among major ransomware operators, such as encryption, double extortion via a leak site, and ransomware-as-a-service partnerships, along with many of the frequently successful infection vectors such as phishing and remote desktop protocol (RDP) compromise, among others. One of several recommendations given by Sophos security researchers to protect networks from Conti is to keep regular backups of important and current data on an offline storage device.

Report

On May 14, 2021, Ireland’s HSE shut down “all national and local IT systems” in response to a Conti ransomware attack detected on their networks. The shutdown was an effort to contain the ransomware and “to protect [the systems] from encryption by attackers.” Additionally, all HSE employees were instructed to turn off their computers and not turn on computers that were already powered down.

Conti ransomware is ransomware-as-a-service malware that targets victims primarily in North America and Western Europe. According to Sophos, the industries most frequently targeted by Conti are retail, manufacturing, construction, and the public sector, but any sector or industry can be targeted. Coveware found Conti to have one of the biggest market shares of all ransomware operators in the first quarter of 2021. Conti is generally considered a successor to the Ryuk ransomware; however, one significant distinction between the two malware families is that Conti uses the double-extortion technique.

The double-extortion technique demands a ransom payment from the victim for the decryption key that will allow the victim to regain access to their encrypted files. If the ransom is not paid, the attackers leak some or all of the victim’s stolen information on the Conti leaks website, where anyone can download it. In other instances, the attackers sell the stolen data to other criminals, who use it to further exploit the victim. Conti is known to use the cloud storage provider Mega to store victims’ data.

Conti gains access to victims’ networks through various means, including vulnerable firewalls, exposed remote desktop protocol (RDP) services, and phishing for user credentials via spam emails. After initial access, Conti uses a two-stage process to infect the victim’s network. The first stage uses a Cobalt Strike DLL “that allocates the memory space needed to decrypt and load meterpreter shellcode into system memory.” After the implant contacts the command-and-control (C2) server, the second stage occurs when “another Cobalt Strike shellcode loader that contains the reflective DLL loader instructions” is sent to the victim. Conti’s manner of delivery makes it difficult for network defenders to identify it. As Sophos researchers explain, “[b]ecause the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system ... [t]here is no artifact of the ransomware left behind for even a diligent malware analyst to discover and study.”

After infection, the ransomware can immediately begin to encrypt the victim’s files (Conti uses a unique AES-256 encryption key per file, which is then encrypted with an RSA-4096 encryption key) while, “at the same time, sequentially attempting to connect to other computers on the same network subnet, in order to spread to nearby machines, using the SMB port.” It can take attackers as little as 15 minutes to move from server to server within a compromised network. Conti takes less than 20 minutes to set up communications with the C2, but even if those communications cannot be established, it can encrypt the victim’s files without C2 instructions. According to researchers at Sophos, because the encryption process can take hours, “most targeted ransomware attacks are launched in the middle of the night, over a weekend or on a holiday, when fewer people are watching.”
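The in-memory delivery described above leaves little on disk, but the sequential SMB connection attempts across the local subnet do leave a network-side footprint. The following detection logic is an added example, not part of the HC3 note or of any vendor product: it reads constructed flow-log lines (the line format, the 60-second window and the five-peer threshold are all assumptions) and flags a host that reaches many distinct same-/24 addresses on TCP 445 in a short span, whether or not those attempts were allowed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample flow-log lines (not from the report). One host walks its
# /24 on TCP 445 within seconds; another only talks to a single file server.
# Format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_FLOWS = """\
2021-05-14T02:10:01 10.20.5.17 -> 10.20.5.2:445 allow
2021-05-14T02:10:02 10.20.5.17 -> 10.20.5.3:445 deny
2021-05-14T02:10:03 10.20.5.17 -> 10.20.5.4:445 allow
2021-05-14T02:10:04 10.20.5.17 -> 10.20.5.5:445 deny
2021-05-14T02:10:05 10.20.5.17 -> 10.20.5.6:445 allow
2021-05-14T02:10:06 10.20.5.17 -> 10.20.5.7:445 deny
2021-05-14T02:10:07 10.20.5.17 -> 8.8.8.8:443 allow
2021-05-14T02:11:00 10.20.5.40 -> 10.20.5.200:445 allow
2021-05-14T02:12:00 10.20.5.40 -> 10.20.5.200:445 allow
2021-05-14T02:13:00 10.20.5.40 -> 10.20.5.200:445 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$")

def parse_flows(text):
    """Yield (timestamp, src, dst, port); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))

def detect_smb_fanout(text, window_seconds=60, min_peers=5):
    """Return {src: sorted distinct peers} for hosts reaching >= min_peers distinct
    same-/24 addresses on TCP 445 within any window_seconds span (denied attempts
    count too: a sweep that is mostly blocked is still a sweep)."""
    recent = defaultdict(deque)  # src -> (ts, dst) events inside the window
    alerts = {}
    for ts, src, dst, port in sorted(parse_flows(text)):
        if port != 445 or dst == src:
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(f"{src}/24", strict=False):
            continue  # off-subnet SMB is a different question; keep this rule focused
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        peers = {d for _, d in q}
        if len(peers) >= min_peers:
            alerts[src] = sorted(peers | set(alerts.get(src, [])))
    return alerts
```

On the sample input only 10.20.5.17 is flagged; the host that repeatedly reaches one file server never accumulates enough distinct peers, which is what keeps the rule quiet on ordinary file-share traffic.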

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272