# Cybereason vs. Conti Ransomware **cybereason.com/blog/cybereason-vs.-conti-ransomware** Written By Cybereason Nocturnus January 12, 2021 | 5 minute read [Conti is a relatively new player in the ransomware field. Since first emerging in May 2020, the ransomware operators (aka. the Conti Gang)](https://malpedia.caad.fkie.fraunhofer.de/details/win.conti) claim more than 150 successful attacks, which equates to millions of dollars in extortion fees. [Like other ransomware syndicates that have emerged recently, the Conti gang follows the growing trend of double extortion: they steal](https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware) sensitive files and information from their victims and later use it to extort their victims by threatening to publish the data unless the ransom is paid ----- ### ey eta s **Emerging Threat: In a short amount of time, Conti ransomware has caused a great deal of damage and made headlines across the world.** **High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks** **Low-and-Slow: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout the organization,** carrying out a fully-fledged hacking operation, or RansomOp. **Rapid Development Cycle: In just a few months, the Conti gang has released 3 new versions of the ransomware, improving the malware in** each version. **The Successor of Ryuk: The Conti Gang collaborated with the TrickBot Gang, which are now using Conti as their ransomware of choice.** **Spreading across the network: Conti is not satisfied with causing damage to just the infected machines. Instead, it spreads in the network** via SMB and encrypts files on remote machines as well. **Detected and Prevented:** [The Cybereason Defense Platform fully detects and prevents the Conti ransomware.](https://www.cybereason.com/platform) [Similar to ransomware such as Egregor (“Egregor News”) and Maze (“Maze News”), the Conti Gang has their own website, “Conti News,”](https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware) which stores a list of their victims, and it is where they publish the stolen data: _Conti News website_ Conti is a very destructive threat. Besides the double extortion that puts information and reputation at risk, the Conti operators equip it with a spreading capability, which means that Conti not only encrypts the files on the infected host but also spreads via SMB and encrypts files on different hosts, potentially compromising the entire network. The rapid encryption routine takes just a few seconds to minutes due to its use of multithreading, which also makes it very difficult to stop once the encryption routine starts. [Another major factor that contributes to the popularity of Conti is the collaboration with the TrickBot Gang. Conti is sold as a Ransomware-as-](https://www.databreachtoday.com/trickbot-rebounds-after-takedown-a-15213) a-Service in underground forums to exclusive buyers and partners such as the TrickBot gang, which replaced Ryuk and adopted Conti as their new ransomware of choice. In addition to the sophisticated capabilities and the collaboration with the TrickBot gang, the increased number of Conti attacks against big companies such as Advantech, which was extorted for $13.8M, and other attacks against big North American based companies as listed in [this article, contributed to Conti making its way into the news this year. With a rapid development cycle that keeps the malware up-to-date and](https://www.blackfog.com/the-state-of-ransomware-in-2020/) equipped with advanced capabilities, along with the promotion done by the TrickBot gang, it is no wonder why Conti is referred to as the successor of [Ryuk.](https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware) ### Breaking Down the Attack ## From Bazar Backdoor to Ransomware ----- e c ot Ga g as o to use t e a ous c ot a a e to sta t te act e ac g ope at o s a d dep oy g seco da y [payloads such as Ryuk and](https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware) [Anchor. Earlier this year, the group shifted to using the Bazar backdoor to launch an interactive attack and deploy](https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware) Ryuk, and since July 2020 their new ransomware of favor has been Conti. Although the payloads and tools of the TrickBot Gang have changed over time, the initial infection vector for the Bazar loader and backdoor has remained the same: a phishing email containing a link to Google Drive which stores the payload: _Conti attack diagram - from Bazar to ransomware_ ### Rapid Development Cycle Since Conti was first discovered in July 2020, three different versions have been observed. With each new version, the Conti Gang added more capabilities which make