Skip to main content

Conti Ransomware

Brucert alert thumbnail

8 APR 2022

Background
Conti is a ransomware-as-a-service (RaaS) group, which allows affiliates to rent access to its infrastructure to launch attacks. This group has encrypted the networks of hospitals, businesses and government agencies, and in many cases, receiving a significant ransom payment in exchange for the decryption key.

Conti ransomware automatically scans networks for valuable targets, encrypting every file it finds and infecting all Windows operating systems. It acts in a similar manner to most ransomware, but it has been engineered to be even more efficient and evasive. Once executed on the victim’s endpoint, Conti works by:

  • Immediately encrypting files and changing the file extension of the encrypted files. Each sample has a unique extension that the malware adds to the encrypted files.
  • Attempting to connect to other computers on the same network subnet using the SMB port (445).
  • Leaving a ransom note in every folder that has the filename readme.txt/conti_readme.txt

Modus Operandi
Conti actors often gain initial access to networks through:

  • Spear phishing campaigns using tailored emails that contain malicious attachments or malicious links
  • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware (such as TrickBot, IcedID or Cobalt Strike) to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials
  • Phone calls
  • Fake software promoted via search engine optimization
  • Other malware distribution networks (e.g. ZLoader)
  • Common vulnerabilities in external assets

Impact

  • Data loss and leakage
  • Encrypts files on different hosts, potentially compromising an entire network.
  • Extorting ransom

Recommendations

  • Regularly backup data. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication to remotely access networks from external sources.
  • Implement network segmentation and filter traffic.
    • Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
    • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
    • Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
    • Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
  • Scan for vulnerabilities and keep software updated.
    • Set antivirus/anti-malware programs to conduct regular scans of network assets using up-to-date signatures.
    • Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system.
  • Remove unnecessary applications and apply controls.
    • Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications such as remote monitoring and management software and remote desktop software applications, to aid in the malicious exploitation of an organization’s enterprise.
    • Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
    • Implement application allow listing, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.
    • Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Implement endpoint and detection response tools.
    • Endpoint and detection response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
  • Limit access to resources over the network, especially by restricting RDP.
    • After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multi-factor authentication.
  • Secure user accounts.
    • Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
    • Regularly audit logs to ensure new accounts are legitimate users.