Conti ransomware first appeared on the scene in May 2020. What differentiates this strain from others is the speed at which it encrypts files and spreads to other systems. Conti also uses a “double-extortion” technique: the attackers not only encrypt the victim’s data and demand payment, they also take copies of the data and threaten to publish or sell it if the victim refuses to pay.
The Anatomy of a Conti Ransomware Attack
Conti ransomware attackers use a variety of methods to get their “foot in the door”. They often start by trying to trick an employee into handing over credentials, typically through some form of social engineering. In other cases, they exploit vulnerable firewalls or target internet-facing RDP (Remote Desktop Protocol) servers in order to gain access to the network.
Once the attackers have gained access to the network, they will typically try to obtain a domain admin account, which enables them to deploy the ransomware across the domain. They will also try to gain access to any privileged accounts that let them steal sensitive data (including backups). In some cases, they will try to disable endpoint security and security management software so that they can move laterally through the network without being detected.
The Conti ransomware attackers will typically scan your network for servers, endpoints, backups, sensitive data, applications, and security software, to help them establish a plan of attack. They will generate a list of IP addresses using popular port scanners, such as ‘Angry IP Scanner’ or ‘Advanced Port Scanner’. Likewise, they will compile a list of server names which they will examine for clues about their purpose. For example, a server called DC1 is likely to be a Domain Controller.
The attackers will often use popular post-exploitation tools such as Mimikatz, which dumps credentials from the memory of the LSASS process. They may also deliberately break something in order to capture an admin’s credentials when the admin logs in to investigate the issue.
Attackers will attempt to install backdoors, which will allow them to take their time, and revisit the network to install other tools and for further reconnaissance. Backdoors will also enable them to upload data to their Command & Control (C&C) servers and monitor network activity, which will help them determine what the victim is doing to recover from the attack. To assist them with remote access and control, they will often use tools such as AnyDesk and Cobalt Strike and set up Tor proxies to help them mask their communication with the C&C server.
The attackers will try to steal as much business-critical data as possible before executing the ransomware code. Attackers will often use data discovery tools to help them locate sensitive data. As you can imagine, there are numerous ways that an attacker can exfiltrate data. They can upload the files to their own server, to one or more anonymous cloud storage containers, or even send them via email.
Once they have exfiltrated as much data as possible, deleted or encrypted any backups, disabled the relevant security features, and so on, they will initiate the ransomware attack. In most cases, they will deploy the ransomware when no admins are online, typically using some form of remote code execution technique. They will use batch scripts to iterate through the list of discovered IP addresses and deploy the code on as many servers and endpoints as they can. In some cases, they will add the payload to a Group Policy Object (GPO) startup or logon script, so that it executes whenever a domain-joined machine boots or a user logs on.
As mentioned, attackers will install backdoors that enable them to monitor how the victim responds to the attack. They may also monitor emails to help them determine how the victim plans to proceed with the recovery process. If the victim tries to restore their files and thus avoid paying the ransom, the attackers may launch a second attack in order to illustrate the level of visibility and control they have over the victim’s network.
Exposing Data & Emotional Pressure
To scare victims into paying the ransom, the Conti attackers threaten to publish their data online, where other cyber-criminals can access it and perhaps use it to launch their own attacks. Given that data privacy regulations have become increasingly stringent in recent years, with hefty fines for non-compliance, many companies may find it cheaper to simply pay the ransom. Of course, even if they do pay, there is no guarantee that the attackers will hand over a working decryption key or delete the stolen data from their servers.
How to Protect Yourself Against Conti Ransomware Attacks
Of course, there’s no magic bullet when it comes to protecting yourself against ransomware attacks, or any other form of cyber-attack for that matter. A full breakdown of how to keep your systems and data secure is clearly beyond the scope of this article. However, below are some of the key steps to follow to help protect yourself against Conti ransomware.
Ensure that you are not already infected
You will need to scan your entire network for signs of compromise. This includes identifying the presence of Mimikatz, remote access tools you did not install, and any tools that could be used to disable your security software or scan your network for sensitive data.
Monitor your network 24/7
You must continuously monitor your network for any suspicious patterns of behavior. This includes suspicious network traffic, sensitive data being accessed outside of office hours, unauthorized configuration changes, and any repeating patterns that may suggest that automated tools are being used to perform reconnaissance or harvesting operations. You should also watch out for test attacks, which attackers will sometimes deploy on a small scale to check that the ransomware executes successfully.
Restrict access rights and RDP
As always, you should enforce “least privilege” access in order to make it difficult for attackers to move laterally through your network. Likewise, you should disable Remote Desktop Protocol (RDP) on any servers or endpoints where it is not strictly necessary, and never expose it directly to the internet. If you do need to use RDP, you should enforce Multi-Factor Authentication (MFA).
Backups and patch management
This includes ensuring that all systems and software are patched in a timely manner and that you back up your sensitive data regularly. Remember to keep a copy of your backups offline, disconnected from the network, otherwise the attackers may be able to find them and encrypt or delete them.
Security awareness training
Ensure that all employees are given the proper training to help them identify phishing emails and other credential harvesting techniques.
Automated detection and response
Make sure that you have the ability to automatically detect and respond to events that match a pre-defined threshold condition. For example, if X files are modified or renamed within Y seconds on a single host, you can execute a custom script that disconnects the endpoint from the network, disables the accounts and processes involved, changes the firewall settings, or shuts down the affected server(s).
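The following is an added example, not code from the original article, showing how the threshold rule described above (X files touched within Y seconds on one host) can be implemented as a per-host sliding window, together with the after-hours check for sensitive data mentioned under “Monitor your network 24/7”. The event lines, host names, user names, share paths and thresholds are all constructed assumptions for the demonstration; in a real deployment the events would come from a file-integrity monitor, EDR telemetry or Windows file-audit logs.

```python
"""Rate-based ransomware detector: X file writes/renames within Y seconds per host.

Added example; the log format, hosts and thresholds below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_FILES = 50              # X: files written/renamed ...
WINDOW = timedelta(seconds=10)    # ... within Y seconds on one host
OFFICE_START, OFFICE_END = 7, 19  # assumed office hours (local time, 07:00-19:00)
SENSITIVE_PREFIX = "\\\\FS1\\Finance"  # assumed share holding sensitive data


def parse_event(line):
    """Parse a constructed event line: '<ISO timestamp> <host> <user> <action> <path>'."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


class RateDetector:
    """Keeps a sliding window of write/rename timestamps per host and alerts once
    when the window holds at least `threshold` events."""

    def __init__(self, threshold=THRESHOLD_FILES, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.windows = defaultdict(deque)
        self.alerted = set()  # hosts already reported, so we alert once per host

    def feed(self, ts, host, action):
        if action not in ("WRITE", "RENAME"):
            return None
        q = self.windows[host]
        q.append(ts)
        while q and ts - q[0] > self.window:  # evict events older than the window
            q.popleft()
        if len(q) >= self.threshold and host not in self.alerted:
            self.alerted.add(host)
            return host
        return None


def after_hours(ts):
    return not (OFFICE_START <= ts.hour < OFFICE_END)


def analyse(lines, threshold=THRESHOLD_FILES, window=WINDOW):
    """Return (hosts exceeding the rate threshold, after-hours accesses to sensitive data)."""
    det = RateDetector(threshold, window)
    rate_alerts, after_hours_hits = [], []
    for line in lines:
        ts, host, user, action, path = parse_event(line)
        hit = det.feed(ts, host, action)
        if hit:
            rate_alerts.append((ts, host))
        if after_hours(ts) and path.startswith(SENSITIVE_PREFIX):
            after_hours_hits.append((ts, host, user, path))
    return rate_alerts, after_hours_hits


def constructed_events():
    """Constructed sample log (not real telemetry): normal daytime saves, one
    after-hours read of a finance share, and a 60-file rename burst in 3 seconds."""
    lines = []
    day = datetime(2021, 3, 4, 10, 0, 0)
    for i in range(5):
        lines.append(f"{(day + timedelta(minutes=i)).isoformat()} WS-05 alice WRITE C:\\Users\\alice\\report{i}.docx")
    night = datetime(2021, 3, 4, 2, 14, 0)
    lines.append(f"{night.isoformat()} SRV-APP2 svc_backup READ \\\\FS1\\Finance\\payroll.xlsx")
    for i in range(60):
        t = night + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} WS-12 bob RENAME C:\\Data\\doc{i}.pdf")
    return lines


if __name__ == "__main__":
    rate, ah = analyse(constructed_events())
    for ts, host in rate:
        print(f"{ts} RATE ALERT: {host} exceeded {THRESHOLD_FILES} files in {WINDOW.seconds}s -> isolate host")
    for ts, host, user, path in ah:
        print(f"{ts} AFTER-HOURS: {user}@{host} accessed {path}")
```

A rate rule like this catches the bulk encryption run but will not notice the small-scale test attack the article warns about, since a handful of files never fills the window; pair it with a lower-threshold rule on canary files or decoy shares that legitimate users never touch, and tune X and Y against your own file-server baseline so that a large legitimate batch job does not trigger the response script.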
Incident response plan
Make sure that you have a tried and tested incident response plan (IRP) in place to help you respond to ransomware attacks quickly and efficiently.