the ransomware more dangerous and destructive. The following table summarizes the main changes between the three versions: **Version 1** **Version 2** **Version 3** Earliest to oldest creation times (Based on VT) Ransom Note file name 2020-05-29 2020-08-18 Conti_readme.txt CONTI.txt 2020-10-09 2020-10-21 R3adm3.txt readme.txt 2020-11-06 2020-12-07 readme.txt ----- Extension .CONTI Changes per sample Changes per s Mutex _CONTI_ lslaif8aisuuugnzxbvmdjk Kjkbmusop9iqk ojkxjfsu812090 Embedded emails / URLs flapalinta1950@protonmail.com xersami@protonmail.com Ksarepont@protonmail.com cokeremie@protonmail.com hawhunrocu1982@protonmail.com consfronepun1983@protonmail.com viegesobou1977@protonmail.com hardsandspikab1971@protonmail.com stargoacompte1970@protonmail.com muddkarhersmo1973@protonmail.com versmohubfast1972@protonmail.com ceslingvafi1973@protonmail.com Andrea.Davis.1989@protonmail.com forrestdane79@protonmail.com http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid[.]onion https://contirecovery[.]info http://m232fdxb https://contirec https://contirec heibeaufranin1 polzarutu1982@ niggchiphoter1 An independen Loader + DLL Form An independent executable An independent executable Loader + DLL Spreading via SMB Spreading via SMB if instructed by command line arguments. Spreading via SMB even without command line arguments. Spreading via S Unique Not using a website, just an email Observed the use of icons: PDB: A:\source\conti Observed the u Ransom Note ### Conti Ransomware Execution ----- s sect o ocuses o e s o a d e s o 3 s e t o ed t e tab e abo e, e s o 3 as t o o s o e s a depe de t e ecutab e, and the other is a loader that loads a DLL from the resources section and executes it. Even before doing any static / dynamic analysis, we can use VirusTotal to determine that the resources section probably contains more data, in this case an encrypted DLL that is loaded into memory: _Screenshot of VirusTotal file’s section information_ The APIs for interacting with the resources are dynamically resolved using GetProcAddress: _Dynamically resolved API used to interact with the resources_ The loader then decrypts the payload using an hardcoded key, and loads it into memory: _Decryption key of the Conti payload_ Once the DLL is loaded, Conti starts it’s encryption and spreading routines. The ransomware scans the network for SMB (port 445). If it finds any shared folders it can access, it will try to encrypt the files on the remote machines as well: ----- _Wireshark pcap of Conti spreading via SMB_ Conti uses a multithreading technique to fast encrypt all the files. This routine takes seconds to just a few minutes depending on the number of files on the machine. Each sample has a unique extension that the malware adds to the encrypted files. While using Cybereason with prevention mode off to allow investigation of the ransomware execution, it is possible to see the encryption activity and the creation of new files: _File Events feature in the Cybereason Defense Platform shows the encryption of the files_ After the files are encrypted, the malware leaves the ransom note in every folder, making sure it is noticeable to the victim. The Conti Gang usually sets a deadline for the victim to pay the ransom, and if the deadline passes without payment, they leak the victim data on their website “Conti News.” ### Cybereason Detection and Prevention The [Cybereason Defense Platform is able to prevent the execution of Conti Ransomware using multi-layer protection that detects and blocks](https://www.cybereason.com/platform) malware with threat intelligence, machine learning, and next-gen (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generates a MalopTM for it: _Ransomware Malop triggered due to the malicious activity_ Using the Anti-Malware feature with the right configurations (listed in the recommendations below), The Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which prevents both known and unknown hashes: ----- _Anti-Malware alert - preventing Conti ransomware_ _User notification, blocking the execution of the ransomware in the endpoint_ ### Security Recommendations **• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent -** more information for customers can be found here **• Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to** _[Moderate and above - more information can be found here](https://nest.cybereason.com/documentation/product-documentation/190/anti-malware-settings)_ **• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities** **• Regularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data** **• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering** **• Indicator's of Compromise: Includes C2 Domains, IP