Best Practices to Protect Against Conti Ransomware, from Case Study to Recovery
Carrying on from our recent work on Prometheus Ransomware, we have new thoughts and intelligence to share on Conti Ransomware. However, considering the current climate and chatter across the global cyber landscape, we thought it best to also discuss how enterprises today should approach best practices regarding protection against ransomware.
Part I – Conti Ransomware Case Study
When our post-breach Digital Forensic Incident Response (DFIR) investigation began, several domain controllers (DCs) had already been compromised, and a large amount of data had already been encrypted and exfiltrated.
Our investigation was further complicated by two factors: one affected DC had been reinstalled unexpectedly, and the Active Directory (AD) was managed not by the customer directly but by a third-party IT service provider.
This campaign consisted of two main waves of attacks.
Fig 2. Cyber situation graph of customer’s affected environment
First Wave Operation
As soon as our investigation began, we detected an oci.dll backdoor on an endpoint. It was still active.
Fig 3. CobaltStrike DLL Side Loading
The oci.dll functioned as a CobaltStrike Beacon. It is very common for threat actors to have the legitimate msdtc.exe side-load a malicious DLL (such as this oci.dll) in order to evade detection and maintain persistence.
Fig 4. CobaltStrike Beacon oci.dll via DLL SideLoading
On the dates shown above in October, the attackers attempted to execute PSEXEC for lateral movement and RAR for data compression.
Fig 5. PSEXEC and RAR
The attackers executed PROCDUMP to dump the memory of lsass.exe, which holds Windows authentication material. By cracking that material offline, the attackers could have harvested the credentials of high-privileged accounts.
Fig 6. Procdump execution
On endpoint EP-5, the attackers used lpg.dll as the main backdoor. Later, WMI and SCHTASKS were used to launch a series of attacks and then move laterally to other endpoints.
Fig 7. Process tree to launch ransomware
On the customer-controlled AD server, DC-1, several artifacts of lateral movement were found dated between 11/20 and 11/21. Malware was implanted on four other endpoints: EP-5, EP-4, EP-3, and EP-6.
Fig 8. Command-line information
Fig 9. Conti Ransomware – 1
Fig 10. Conti Ransomware – 2
Several files were remotely copied to endpoint EP-5, accompanied by several logon events originating from the compromised DC server.
Fig 11. Timeline Analysis in EP5
Afterward, the malware connected back to its C2, 173[.]234.155.85 (arcnew[.]com).
Fig 12. Execution Event for Launching Ransomware
Extracted CobaltStrike Beacon configuration:
BeaconType – HTTPS
Port – 443
SleepTime – 5000
MaxGetSize – 1401323
Jitter – 10
MaxDNS – 235
PublicKey – b’0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x8b6g;+\r(\xe3\xbb\xfa\xab&\xab\xf5/\xa0\x83dw\xaf\x81xd4cX\x8b\xcev&<“\x93}\xdet\n\xb0\x10\xdc\x03\xc8\xc0\xe52P\x80\x02\xd1\xc0M-\xe9C\xb6\xa7\x01\x943b\xe4Nj~\xd3)O\x02\xff\xc7\xe0\xa1\xa0\x92=\xb2@ \xf7\x8c\x98\xe3%\x07\x8c\\\xed\xe7/\xbdRO\x90\x1d\xb5R\x7f\x15\x84\xbe\x872\xdf\xd8\x17]”\x1d\xc7r\xdd4\x12Y\xa0r\x15\x8c\x1e\x9e[\x96\xd5\xbfs \xf0}\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00′
C2Server – arcnew.com,/us/ky/louisville/312-s-fourth-st.html
UserAgent – Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri – /OrderEntryService.asmx/AddOrderLine
HttpGet_Metadata – Accept: */*
HttpPost_Metadata – Accept: */*
SpawnTo – b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DNS_Idle – 18.104.22.168
DNS_Sleep – 0
SSH_Host – None
SSH_Port – None
SSH_Username – None
SSH_Password_Plaintext – None
SSH_Password_Pubkey – None
HttpGet_Verb – GET
HttpPost_Verb – POST
HttpPostChunk – 0
Spawnto_x86 – %windir%\syswow64\mstsc.exe
Spawnto_x64 – %windir%\sysnative\mstsc.exe
CryptoScheme – 0
Proxy_Config – None
Proxy_User – None
Proxy_Password – None
Proxy_Behavior – Use IE settings
Watermark – 0
bStageCleanup – True
bCFGCaution – True
KillDate – 0
bProcInject_StartRWX – True
bProcInject_UseRWX – False
bProcInject_MinAllocSize – 16700
ProcInject_PrependAppend_x86 – b'\x90\x90\x90'
ProcInject_PrependAppend_x64 – b'\x90\x90\x90'
ProcInject_Execute – ntdll:RtlUserThreadStart
ProcInject_AllocationMethod – NtMapViewOfSection
bUsesCookies – True
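The configuration dump above is most useful once it is turned into something the SOC can act on: the C2 host and URIs to block, the user agent to hunt for in proxy logs, the spawn-to binaries to watch for, and the check-in interval a beaconing detector should expect. The following parser is an added example written for this post, not code from the original investigation or from any Cobalt Strike tooling; it reads the "Key – Value" layout shown above (accepting either an en dash or a hyphen as separator), assumes C2Server holds comma-separated host,uri pairs, assumes jitter shortens the sleep by up to the given percentage, and uses a constructed subset of the page's own values as sample input.

```python
"""Turn a Cobalt Strike Beacon configuration dump into a defender's
indicator set (C2 hosts, URIs, user agent, spawn-to paths, expected
check-in interval).  Added example, not the original post's code;
SAMPLE_CONFIG is a constructed subset of the dump printed on this page."""
import re

SAMPLE_CONFIG = """\
BeaconType – HTTPS
Port – 443
SleepTime – 5000
Jitter – 10
C2Server – arcnew.com,/us/ky/louisville/312-s-fourth-st.html
UserAgent – Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri – /OrderEntryService.asmx/AddOrderLine
HttpGet_Verb – GET
HttpPost_Verb – POST
Spawnto_x86 – %windir%\\syswow64\\mstsc.exe
Spawnto_x64 – %windir%\\sysnative\\mstsc.exe
Watermark – 0
"""

# One "Key – Value" pair per line; the page uses an en dash, most parser
# outputs use a plain hyphen, so accept both.
LINE_RE = re.compile(r"^\s*(\w+)\s*[-\u2013]\s*(.*?)\s*$")


def parse_beacon_config(text: str) -> dict:
    """Parse the dump into a dict of raw string values."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def checkin_window_seconds(cfg: dict) -> tuple:
    """Expected interval between check-ins.  Assumption: jitter shortens the
    sleep by up to Jitter percent, so the window is [sleep*(1-j/100), sleep]."""
    sleep = int(cfg.get("SleepTime", 0)) / 1000.0
    jitter = int(cfg.get("Jitter", 0))
    return (sleep * (1 - jitter / 100.0), sleep)


def extract_indicators(cfg: dict) -> dict:
    """Pull the network- and host-level artefacts a SOC would block or hunt for."""
    # Assumption: C2Server is a comma-separated list of host,uri pairs.
    parts = [p.strip() for p in cfg.get("C2Server", "").split(",") if p.strip()]
    hosts, get_uris = parts[0::2], parts[1::2]
    return {
        "hosts": hosts,
        "port": int(cfg.get("Port", 0)),
        "get_uris": get_uris,
        "post_uri": cfg.get("HttpPostUri", ""),
        "user_agent": cfg.get("UserAgent", ""),
        # Processes the beacon spawns for post-exploitation jobs; mstsc.exe
        # started with no interactive session is worth a hunt on its own.
        "spawnto": [cfg.get("Spawnto_x86", ""), cfg.get("Spawnto_x64", "")],
        "checkin_window_s": checkin_window_seconds(cfg),
        # A zero watermark is commonly seen with cracked or leaked builds.
        "watermark_zero": cfg.get("Watermark") == "0",
    }


if __name__ == "__main__":
    for key, value in extract_indicators(parse_beacon_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

The check-in window is the piece most often missed: with SleepTime 5000 and Jitter 10 the beacon calls home every 4.5 to 5 seconds, which is a tight, regular cadence that a proxy-log beaconing query can pick out against the listed user agent.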
Second Wave Operation
The second wave of attacks was launched in December, demonstrating the attackers’ persistence and sophistication.
C2 173.34.155[.]85 had been used in the first wave of attacks, communicating with endpoint EP-5, and it was used again in the second wave. The second wave was launched from one malicious file (rez64.dll) on DC-2.
- 2020-12-06 07:32:00 DC-2, C:\ProgramData\left.dll
- 2020-12-06 08:04:18 DC-2, C:\ProgramData\left.dll,StartW
- 2020-12-06 09:10:41 AP-1, C:\ProgramData\left.dll
- 2020-12-06 10:12:11 EP-7, C:\ProgramData\rez64.dll
- 2020-12-07 07:36:53 DC-2, C:\ProgramData\rez64.dll,StartW
- 2020-12-07 07:42:33 DC-2, C:\ProgramData\sql.dll
- 2020-12-07 10:42:07 AP-1, C:\ProgramData\sql.dll
Fig 13. Time Bomb for Conti Ransomware
The attack compromised AP-1 and used both WMIC and SCHTASKS to dump the lsass process on the remote host EP-8. The corresponding process dump activities observed on EP-8 are listed below.
Fig 14. The other privilege escalation commands
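Every technique in the two waves above leaves a process-creation or image-load record: msdtc.exe loading a DLL from a user-writable path, PROCDUMP pointed at lsass.exe, PSEXEC, WMIC with /node: creating processes on another host, rundll32 running a ProgramData DLL by its StartW export, and shadow-copy deletion. The following triage script is an added example written for this post, not code from the original investigation; it runs a handful of such rules over constructed, Sysmon-shaped sample events (not the customer's logs) and also computes the "breakout time" metric discussed in Part III, measured here as the gap between the first C2 artefact and the first lateral-movement artefact.

```python
"""Rule-based triage of endpoint telemetry for the tradecraft seen in this
case, plus a breakout-time calculation.  Added example, not the original
post's code; EVENTS is constructed sample telemetry, not the customer's logs."""
from datetime import datetime

EVENTS = [
    {"ts": "2020-11-20 09:00:00", "host": "EP-5", "type": "ImageLoad",
     "image": r"C:\Windows\System32\msdtc.exe",
     "loaded": r"C:\ProgramData\oci.dll", "cmdline": ""},
    {"ts": "2020-11-20 09:05:12", "host": "EP-5", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"ts": "2020-11-20 10:41:30", "host": "EP-5", "type": "ProcessCreate",
     "image": r"C:\ProgramData\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe ls.dmp"},
    {"ts": "2020-11-20 11:12:05", "host": "DC-1", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\left.dll,StartW"},
    {"ts": "2020-11-20 11:30:00", "host": "DC-1", "type": "ProcessCreate",
     "image": r"C:\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\EP-4 -s cmd.exe"},
    {"ts": "2020-11-21 02:15:44", "host": "AP-1", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:EP-8 process call create notepad.exe"},
    {"ts": "2020-11-21 03:00:00", "host": "EP-5", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def rule_sideload(e):
    # msdtc.exe has no business loading DLLs from outside the system directories
    return (e["type"] == "ImageLoad"
            and e["image"].lower().endswith(r"\msdtc.exe")
            and not e["loaded"].lower().startswith(SYSTEM_DIRS))


def rule_lsass_dump(e):
    c = e["cmdline"].lower()
    return "procdump" in c and "lsass" in c


def rule_psexec(e):
    return e["image"].lower().endswith(("\\psexec.exe", "\\psexec64.exe"))


def rule_wmic_remote(e):
    c = e["cmdline"].lower()
    return c.startswith("wmic") and "/node:" in c and "process call create" in c


def rule_rundll32_programdata(e):
    c = e["cmdline"].lower()
    return "rundll32" in c and "\\programdata\\" in c and ",startw" in c


def rule_shadow_delete(e):
    c = e["cmdline"].lower()
    return "shadowcopy delete" in c or ("vssadmin" in c and "delete shadows" in c)


RULES = [
    ("DLL side-load into msdtc.exe", "command-and-control", rule_sideload),
    ("PROCDUMP of lsass.exe", "credential-access", rule_lsass_dump),
    ("PSEXEC execution", "lateral-movement", rule_psexec),
    ("WMIC remote process creation", "lateral-movement", rule_wmic_remote),
    ("rundll32 ProgramData DLL ,StartW", "execution", rule_rundll32_programdata),
    ("Shadow copy deletion", "impact", rule_shadow_delete),
]


def triage(events):
    """Return one finding per (event, matching rule), in event order."""
    return [{"ts": e["ts"], "host": e["host"], "rule": name, "phase": phase}
            for e in events for name, phase, pred in RULES if pred(e)]


def breakout_time_seconds(findings):
    """Seconds from the first C2 artefact to the first lateral movement;
    None when either phase is absent."""
    def first(phase):
        ts = sorted(f["ts"] for f in findings if f["phase"] == phase)
        return datetime.strptime(ts[0], "%Y-%m-%d %H:%M:%S") if ts else None
    c2, lateral = first("command-and-control"), first("lateral-movement")
    if c2 is None or lateral is None:
        return None
    return (lateral - c2).total_seconds()


if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:5} [{f['phase']}] {f['rule']}")
    print("breakout time (s):", breakout_time_seconds(found))
```

In the constructed timeline the side-load on EP-5 at 09:00 and the PSEXEC hop from DC-1 at 11:30 give a breakout time of 2.5 hours, close to the 2-hour average quoted later in this post; the point of computing it from your own telemetry is to know how much time your detection and response actually has before a single foothold becomes several.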
The attackers scheduled the ransomware to launch at midnight on 1 January 2021. In order to fully prevent this attack, we reversed the Conti ransomware variant and developed a digital vaccine against Conti, increasing the victim’s resilience and preventing any further attacks of a similar nature on their system.
In addition, we observed that, in the second wave of attacks in December, the attackers also exploited FortiGate VPNs. Cybersecurity researcher and active-window-screenshot enthusiast PeterM tweeted about the same discovery in January, suggesting that the threat actor behind these attacks had been abusing this technique across the globe. In August 2021, The Record reported on leaked material regarding Conti's affiliate partners. After reviewing these documents, we found many activities similar or identical to those in our case.
Fig 15. Discussion of Conti in Twitter @PeterM
Part II – Brief Analysis of Conti Ransomware
While still relatively young in the ransomware game, Conti ransomware has proven to be quite advanced compared to other active ransomware today. We will now take a closer look into three aspects of Conti ransomware that highlight the severity of this threat: sped-up encryption, an increased number of encrypted files, and detection evasion techniques.
Sped-up Encryption
- Increased strength of the encryption key
- Prioritizes speed; leverages encryption algorithm ChaCha
- Chooses different encryption methods according to the size of the targeted file
- Multi-threaded encryption
Conti ransomware uses ChaCha encryption, which encrypts faster than other algorithms such as AES. Before encrypting the targeted files, Conti generates an independent encryption key for each file, encrypts that key with RSA, and writes the encrypted key at the end of the file together with the file's original size.
Encrypting larger files typically takes more time. Conti's solution is to adopt different encryption methods for files of different sizes and extensions. High-value targets, which could include database files, HR endpoints, Enterprise Resource Planning (ERP) or Manufacturing Execution Systems (MES), are encrypted completely. Files that are too large (such as disk images or files larger than 5MB) are only partially encrypted.
Modern CPUs typically have multiple cores. To use computing resources more efficiently, Conti ransomware searches for encryption targets in independent threads and creates as many encryption threads as there are CPU cores, allowing it to encrypt files on multiple cores simultaneously. This increased encryption speed leads directly to the next problem.
Increased Number of Encrypted Files Per Attack
- Uses Restart Manager to release files locked by other applications
- Find network drives
Conti ransomware avoids noisy scans of the target environment: instead of sweeping the whole network, it port-scans the previously (and more commonly) connected network segments recorded in the ARP cache, locating additional connected network drives for encryption and ultimately encrypting more files. For files exclusively owned by other applications, Conti uses Restart Manager to close the running programs, allowing even more files to be encrypted.
Detection Evasion Techniques
- Turns off restore and antivirus programs
- Program packing and obfuscation
To reduce the probability of data being restored, Conti ransomware uses WMIC to delete shadow copies. The ransomware also uses a distinctive program obfuscation strategy: each string in the program is decrypted using its own algorithm, and nothing in the import table is hidden; instead, when an API is referenced dynamically, a variant of MurmurHash is used to locate it, making static features hard to observe.
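When imports are resolved by hash, the analyst's counter-move is to precompute the hash of every export the sample could want and map the constants found in the binary back to names. The script below is an added example written for this post, not code from the original analysis. It assumes the hash is the public reference MurmurHash2 (32-bit, little-endian, seed 0); the post only says Conti uses "a variant of MurmurHash", so the seed, byte order and any pre-processing of the name (such as lower-casing, for which a switch is provided) have to be confirmed from the sample's own resolver routine before the table will line up. The export lists are a constructed sample; in practice they come from the real DLLs' export tables.

```python
"""Hash-to-name lookup table for samples that resolve APIs by hash.  Added
example, not the original post's code.  Assumption: reference MurmurHash2
(32-bit, little-endian); the exact variant, seed and name pre-processing
must be taken from the sample being analysed."""

M32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """Austin Appleby's MurmurHash2, 32-bit, on little-endian input."""
    m, r = 0x5BD1E995, 24
    n = len(data)
    h = (seed ^ n) & M32
    i = 0
    while n - i >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * m) & M32
        k ^= k >> r
        k = (k * m) & M32
        h = (h * m) & M32
        h ^= k
        i += 4
    rem = n - i  # 0..3 trailing bytes, same fall-through as the C original
    if rem == 3:
        h ^= data[i + 2] << 16
    if rem >= 2:
        h ^= data[i + 1] << 8
    if rem >= 1:
        h ^= data[i]
        h = (h * m) & M32
    h ^= h >> 13
    h = (h * m) & M32
    h ^= h >> 15
    return h


# Constructed export list.  For real work, dump the export tables of the
# DLLs the sample loads (e.g. with pefile) and feed them in here.
EXPORTS = {
    "kernel32.dll": ["CreateFileW", "WriteFile", "GetLogicalDrives",
                     "CreateThread", "GetSystemInfo", "LoadLibraryA",
                     "GetProcAddress"],
    "ntdll.dll": ["RtlUserThreadStart", "NtMapViewOfSection"],
    "rstrtmgr.dll": ["RmStartSession", "RmGetList", "RmShutdown"],
}


def build_table(exports: dict, seed: int = 0, lowercase: bool = False) -> dict:
    """Map hash -> (dll, export name).  Names are hashed as ASCII; some
    resolvers lower-case the name first, hence the switch."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            key = name.lower() if lowercase else name
            table[murmurhash2(key.encode("ascii"), seed)] = (dll, name)
    return table


def resolve(table: dict, hashes: list) -> list:
    """Annotate a list of hash constants pulled out of the binary."""
    return [(f"{h:#010x}", table.get(h, ("?", "unresolved"))) for h in hashes]


if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Constants a reverser would copy out of the sample (derived here for the demo).
    wanted = [murmurhash2(b"CreateFileW"), murmurhash2(b"RmStartSession"), 0xDEADBEEF]
    for hex_hash, (dll, name) in resolve(table, wanted):
        print(hex_hash, dll, name)
```

If nothing in the table matches, the variant differs from the reference: try the other seed values and name transforms before concluding the algorithm itself was changed, since those two knobs account for most "variants" seen in loaders.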
Indicators of compromise:

| File | Description | Hashes (as listed) |
|---|---|---|
| Wwarc64.dll | Conti ransomware | SHA1 of eb3fbab995fe3d4c57d4859f1268876c; SHA256 of eb3fbab995fe3d4c57d4859f1268876c |
| Lgp.dll, XX2.DL_ | CobaltStrike stager, loads Menus.aspx | SHA1 of 0a31b41b97eec43f1fa2f477dc881b35; SHA256 of 0a31b41b97eec43f1fa2f477dc881b35 |
| v2_2.exe | CobaltStrike stager, loads Menus.aspx | SHA1 of 2588c7551246da0049be325015480ee5; SHA256 of 2588c7551246da0049be325015480ee5 |
| menus.aspx | Packed CobaltStrike beacon (x86 32-bit shellcode) | SHA1 of 2a084ac8d6f8ce3c0f088e594dd9344a; SHA256 of 2a084ac8d6f8ce3c0f088e594dd9344a |
| oci.dll | Cobalt Strike | |
| Serv9.dll | Cobalt Strike | |
| rez64.dll, sql.dll | Conti-related malware | |
| 2.DLL | Conti-related malware | |
Further Research on Conti Ransomware
For a further granular forensic breakdown of Conti ransomware, its obfuscation techniques, execution flow, encryption scheme, as well as the observed attacks, read our report on Conti Ransomware in Taiwan here.
Part III – Best Practices for Enterprises Today
Security is no longer the sole responsibility of one department or one person; it requires effort and diligence from everyone. Even opening one malicious file/link from one email could give multiple attackers and threat groups access to your system.
Organizations no longer face lone hackers—or even hacker groups—but face the collaborative efforts of a thriving underground economy of script kiddies, ransomware gangs, nation-states, access brokers, cryptocurrency launderers, zero-day brokers, and more.
Here is a quick, actionable list of best practices to aid you in increasing your cyber resilience against ransomware attacks.
1. Do Not Pay the Ransom
Don't do it. Paying the ransom guarantees neither a working decryption key nor that the attackers won't simply launch yet another ransomware attack on you or release your exfiltrated data publicly.
Although the cybersecurity community strongly disapproves of paying ransoms, some leadership teams do choose this route. Targeted ransomware attackers typically do a lot of reconnaissance before launching their attack and may demand anywhere from 5 to 15 percent of your annual income. Often, the attackers' support (collections) team will recommend the services of a negotiator they have worked with in the past to represent you.
While some cyber insurance policies cover ransomware payments, this can easily backfire: it can encourage targeted ransomware attacks, since the attackers know their target will pay.
One of the founding members of REvil, known as Unknown, was asked in a recent interview if REvil targets organizations that have cyber insurance.
“Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
However, the tide is changing. AXA, a French insurance company, stated they would no longer cover ransomware payments. In addition, now, in the aftermath of the SolarWinds incident, the U.S. has begun heavily investing in cybersecurity and ransomware prevention with stricter laws requiring companies hit with ransomware to report to the government immediately.
2. Endpoint Security
While a zero-trust environment with limited and restricted user access helps prevent many attacks, preventive solutions (such as NGAV, firewalls, or threat intelligence gateways) do inevitably fail.
Some cybersecurity vendors use a metric known as "breakout time" (the name varies by vendor), which measures the time from initial access to the first lateral movement. The average breakout time for an attack is approximately 2 hours.
Only a mature endpoint detection and response system is capable of consistently preventing intrusions from escalating into business-altering incidents.
For more information regarding MDR and how to evaluate and choose an MDR provider, please refer to our article: What is MDR?
Endpoint security solutions not only reduce MTTD (mean-time-to-detect) and MTTR (mean-time-to-respond) but also generate large amounts of telemetry data. APT-level attacks (which now include ransomware and supply chain attack campaigns) can go months without detection. Without telemetry-generating security tools coupled with long-term data retention, researchers and responders (DFIR services) won't have much to work with in a post-breach investigation.
3. Data Retention & Data Recovery
Is your team experienced in fully restoring your entire environment from backups? If not, we strongly recommend routinely executing your data recovery plan.
Having backups has been standard operating procedure for decades; however, many organizations do not have rehearsed remediation protocols in place nor have real estimates (and not just wild speculations) on how long it would take to rebuild their networks from backups. Lacking a proper backup protocol defeats the purpose of having backups.
Blue Team drills should be a part of every SOC, and these drills should include full restoration of an environment from backups. Drills help locate procedural holes in your defense.
Ransomware typically searches for and encrypts files in network drives. In a few cases we’ve observed, the victim had non-isolated backups, which unfortunately allowed the attackers to encrypt the backups. In some cases, the backups were isolated/air-gapped; however, the digital key to decrypt the backups was located in the local file-sharing network that got encrypted by the ransomware. In one case, the backups and digital key were successfully air-gapped from the targeted network; however, they were located offsite hundreds of kilometers away, further adding major logistical difficulties for full remediation.
Useful Tips for Better Data Retention & Recovery
- Understand what data you have, and define specific policies for each. Attackers typically prioritize data from Human Resources (HR), Enterprise Resource Planning (ERP), Manufacturing Execution System (MES), or Financial-related Information (FI).
- Mounting multiple network-attached storage (NAS) devices is not an effective backup remediation strategy. However, meticulous tracking of each backup version is extremely helpful. File synchronization tools are your friends.
- Sharing folders via a network drive without proper access control may increase your day-to-day productivity, but it is extremely insecure. Sharing folders with multiple users and devices increases the likelihood of ransomware encrypting those files. Even worse, in cases where several machines are infected, files in a shared folder may be encrypted numerous times, making decryption harder or even impossible.
- Once hit, accept that downtime could be longer than expected. At this point, thoroughness of security should take priority over efficiency or usability.
- Once hit by ransomware, recovering from damage and resuming day-to-day business operations are always paramount; however, preventing the next intrusion (which has been known to happen, especially in targeted ransomware attacks) is also important. Nobody wants to lose all their progress and start all over again.
- Resuming services is the first priority; however, preserving application logs, memory snapshots, or even whole disk dumps is necessary for a thorough and successful IR investigation. The scorched earth approach could aid you in getting clean faster; however, it also hinders you and the IR team in answering some of the more important questions: What was the initial access point? How did the attackers remain undetected? How long were they in your system? What endpoints did the attackers have access to? Are any of your partners in your supply chain affected?
- Prioritize your remediation policy according to the importance of the endpoints or assets.
- Endpoints that do not contain sensitive data should still be carefully isolated until remediation is completed to prevent further spread. Keeping the endpoints on, as opposed to off, could help with providing a more thorough and detailed IR report.
- Simply shutting down an endpoint is not an effective method as the ransomware could have hooked onto the system shutdown procedure, allowing the ransomware to clean up after itself and remove related artifacts to increase its stealth.
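The restore drill recommended above needs an objective pass/fail, not a feeling that "the backup came back". The script below is an added example written for this post, not code from the original investigation or from any backup product: it records a SHA-256 manifest of a dataset at backup time, verifies a restored tree against it (missing, changed and extra files), and flags changed files whose byte entropy is near 8 bits/byte, which is what you see when a non-isolated backup share was reached by the ransomware. The drill data is constructed in a temporary directory; the entropy threshold of 7.5 is an assumption that separates encrypted or compressed content from ordinary documents and logs.

```python
"""Backup manifest and restore-drill verification.  Added example, not the
original post's code; sample files are constructed in a temp directory."""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Heuristic (assumed threshold): encrypted or compressed data sits near
    8 bits/byte, office documents, source and logs well below."""
    with open(path, "rb") as f:
        return entropy(f.read(1 << 20)) > threshold


def build_manifest(root: Path) -> dict:
    """relative path -> (sha256, size) for every regular file under root."""
    return {str(p.relative_to(root)): (sha256_file(p), p.stat().st_size)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored)
    report = {"missing": [], "changed": [], "extra": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["changed"].append(rel)
            if looks_encrypted(restored / rel):
                report["suspect_encrypted"].append(rel)
    report["extra"] = sorted(set(current) - set(manifest))
    report["ok"] = not (report["missing"] or report["changed"] or report["extra"])
    return report


def run_drill() -> tuple:
    """Constructed drill: manifest a small dataset, verify an intact restore,
    then verify again after one file was overwritten with random bytes (the
    simulated ransomware hit) and a stray file appeared.  Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_bytes(b"id,name,salary\n" * 400)
        (root / "erp_export.txt").write_bytes(b"order 1001 shipped\n" * 300)
        manifest = build_manifest(root)
        intact = verify_restore(manifest, root)
        (root / "erp_export.txt").write_bytes(os.urandom(8192))
        (root / "extra_note.txt").write_bytes(b"added after the manifest\n")
        damaged = verify_restore(manifest, root)
    return intact, damaged


if __name__ == "__main__":
    before, after = run_drill()
    print("intact restore ok:", before["ok"])
    print("damaged restore:", {k: v for k, v in after.items() if k != "ok"})
```

Store the manifest with the backup but keep a second copy off the share, for the same reason the post gives about decryption keys: a manifest that sits next to the data it describes gets encrypted along with it.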
4. Continuous Incident Response
Ransomware attacks (especially the big game hunters) typically lurk in their target’s environment for quite some time prior to the launch of the ransomware attack. In order to maintain their foothold, these attackers tend to mask their entry vector and implant several backdoors.
Incident response investigations are never a one-and-done solution when it comes to ransomware. If your IR investigation fails to locate just one backdoor, your adversaries will only return in a matter of time. Therefore, a continuous IR solution with robust monitoring is needed to rapidly identify the root cause of attacks and root out each stealthy backdoor.
Maintaining long-term monitoring after the initial IR investigation reveals an adversary's hidden backdoor before or at the moment the attackers use it, thereby exposing their initial access vector to the defenders.
A mature detection and response system is needed to reduce both MTTD (mean-time-to-detection) and MTTR (mean-time-to-respond), ensuring your organization remains resilient and healthy.