Conti Ransomware

Conti is an advanced ransomware tool that uses a unique encryption routine to identify and encrypt files incredibly quickly.

Report a cyber attack: call 0300 303 5222 or email [email protected]


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Conti is a ransomware tool used in human-operated attacks against targets in North America and Europe. Conti is operated by the Wizard Spider group and is offered to affiliates as Ransomware-as-a-Service (RaaS). Unlike the vast majority of ransomware, Conti uses an entirely bespoke encryption implementation.


Delivery

Conti is delivered through phishing emails containing links to Google Docs which, when clicked, download and execute either the Bazar backdoor or the IcedID trojan. In other attacks, Conti is delivered directly to target networks via exposed vulnerable services, such as RDP.


Activities

Once present on a system, Conti will attempt to delete Volume Shadow Copies and terminate a number of services, using the Windows Restart Manager to ensure that any files held open by these services can be encrypted.

By default, Conti will encrypt all files on local and networked SMB drives, but will ignore any files with DLL, EXE, LNK, or SYS extensions. Files are encrypted with a unique AES-256 implementation that uses up to 32 individual logical threads, resulting in Conti performing far faster than most ransomware.

Conti is also able to target specific drives, both local and networked, when provided with the required parameters. It is even able to target individual local IP addresses, a capability it shares with the older Sodinokibi ransomware.


Threat updates

Date: 17 May 2021
Update: Conti used in ransomware attack on Irish Health Service Executive

A variant of Conti has been attributed to a recent ransomware attack on the Irish Health Service Executive.

Conti operators now use double extortion tactics to coerce an organisation into paying the ransom. Data is extracted from compromised systems prior to encryption, with the threat of publication should the organisation choose not to pay the ransom.

The Conti operators are known to gain initial access via phishing campaigns and have also been observed targeting vulnerabilities in software running on internet-facing devices. After gaining access, operators commonly use Cobalt Strike tools for lateral movement and extraction of data. Fileless deployment via reflective Dynamic-Link Library (DLL) injection has been used to launch the Conti payload on compromised endpoints. Command and control is used to deliver the ransomware code, which is executed directly in memory, resulting in encryption without the malware being written to disk. Once deployed, Conti performs sandbox evasion via system checks to determine whether it is running in a virtual machine environment or sandbox. There is evidence of some variants of Conti achieving this via calls to bogus Windows API functions that intentionally generate exceptions.


Remediation advice

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

To limit the impact of a ransomware infection, NHS Digital advises that:

  • Critical data is frequently saved in multiple backup locations.
  • At least one backup is kept offline at any time (separated from live systems).
  • Backups and incident recovery plans are tested to ensure that data can be restored when needed.
  • User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
  • Infected systems are disconnected from the network and powered down as soon as practicable.
  • Any user account credentials that may have been compromised are reset on a clean device.
  • Where infected systems cannot be quarantined with confidence, the affected organisation disconnects from national networks to limit propagation.

Indicators of compromise

Host indicators

Filenames

  • conti.exe
  • _EXE.bat
  • _COPY.bat

MD5 hashes

  • b7b5e1253710d8927cbe07d52d2d2e10

SHA1 hashes

  • 596f1fdb5a3de40cccfe1d8183692928b94b8afb

SHA256 hashes

  • 1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f
  • 234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a
  • 5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50
  • 63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be
  • 8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408
  • a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb
  • d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
  • d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce
  • eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe
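The host indicators above are most useful when they can be checked across a file system quickly. The following script is an added example for defenders and is not part of the NHS Digital advisory: it walks a directory tree, matches file names case-insensitively (NTFS is case-insensitive) against the listed filenames, and computes MD5, SHA1 and SHA256 in a single pass over each file so every hash list can be checked at once. The indicator values are copied from the lists above; the sample files it creates in `demo()` are constructed for illustration, and the extra SHA256 planted there exists only to exercise the hash-matching path. Locked or unreadable files are skipped rather than aborting the scan.

```python
"""Scan a directory tree for the Conti host indicators listed in this advisory.

Added example for defenders; not part of the NHS Digital advisory itself.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the advisory's "Host indicators" section.
IOC_FILENAMES = {"conti.exe", "_exe.bat", "_copy.bat"}
IOC_MD5 = {"b7b5e1253710d8927cbe07d52d2d2e10"}
IOC_SHA1 = {"596f1fdb5a3de40cccfe1d8183692928b94b8afb"}
IOC_SHA256 = {
    "1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f",
    "234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a",
    "5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50",
    "63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be",
    "8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408",
    "a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb",
    "d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc",
    "d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce",
    "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe",
}


def _digests(chunks):
    """Feed an iterable of byte chunks through MD5, SHA1 and SHA256 at once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Return (md5, sha1, sha256) hex digests of an in-memory byte string."""
    return _digests([data])


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, read once in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def scan_tree(root, filenames=IOC_FILENAMES, md5s=IOC_MD5,
              sha1s=IOC_SHA1, sha256s=IOC_SHA256):
    """Walk `root` and return sorted (path, reason) pairs for every indicator match.

    A file may match on more than one indicator; each is reported separately so an
    analyst can tell a name-only hit (weak) from a hash-backed one (strong).
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            # Filename indicators are compared case-insensitively, as NTFS would.
            if name.lower() in filenames:
                hits.append((str(path), "filename"))
            try:
                md5, sha1, sha256 = hash_file(path)
            except OSError:
                continue  # locked or unreadable: skip, do not abort the scan
            if md5 in md5s:
                hits.append((str(path), "md5"))
            if sha1 in sha1s:
                hits.append((str(path), "sha1"))
            if sha256 in sha256s:
                hits.append((str(path), "sha256"))
    return sorted(hits)


def demo():
    """Scan a constructed temporary tree and return (filename, reason) hits.

    The file contents are made up for this example. The planted SHA256 of the
    constructed 'sample.bin' is added to the indicator set only to show a
    hash-backed match; it is not a real Conti indicator.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "Conti.exe").write_bytes(b"constructed, not malware")
        (root / "report.docx").write_bytes(b"benign constructed document")
        planted = b"constructed sample used to exercise the hash path"
        (root / "sample.bin").write_bytes(planted)
        _, _, planted_sha256 = hash_bytes(planted)
        hits = scan_tree(root, sha256s=IOC_SHA256 | {planted_sha256})
        return sorted((Path(p).name, reason) for p, reason in hits)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: matched on {reason}")
```

Run it against a mounted or copied volume by calling `scan_tree("/path/to/volume")`; a filename-only hit warrants a closer look, while a hash hit on any of the listed values is a strong indication that the sample on this page is present.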

Definitive source of threat updates

Last edited: 1 June 2021 2:51 pm