addresses, Docx files SHA-1 hashes, and Msi files. Open the chatbot on the lower** right-hand side of this blog to download your copy. ### MITRE ATT&CK TECHNIQUES **Initial** **Access** [Phishing](https://attack.mitre.org/techniques/T1566/) **Lateral** **Movement** Taint Shared Content **Defense Evasion** **Discovery** **Command and Control** **Impact** Deobfuscate / Decode Files or Information [Account Discovery](https://attack.mitre.org/techniques/T1087) [Commonly Used Port](https://attack.mitre.org/techniques/T1043) Data Encrypted for Impact ----- [Masquerading](https://attack.mitre.org/techniques/T1036) Application Window Discovery [Modify Registry](https://attack.mitre.org/techniques/T1112) File and Directory Discovery [Remote File Copy](https://attack.mitre.org/techniques/T1105) Standard Application Layer Protocol Obfuscated Files or Information [Process Discovery](https://attack.mitre.org/techniques/T1057) Standard Cryptographic Protocol System Information Discovery Standard Non-Application Layer Protocol **Lior Rochberger** Lior is a senior threat researcher at Cybereason, focusing on threat hunting and malware research. Lior began her career as a team leader in the security operations center in the Israeli Air Force, where she mostly focused on incident response and malware analysis. ## Conti Ransomware | Indicator's of Compromise **Indicator** **Type** **Comment** c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4 004ede55a972e10d9a21bcf338b4907d6eed65bf5ad6abbbd5aec7d8484bdedf eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe 6fce6b5f101ab504115f1251a842d55c50a046d7fd92d1fe0f42e430900bc8c5 81792fcbaad868d2e4aca1ed372f4a5abb34372d3265d5712a65cdfe05e42df8 1c4da8bf2089e82a1665f7ac350eeea291dae7509d58dbfc2037ddc1997bfd13 f52508176ff68555ba4c7b39e0d9e23a11e3ac0c3e1ef0755408ed1c0670fc21 040fcbd360c7498756519cb0e687120bd623da80784034ea89178409491b1c44 3ab3c4ffcf366dcbe660506295dcef82d058cb25b1c0b362cc62371a19a0d5f8 e16fea1b8874cc6b26e7e2df9697f03f86efa82247bb3b2922f1d05052dbcbb4 98a09f7896a7c20229e696d6e8344fe9593fd70afada5d986e04c0d6933cc4db 1490e74b93b40176975836156dc62210b7670ab5eb38f153a21cda8c72bebc76 0b0b902af452e1c949a609a3b29a9de21dac639846c77427de06e6e63c1fe904 633b9d373da7d2916f4d3b2902d4817c0f3ad5de5466ac85f34bdd37a8d3dd37 e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6 7c6463f86027bf1d6a787f787282b5ff87bc98389c3b48181c7e84cd71684b1f ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124 fe39822a460d96b5cd0287a371cc238933a6f7765dc165606c78bf70c4483c2a 2a6cd292fe8d850a69cc67cc417f63926896305f8eb9647a9c5aee85efd6587a 3402d9d20bc4622a87c2533484fb98889a5a85bf3191192faf4ef8431f7a4b9c 6ed577361d0db8b085c54efef19fec4055ecdaaaf65b7ec63134275d93d6f09b 1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3 9826b386065f8312a7a7ef431c735a66e85a9c144692907f5909f81f837c65f4 bbb58c0ac016bf5d8c06099b39035ccc8658c1f1630ed3fd9979ae932f67551e 0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862 d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40 dbf2380de4e4ac4ae259aa01b0a1c10ab81e246d895e290a5031709837f219eb f3ee2a9fe1aae1a566ec663969ee9e7577f790fc9ae0085620e502b680d8acd3 260709f0aad63cc84ea3e64a26b149a3b6c769697a958645b66de5137821af1e f25961cf6e019d95740c13e1b0718d6e0c8753a22106e8d61479877a31da9e18 afa77a9049000a105d744dfb9bcaeedfdc837cc93aaf045db4f819c3da445b79 0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf SHA256 Conti Version1 SHA256 Conti Version2 ----- e7ce83a1a5163487d86538344c4f37c72a795b07b03a40db7d36ec81a442d685 90cfbbe316c94611fdb48029b5302df0980395528a812404cacbc39ef1a6bde0 d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81 5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251 c67ba4c6e872dbcd2b1281c33fb033f886d8472ea021cf3974a445c4b804fec2 64a3a3ec70d20636299b8fe4f50c2b4d077f9934ee2d6ccf7d440b05b9770f56 707b752f6bd89d4f97d08602d0546a56d27acfe00e6d5df2a2cb67c5e2eeee30 c41babd8fa4fc96822f72066ba2af781e5c381a58017f72c8fec301436745b01 26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce 68d45d7973277c4a3095929a06c3defa40adf7bf592ede0557a89f724a290395 24347befc0663e75a848982d22f76c2b0f9dc8d26c77d6b13c78530446aa6246 73bd8c2aa71f5dcd9d2ddd79e53656c6ae3db2535e08cf9dab1cd13bdd6d5ea3 626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce 49b2c44d9a304035e586a15c1eb06101dcd64cdc17b64a0d69d253e653ff25a7 http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid[.]onion https://contirecovery[.]info https://contirecovery[.]best SHA256 Conti Version3 Domains Conti websites 23.106.215[.]97 IP Site that stores a Conti payload About the Author **Cybereason Nocturnus** The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks. [All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus) -----