Best Practices to Protect Against Conti Ransomware, from Case Study to Recovery

Carrying on from our recent work on Prometheus Ransomware, we have new thoughts and intelligence to share on Conti Ransomware. However, considering the current climate and chatter across the global cyber landscape, we thought it best to also discuss how enterprises today should approach best practices regarding protection against ransomware.

Part I – Conti Ransomware Case Study

When our post-breach Digital Forensics and Incident Response (DFIR) investigation began, several domain controllers (DCs) had already been compromised, and a large amount of data had already been encrypted and exfiltrated.

Fig 1. A screenshot of our AIR’s initial automated IR report of the customer’s environment.

Our investigation was further complicated by one affected DC having been reinstalled unexpectedly, and by the fact that Active Directory (AD) was not managed directly by the customer but by a third-party IT service provider.

This campaign consisted of two main waves of attacks.

Fig 2. Cyber situation graph of customer’s affected environment

First Wave Operation

As soon as we began our investigation, we immediately detected an oci.dll backdoor on an endpoint. It was still active.

Fig 3. CobaltStrike DLL Side Loading

The oci.dll functioned as a Cobalt Strike Beacon. Threat actors commonly abuse msdtc.exe, a legitimate, signed Windows service binary that tries to load a library named oci.dll, to side-load a malicious oci.dll: the beacon then runs inside a trusted process, which helps it evade detection, and it is re-launched whenever the MSDTC service starts, which gives the attackers persistence.

Fig 4. CobaltStrike Beacon oci.dll via DLL SideLoading

On the dates in October shown above, the attackers executed PSEXEC for lateral movement and RAR to compress data ahead of exfiltration.

Fig 5. PSEXEC and RAR

The attackers executed PROCDUMP to dump the memory of lsass.exe, which holds Windows authentication material such as NTLM hashes and Kerberos tickets. Parsing the dump offline (with Mimikatz-style extraction, or by cracking the recovered hashes) would have let the attackers harvest the credentials of high-privileged accounts without running a credential-theft tool on the host itself.

Fig 6. Procdump execution

On endpoint EP-5, the attackers used lpg.dll as the main backdoor. WMI and SCHTASKS were later used to launch a series of attacks and to move laterally to other endpoints.

Fig 7. Process tree to launch ransomware

On the customer-controlled AD server, DC-1, several lateral-movement artifacts dated 11/20 and 11/21 were found. Malware was implanted on four further endpoints: EP-5, EP-4, EP-3 and EP-6.

Fig 8. Command-line information

Fig 9. Conti Ransomware – 1

Fig 10. Conti Ransomware – 2

Several files were copied remotely to endpoint EP-5, accompanied by several logon events originating from the compromised DC.

Fig 11. Timeline Analysis in EP5

Afterward, the malware connected back to its C2, 173[.]234.155.85 (arcnew[.]com).

Fig 12. Execution Event for Launching Ransomware

CobaltStrike Config

BeaconType – HTTPS

Port – 443

SleepTime – 5000

MaxGetSize – 1401323

Jitter – 10

MaxDNS – 235

PublicKey – b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x8b6g;+\r(\xe3\xbb\xfa\xab&\xab\xf5/\xa0\x83dw\xaf\x81xd4cX\x8b\xcev&<"\x93}\xdet\n\xb0\x10\xdc\x03\xc8\xc0\xe52P\x80\x02\xd1\xc0M-\xe9C\xb6\xa7\x01\x943b\xe4Nj~\xd3)O\x02\xff\xc7\xe0\xa1\xa0\x92=\xb2@ \xf7\x8c\x98\xe3%\x07\x8c\\\xed\xe7/\xbdRO\x90\x1d\xb5R\x7f\x15\x84\xbe\x872\xdf\xd8\x17]"\x1d\xc7r\xdd4\x12Y\xa0r\x15\x8c\x1e\x9e[\x96\xd5\xbfs \xf0}\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

C2Server – arcnew.com,/us/ky/louisville/312-s-fourth-st.html

UserAgent – Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)

HttpPostUri – /OrderEntryService.asmx/AddOrderLine

HttpGet_Metadata – Accept: */*

Accept-Language: en-US,en;q=0.5

Referer: https://locations.smashburger.com/us/ky/louisville.html

Connection: close

Cookie

HttpPost_Metadata – Accept: */*

Accept-Language: en-US,en;q=0.5

X-Requested-With: XMLHttpRequest

Cookie

SpawnTo – b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

PipeName –

DNS_Idle – 8.8.8.8

DNS_Sleep – 0

SSH_Host – None

SSH_Port – None

SSH_Username – None

SSH_Password_Plaintext – None

SSH_Password_Pubkey – None

HttpGet_Verb – GET

HttpPost_Verb – POST

HttpPostChunk – 0

Spawnto_x86 – %windir%\syswow64\mstsc.exe

Spawnto_x64 – %windir%\sysnative\mstsc.exe

CryptoScheme – 0

Proxy_Config – None

Proxy_User – None

Proxy_Password – None

Proxy_Behavior – Use IE settings

Watermark – 0

bStageCleanup – True

bCFGCaution – True

KillDate – 0

bProcInject_StartRWX – True

bProcInject_UseRWX – False

bProcInject_MinAllocSize – 16700

ProcInject_PrependAppend_x86 – b'\x90\x90\x90'

Empty

ProcInject_PrependAppend_x64 – b'\x90\x90\x90'

Empty

ProcInject_Execute – ntdll:RtlUserThreadStart

CreateThread

NtQueueApcThread

CreateRemoteThread

RtlCreateUserThread

ProcInject_AllocationMethod – NtMapViewOfSection

bUsesCookies – True

HostHeader –
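The configuration above is directly usable for network hunting: the C2 host, the GET and POST URIs, the User-Agent and the Referer pin down the exact request shapes the beacon emits, and SleepTime/Jitter fix how far apart its check-ins land. The following is an added example (not tooling from the original investigation) that encodes those fields and runs them over constructed proxy-log entries; the source host, timestamps and the 300 ms timing slack are assumptions.

```python
"""Turn the extracted beacon configuration into network hunting logic.

Added example, not tooling from the original report. BEACON_CONFIG copies the
fields shown above; the proxy-log entries are constructed for illustration
(source host, timestamps and the 300 ms timing slack are assumptions).
"""
from datetime import datetime

BEACON_CONFIG = {
    "SleepTime": 5000,          # ms between check-ins
    "Jitter": 10,               # percent
    "C2Server": "arcnew.com",
    "HttpGetUri": "/us/ky/louisville/312-s-fourth-st.html",
    "HttpPostUri": "/OrderEntryService.asmx/AddOrderLine",
    "UserAgent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
    "Referer": "https://locations.smashburger.com/us/ky/louisville.html",
}


def sleep_window_ms(cfg):
    """Beacon subtracts a random 0..Jitter percent from SleepTime, so check-ins
    arrive between SleepTime*(1-Jitter/100) and SleepTime apart."""
    sleep = cfg["SleepTime"]
    return sleep * (100 - cfg["Jitter"]) // 100, sleep


def classify_request(cfg, entry):
    """'checkin' for the GET profile, 'task_output' for the POST profile, else None."""
    _ts, method, host, uri, user_agent, referer = entry
    if host != cfg["C2Server"] or user_agent != cfg["UserAgent"]:
        return None
    if method == "GET" and uri == cfg["HttpGetUri"] and referer == cfg["Referer"]:
        return "checkin"
    if method == "POST" and uri == cfg["HttpPostUri"]:
        return "task_output"
    return None


def beacon_timing(cfg, log, slack_ms=300):
    """Inter-arrival times (ms) of matched check-ins and the fraction that fall
    inside the sleep/jitter window, allowing slack_ms for network delay."""
    times = sorted(datetime.fromisoformat(e[0]) for e in log if classify_request(cfg, e) == "checkin")
    deltas = [(b - a).total_seconds() * 1000 for a, b in zip(times, times[1:])]
    lo, hi = sleep_window_ms(cfg)
    fit = sum(lo - slack_ms <= d <= hi + slack_ms for d in deltas)
    return deltas, (fit / len(deltas) if deltas else 0.0)


UA = BEACON_CONFIG["UserAgent"]
REF = BEACON_CONFIG["Referer"]
PROXY_LOG = [  # constructed: (timestamp, method, host, uri, user_agent, referer)
    ("2020-11-21T03:10:00.000", "GET", "arcnew.com", "/us/ky/louisville/312-s-fourth-st.html", UA, REF),
    ("2020-11-21T03:10:04.800", "GET", "arcnew.com", "/us/ky/louisville/312-s-fourth-st.html", UA, REF),
    ("2020-11-21T03:10:09.600", "GET", "arcnew.com", "/us/ky/louisville/312-s-fourth-st.html", UA, REF),
    ("2020-11-21T03:10:14.300", "GET", "arcnew.com", "/us/ky/louisville/312-s-fourth-st.html", UA, REF),
    ("2020-11-21T03:10:15.100", "POST", "arcnew.com", "/OrderEntryService.asmx/AddOrderLine", UA, ""),
    ("2020-11-21T03:10:19.100", "GET", "arcnew.com", "/us/ky/louisville/312-s-fourth-st.html", UA, REF),
    ("2020-11-21T03:10:23.900", "GET", "arcnew.com", "/us/ky/louisville/312-s-fourth-st.html", UA, REF),
    ("2020-11-21T03:10:25.000", "GET", "locations.smashburger.com", "/us/ky/louisville.html", UA, ""),  # the real site, no match
    ("2020-11-21T03:10:26.000", "GET", "arcnew.com", "/", UA, ""),                                    # same host, wrong URI
]

if __name__ == "__main__":
    for entry in PROXY_LOG:
        print(entry[0], entry[1], entry[2] + entry[3], "->", classify_request(BEACON_CONFIG, entry))
    deltas, fraction = beacon_timing(BEACON_CONFIG, PROXY_LOG)
    print("check-in gaps (ms):", deltas, "fraction inside sleep/jitter window:", fraction)
```

The Referer pointing at a real Smashburger page and the innocuous-looking URIs are the Malleable C2 profile doing its job: any one field looks benign, so match on the combination and on the timing. The beacon's own metadata travels in the Cookie header (HttpGet_Metadata above), so a proxy that logs cookies gives you one more field to pivot on.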

Second Wave Operation

The second wave of attacks was launched in December, demonstrating the attackers’ persistence and sophistication.

C2 173[.]234.155.85, which endpoint EP-5 had contacted during the first wave, was reused in the second wave. The second wave was launched from a single malicious file (rez64.dll) on DC-2.

  • 2020-12-06 07:32:00 DC-2, C:\ProgramData\left.dll
  • 2020-12-06 08:04:18 DC-2, C:\ProgramData\left.dll,StartW
  • 2020-12-06 09:10:41 AP-1, C:\ProgramData\left.dll
  • 2020-12-06 10:12:11 EP-7, C:\ProgramData\rez64.dll
  • 2020-12-07 07:36:53 DC-2, C:\ProgramData\rez64.dll,StartW
  • 2020-12-07 07:42:33 DC-2, C:\ProgramData\sql.dll
  • 2020-12-07 10:42:07 AP-1, C:\ProgramData\sql.dll

Fig 13. Time Bomb for Conti Ransomware

Having compromised AP-1, the attackers used both WMIC and SCHTASKS to dump the lsass process on the remote host EP-8. The corresponding process-dump activity observed on EP-8 is listed below.

Fig 14. The other privilege escalation commands
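The tradecraft in both waves (msdtc.exe side-loading oci.dll, PROCDUMP against lsass.exe, PSEXEC and RAR, rundll32 running left.dll/rez64.dll out of C:\ProgramData with the StartW export, and WMIC/SCHTASKS aimed at remote hosts) is visible in ordinary process-creation and image-load telemetry, as is the shadow-copy deletion described in Part II. The following is an added example (not the tooling used in this investigation) of hunting rules run over constructed Sysmon-like events; the field names, hostnames and timestamps are assumptions chosen to mirror the narrative, not data from the victim environment.

```python
"""Hunting rules for the tradecraft in this case study, run over sample endpoint telemetry.

Added example; not the tooling used in the original investigation. The events are
constructed in a Sysmon-like shape (process creation and image load); field names,
hostnames and timestamps are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def rule_msdtc_sideload(ev):
    # Part I: msdtc.exe side-loading oci.dll (the Cobalt Strike beacon) from a non-system path.
    if ev["type"] == "imageload" and _base(ev["image"]) == "msdtc.exe" \
            and _base(ev["loaded"]) == "oci.dll" and "\\windows\\system32\\" not in ev["loaded"].lower():
        return "msdtc.exe loaded " + ev["loaded"]
    return None


def rule_lsass_dump(ev):
    # Part I: PROCDUMP writing lsass.exe memory to disk for offline credential extraction.
    if ev["type"] == "process" and _base(ev["image"]) in {"procdump.exe", "procdump64.exe"} \
            and "lsass" in ev["cmdline"].lower():
        return ev["cmdline"]
    return None


def rule_psexec(ev):
    # Part I: PsExec lateral movement (the client, or PSEXESVC as the parent on the target).
    if ev["type"] == "process" and (_base(ev["image"]) in {"psexec.exe", "psexec64.exe"}
                                    or _base(ev["parent"]) == "psexesvc.exe"):
        return ev["cmdline"]
    return None


def rule_rar_staging(ev):
    # Part I: RAR 'a' (add to archive) used to compress data before exfiltration.
    if ev["type"] == "process" and _base(ev["image"]) in {"rar.exe", "winrar.exe"} \
            and re.search(r"\sa\s", ev["cmdline"]):
        return ev["cmdline"]
    return None


def rule_rundll32_programdata(ev):
    # Second wave: rundll32 invoking an export (left.dll,StartW / rez64.dll,StartW) from C:\ProgramData.
    if ev["type"] == "process" and _base(ev["image"]) == "rundll32.exe":
        m = re.search(r"(c:\\programdata\\[^\s,]+\.dll),(\w+)", ev["cmdline"], re.I)
        if m:
            return f"{m.group(1)} export {m.group(2)}"
    return None


def rule_remote_task_or_wmi(ev):
    # Both waves: SCHTASKS /S or WMIC /node: aimed at a remote host to run code or dump lsass.
    if ev["type"] != "process":
        return None
    cl, name = ev["cmdline"].lower(), _base(ev["image"])
    if name == "schtasks.exe" and "/create" in cl and "/s " in cl:
        return ev["cmdline"]
    if name == "wmic.exe" and "/node:" in cl and "process call create" in cl:
        return ev["cmdline"]
    return None


def rule_shadow_copy_deletion(ev):
    # Part II: shadow copies deleted through WMIC (or vssadmin) to block restoration.
    if ev["type"] != "process":
        return None
    cl, name = ev["cmdline"].lower(), _base(ev["image"])
    if (name == "wmic.exe" and "shadowcopy" in cl and "delete" in cl) \
            or (name == "vssadmin.exe" and "delete shadows" in cl):
        return ev["cmdline"]
    return None


RULES = [rule_msdtc_sideload, rule_lsass_dump, rule_psexec, rule_rar_staging,
         rule_rundll32_programdata, rule_remote_task_or_wmi, rule_shadow_copy_deletion]


def hunt(events):
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    findings = []
    for raw in events:
        ev = {"cmdline": "", "parent": "", "loaded": "", **raw}   # tolerate missing fields
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append(Finding(rule.__name__[len("rule_"):], ev["host"], ev["ts"], detail))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry
    {"ts": "2020-10-19T10:02:11", "host": "EP-2", "type": "imageload",
     "image": r"C:\Windows\System32\msdtc.exe", "loaded": r"C:\Users\Public\oci.dll"},
    {"ts": "2020-10-19T10:15:40", "host": "EP-2", "type": "process",
     "image": r"C:\Users\Public\procdump64.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\ls.dmp"},
    {"ts": "2020-11-20T22:41:03", "host": "DC-1", "type": "process",
     "image": r"C:\Users\Public\PsExec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\EP-5 -s -d cmd.exe"},
    {"ts": "2020-11-21T01:12:55", "host": "DC-1", "type": "process",
     "image": r"C:\Users\Public\rar.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rar.exe a -r -ep1 C:\Users\Public\hr.rar \\FS-1\HR"},
    {"ts": "2020-12-06T08:04:18", "host": "DC-2", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\left.dll,StartW"},
    {"ts": "2020-12-07T09:30:12", "host": "AP-1", "type": "process",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:EP-8 process call create "procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp"'},
    {"ts": "2021-01-01T00:00:04", "host": "EP-5", "type": "process",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2021-01-01T00:00:09", "host": "EP-5", "type": "process",   # benign control
     "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host:5} {f.rule:22} {f.detail}")
```

Each rule keys on the behaviour rather than on a file hash, so it survives the renaming seen here (oci.dll, lpg.dll, left.dll, rez64.dll, sql.dll all carried the same tradecraft). The remote WMIC rule fires on the AP-1 side of the lsass dump against EP-8; the PROCDUMP rule fires on the EP-8 side, so you get both ends of the hop.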

The attackers scheduled the ransomware to launch at midnight on 1 January 2021. To prevent this, we reverse-engineered the Conti variant and developed a "digital vaccine" against it, increasing the victim's resilience and preventing further attacks of the same kind on their systems.

In addition, we observed that during the second wave of attacks in December the attackers also exploited FortiGate VPNs. Cybersecurity researcher (and active-window-screenshot enthusiast) PeterM tweeted about the same discovery in January, suggesting that the threat actor behind these attacks had been abusing this technique across the globe. In August 2021, The Record reported on leaked material concerning Conti's affiliate partners; after reviewing these documents, we found many activities similar or identical to those in our case.

Fig 15. Discussion of Conti in Twitter @PeterM

Part II – Brief Analysis of Conti Ransomware

While still relatively young in the ransomware game, Conti has proven to be quite advanced compared with other active ransomware families. We now take a closer look at three aspects of Conti that highlight the severity of the threat: faster encryption, a larger number of files encrypted per attack, and detection evasion techniques.

Sped up Encryption

  • Strong, independent encryption key per file
  • Prioritizes speed; uses the ChaCha stream cipher
  • Chooses the encryption method according to the size of the targeted file
  • Multi-threaded encryption

Conti leverages the ChaCha stream cipher, which is faster than AES in pure software (on CPUs with AES-NI, hardware-accelerated AES can be faster, but ChaCha needs no special instructions and is fast everywhere). Before encrypting a file, Conti generates an independent encryption key for that file, encrypts the key with its embedded RSA public key, and appends the wrapped key, together with the file's original size, to the end of the file. Only the holder of the matching RSA private key can unwrap the per-file keys, which is why the decryptor has to come from the attackers.

Encrypting larger files takes longer. Conti's answer is to adopt different encryption methods for files of different sizes and extensions. High-value targets are encrypted completely; these include database files and data from HR, Enterprise Resource Planning (ERP) or Manufacturing Execution Systems (MES). Very large files (such as disk images, or files larger than about 5MB) are only partially encrypted, which is enough to make them unusable while costing a fraction of the I/O and CPU time.

Modern CPUs have multiple cores. To use them efficiently, Conti enumerates encryption targets on its own threads and spawns as many worker threads as the machine has CPU cores, so that files are encrypted on all cores in parallel. This increased encryption speed leads directly to the next problem.
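The per-file key, the RSA-wrapped footer carrying the original size, and the size-dependent partial encryption described above are easiest to reason about in code. The following is an added example, a simplified model and not Conti's code: the stream cipher is an HMAC-SHA256 keystream standing in for ChaCha; the RSA key is built from two Mersenne primes (instantly factorable, demonstration only); the footer layout <wrapped key><original size, 8 bytes little-endian> and the choice to encrypt only the first PARTIAL_HEAD bytes of a large file are assumptions that model the description, not Conti's exact format; multi-threading is not modelled. The parse_footer and plaintext_survives functions are the responder's side: how much of a large file is still carvable, and where the original size is recorded.

```python
"""Model of the file-encryption layout described above, plus a responder-side footer parser.

Added example; a simplified model, not Conti's code. Assumptions, all labelled below:
HMAC-SHA256 keystream instead of ChaCha; RSA from two Mersenne primes (demo only);
footer = <RSA-wrapped per-file key><original size, 8 bytes LE>; large files have only
their first PARTIAL_HEAD bytes encrypted. Multi-threading is not modelled.
"""
import hashlib
import hmac
import secrets

PARTIAL_THRESHOLD = 5 * 1024 * 1024   # from the text: files above ~5MB are only partially encrypted
PARTIAL_HEAD = 1024 * 1024            # assumed size of the encrypted prefix for large files

_P, _Q = (1 << 127) - 1, (1 << 521) - 1            # Mersenne primes M127 and M521: demo key, not secure
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
RSA_LEN = (RSA_N.bit_length() + 7) // 8             # 81 bytes of wrapped key in the footer
FOOTER_LEN = RSA_LEN + 8


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); symmetric, so it also decrypts."""
    blocks = b"".join(hmac.new(key, i.to_bytes(8, "little"), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return (int.from_bytes(data, "big") ^ int.from_bytes(blocks[:len(data)], "big")).to_bytes(len(data), "big")


def encrypted_ranges(size: int):
    """Byte ranges the model encrypts: everything for small files, only a prefix for large ones."""
    return [(0, size)] if size <= PARTIAL_THRESHOLD else [(0, PARTIAL_HEAD)]


def plaintext_survives(size: int) -> float:
    """Fraction of a file's bytes left untouched: what a responder can still carve from a large file."""
    encrypted = sum(end - start for start, end in encrypted_ranges(size))
    return (size - encrypted) / size if size else 0.0


def encrypt_model(plaintext: bytes) -> bytes:
    """Per-file key, size-dependent encryption, then the wrapped key and original size appended."""
    file_key = secrets.token_bytes(32)                       # independent key per file
    buf = bytearray(plaintext)
    for start, end in encrypted_ranges(len(plaintext)):
        buf[start:end] = keystream_xor(file_key, bytes(buf[start:end]))
    wrapped = pow(int.from_bytes(file_key, "big"), RSA_E, RSA_N).to_bytes(RSA_LEN, "big")
    return bytes(buf) + wrapped + len(plaintext).to_bytes(8, "little")


def parse_footer(blob: bytes):
    """Responder view: recover the wrapped key and the original size from the tail of the file."""
    wrapped = blob[-FOOTER_LEN:-8]
    return wrapped, int.from_bytes(blob[-8:], "little")


def decrypt_model(blob: bytes, d: int = RSA_D) -> bytes:
    """What the attackers' decryptor does once it holds the RSA private exponent."""
    wrapped, size = parse_footer(blob)
    file_key = pow(int.from_bytes(wrapped, "big"), d, RSA_N).to_bytes(32, "big")
    buf = bytearray(blob[:size])
    for start, end in encrypted_ranges(size):
        buf[start:end] = keystream_xor(file_key, bytes(buf[start:end]))
    return bytes(buf)


if __name__ == "__main__":
    sample = b"constructed sample document " * 100
    blob = encrypt_model(sample)
    print("footer reports original size", parse_footer(blob)[1], "wrapped key bytes", RSA_LEN)
    print("round trip ok:", decrypt_model(blob) == sample)
    print("plaintext left in a 10MiB file: %.0f%%" % (100 * plaintext_survives(10 * 1024 * 1024)))
```

Two practical consequences fall out of the model. The original size in the footer is what lets a decryptor strip the footer exactly, so when triaging encrypted files the tail is where the per-file metadata lives. And because a large file keeps most of its bytes in the clear, partially encrypted database files and disk images may still yield records to carving even without the key.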

Increased Number of Encrypted Files Per Attack

  • Uses Restart Manager to release files locked by running applications
  • Finds network drives
  • Port scans the local network

Conti avoids a noisy sweep of the whole environment: it reads the ARP cache to learn which hosts and subnets the machine has recently communicated with (the ones most likely to hold reachable shares) and port-scans only those, so it locates more connected network drives to encrypt with less scanning noise. For files held open exclusively by other applications, Conti uses the Windows Restart Manager API to shut those programs down so that the files can be encrypted too.

Detection Evasion Techniques

  • Deletes shadow copies and disables restore and antivirus programs
  • Packing, string obfuscation and API hashing

To reduce the chance of data being restored, Conti uses WMIC to delete volume shadow copies. The ransomware also uses a distinctive obfuscation strategy: every string in the program is decrypted at runtime by its own small routine, and the APIs the sample actually calls do not appear in its import table. Instead, when an API is needed at run time, a variant of MurmurHash is computed over export names to locate it, so there are few static strings or imports for signatures to match.
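API hashing of this kind is defeated the same way in every family: hash the export names of the DLLs the sample could load and look the constants up. The following is an added example, not code from the report or from Conti. Because the page only says "a variant of MurmurHash", it uses the standard 32-bit MurmurHash2 (Austin Appleby's reference algorithm) with seed 0; for a real sample you lift the multiplier, shifts and seed from the hashing routine in the binary. EXPORTS is an assumed subset of names (mostly ones the beacon configuration above references); a complete table is built by walking each DLL's export directory.

```python
"""Resolve API hashes of the kind Conti's loader uses to find functions without an import table.

Added example, not code from the report or from Conti. Standard 32-bit MurmurHash2 with
seed 0 is assumed; adjust constants and seed to match the sample's own routine. EXPORTS
is an assumed subset of export names.
"""
import struct

_M = 0x5BD1E995
_MASK = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 over data, mirroring the C reference step for step."""
    h = (seed ^ len(data)) & _MASK
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * _M) & _MASK
        k ^= k >> 24
        k = (k * _M) & _MASK
        h = (h * _M) & _MASK
        h ^= k
    tail = data[nblocks * 4:]
    if len(tail) >= 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * _M) & _MASK
    h ^= h >> 13
    h = (h * _M) & _MASK
    h ^= h >> 15
    return h


EXPORTS = {  # assumed subset; a real table comes from each DLL's export directory
    "kernel32.dll": ["CreateThread", "CreateRemoteThread", "VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
    "ntdll.dll": ["NtQueueApcThread", "RtlCreateUserThread", "NtMapViewOfSection", "RtlUserThreadStart"],
}


def build_hash_table(exports, seed=0, lowercase=False):
    """Precompute hash -> (dll, name). Some variants hash lower-cased names; toggle to match the sample."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            key = name.lower() if lowercase else name
            table[murmurhash2(key.encode("ascii"), seed)] = (dll, name)
    return table


def resolve(hashes, table):
    """Map hash constants pulled from a sample back to API names; None where no export matches."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    wanted = [murmurhash2(b"NtQueueApcThread"), murmurhash2(b"CreateRemoteThread"), 0xDEADBEEF]
    for h, hit in resolve(wanted, table).items():
        print(f"0x{h:08x} -> {hit}")
```

Once the routine in the sample is identified, the same table also works in reverse as a static signature: a blob of 32-bit constants that resolve to CreateRemoteThread, NtQueueApcThread and NtMapViewOfSection is a strong hint of the process-injection code path even when no import or string survives.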

IoC List

Hash – Description
eb3fbab995fe3d4c57d4859f1268876c – Wwarc64.dll, Conti ransomware (MD5)
68fe03eb79f5813dccb006699dd1f468b32a4d9e – SHA1 of eb3fbab995fe3d4c57d4859f1268876c
5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6 – SHA256 of eb3fbab995fe3d4c57d4859f1268876c
0a31b41b97eec43f1fa2f477dc881b35 – Lgp.dll, XX2.DL_, Cobalt Strike stager, loads Menus.aspx (MD5)
67310359595875992eec3f7cde96fd126e5a0f56 – SHA1 of 0a31b41b97eec43f1fa2f477dc881b35
ab46cd9c8281c665c2400a14ead3a49eb3068b4871ef4b86513a009b20c28e0d – SHA256 of 0a31b41b97eec43f1fa2f477dc881b35
2588c7551246da0049be325015480ee5 – v2_2.exe, Cobalt Strike stager, loads Menus.aspx (MD5)
10fd36feae808a3a8c7375611c0099a9a75044ab – SHA1 of 2588c7551246da0049be325015480ee5
7c8868721c86228a3567ebe77460445e1a812270180bcf5a5020a86afa0ff708 – SHA256 of 2588c7551246da0049be325015480ee5
2a084ac8d6f8ce3c0f088e594dd9344a – menus.aspx, packed Cobalt Strike beacon (x86 32-bit shellcode) (MD5)
b4ca2e13aace6b79b91aa92f2ce6630418a9e598 – SHA1 of 2a084ac8d6f8ce3c0f088e594dd9344a
0a65dcccffb00c2874041401c137d13624ad470fc3980dfba16c282155adf40d – SHA256 of 2a084ac8d6f8ce3c0f088e594dd9344a
f971660ac1331a37cbbfa68ab3aedb76 – oci.dll, Cobalt Strike (MD5)
36537644eca6bb6ab9e83a5fd5b68ae7 – Serv9.dll, Cobalt Strike (MD5)
76B6C7BFA9CDF229E858FBBB2306ADB5 – rez64.dll, sql.dll, Conti-related malware (MD5)
0A31B41B97EEC43F1FA2F477DC881B35 – left.dll (MD5; same hash as Lgp.dll above)
6E0AF9590C71328A7197377EA5CCB23B – VIE.EXE (MD5)
4385E56300890FFDE03A8F553A6B07C1 – 2.DLL, Conti-related malware (MD5)


C2 Information

IoC – Type
173[.]234.155.85 – C2 IP
arcnew[.]com – C2 Domain
74[.]118.138.144 – C2 IP


Further Research on Conti Ransomware

For a more granular forensic breakdown of Conti ransomware (its obfuscation techniques, execution flow and encryption scheme) as well as the observed attacks, read our report on Conti Ransomware in Taiwan.

Part III – Best Practices for Enterprises Today

Security is no longer the sole responsibility of one department or one person; it requires effort and diligence from everyone. A single malicious file or link opened from a single email can give multiple attackers and threat groups access to your systems.

Organizations no longer face lone hackers—or even hacker groups—but face the collaborative efforts of a thriving underground economy of script kiddies, ransomware gangs, nation-states, access brokers, cryptocurrency launderers, zero-day brokers, and more.

Here is a quick, actionable list of best practices to aid you in increasing your cyber resilience against ransomware attacks.

1. Do Not Pay the Ransom

Don't do it. Paying the ransom guarantees neither a working decryption key nor that the attackers won't launch another ransomware attack against you or release your exfiltrated data publicly.

Although the cybersecurity community strongly disapproves of paying, some leadership teams do choose this route. Targeted ransomware operators typically do a great deal of reconnaissance before launching their attack and may ask for anywhere from 5 to 15 percent of your annual revenue. Often, the attackers' "support" (collections) team will recommend a negotiator they have worked with before to represent you.

While some cyber insurance policies cover ransomware payments, this can easily backfire for organizations as it can encourage targeted ransomware attacks as the attackers know their target will pay the ransom.

One of the founding members of REvil, known as Unknown, was asked in a recent interview if REvil targets organizations that have cyber insurance.

“Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

However, the tide is changing. AXA, a French insurer, has stated that it will no longer cover ransomware payments in France. In addition, in the aftermath of the SolarWinds incident, the U.S. has begun investing heavily in cybersecurity and ransomware prevention, including stricter rules requiring companies hit by ransomware to report to the government promptly.

2. Endpoint Security

While a zero-trust environment with limited, tightly scoped user access helps prevent many attacks, preventive controls (such as NGAV, firewalls or threat intelligence gateways) inevitably fail at some point.

Some cybersecurity vendors use a metric known as “breakout time” (or whatever they choose to call it), which measures the time from initial access to the first lateral movement. The average breakout time for an attack is approximately 2 hours.

Only a mature endpoint detection and response system is capable of consistently preventing intrusions from escalating into business-altering incidents.

For more information regarding MDR and how to evaluate and choose an MDR provider, please refer to our article: What is MDR?

Endpoint security solutions not only reduce MTTD (mean time to detect) and MTTR (mean time to respond) but also generate large amounts of telemetry. APT-level attacks (which now include ransomware and supply-chain campaigns) can go months without detection. Without telemetry-generating security tools coupled with long-term data retention, researchers and responders (DFIR services) have little to work with in a post-breach investigation.

3. Data Retention & Data Recovery

Is your team experienced in fully restoring your entire environment from backups? If not, we strongly recommend routinely executing your data recovery plan.

Having backups has been standard operating procedure for decades; however, many organizations do not have rehearsed remediation protocols in place nor have real estimates (and not just wild speculations) on how long it would take to rebuild their networks from backups. Lacking a proper backup protocol defeats the purpose of having backups.

Blue Team drills should be a part of every SOC, and these drills should include full restoration of an environment from backups. Drills help locate procedural holes in your defense.

Ransomware typically searches for and encrypts files in network drives. In a few cases we’ve observed, the victim had non-isolated backups, which unfortunately allowed the attackers to encrypt the backups. In some cases, the backups were isolated/air-gapped; however, the digital key to decrypt the backups was located in the local file-sharing network that got encrypted by the ransomware. In one case, the backups and digital key were successfully air-gapped from the targeted network; however, they were located offsite hundreds of kilometers away, further adding major logistical difficulties for full remediation.

Useful Tips for Better Data Retention & Recovery

  • Understand what data you have, and define specific policies for each class of data. Attackers typically prioritize data from Human Resources (HR), Enterprise Resource Planning (ERP), Manufacturing Execution Systems (MES) or Finance (FI).
  • Mounting several network-attached storage (NAS) devices is not, on its own, an effective backup strategy. Meticulous tracking of each backup version, however, is extremely helpful; file synchronization tools are your friends.
  • Sharing folders via network drives without proper access control may increase day-to-day productivity, but it is extremely insecure. Sharing folders with many users and devices increases the likelihood of ransomware encrypting those files. Worse, when several machines are infected, files in a shared folder may be encrypted several times over, making decryption harder or even impossible.
  • Once hit, accept that downtime could be longer than expected. At this point, thoroughness of security should take priority over efficiency or usability.
  • Once hit by ransomware, recovering from the damage and resuming day-to-day operations are always paramount; however, preventing the next intrusion (which does happen, especially in targeted ransomware attacks) is just as important. Nobody wants to lose all their progress and start over.
  • Resuming services is the first priority; however, preserving application logs, memory snapshots or even whole-disk images is necessary for a thorough and successful IR investigation. A scorched-earth rebuild may get you clean faster, but it also prevents you and the IR team from answering the more important questions: What was the initial access point? How did the attackers remain undetected? How long were they in your systems? Which endpoints did they have access to? Are any partners in your supply chain affected?
  • Prioritize your remediation policy according to the importance of each endpoint or asset.
  • Endpoints that do not contain sensitive data should still be carefully isolated until remediation is complete, to prevent further spread. Keeping those endpoints powered on, rather than off, helps produce a more thorough and detailed IR report.
  • Simply shutting down an endpoint is not an effective response: the ransomware could have hooked the system shutdown procedure, allowing it to clean up after itself and remove related artifacts to increase its stealth. Isolate at the network level instead.

4. Continuous Incident Response

Ransomware attacks (especially the big game hunters) typically lurk in their target’s environment for quite some time prior to the launch of the ransomware attack. In order to maintain their foothold, these attackers tend to mask their entry vector and implant several backdoors.

Incident response investigations are never a one-and-done solution when it comes to ransomware. If your IR investigation fails to locate just one backdoor, your adversaries will only return in a matter of time. Therefore, a continuous IR solution with robust monitoring is needed to rapidly identify the root cause of attacks and root out each stealthy backdoor.

Maintaining long-term monitoring after the initial IR investigation can reveal an adversary's hidden backdoor before, or at the moment, the attackers use it, and with it their initial access vector.

A mature detection and response system is needed to reduce both MTTD (mean-time-to-detection) and MTTR (mean-time-to-respond), ensuring your organization remains resilient and healthy.
