by Bhabesh Raj, Associate Security Analytics Engineer

Widely believed to be the successor to Wizard Spider’s infamous Ryuk ransomware, Conti ransomware was first observed in May 2020. Conti is distributed via the RaaS model, making it more accessible and thus more potent than Ryuk. By Q1 of 2021, Coveware reported that Conti has claimed the second highest market share in the ransomware scene.

Conti is known to re-attack prior victims, most of whom reside in North America and Western Europe. Following a ‘big-game hunting’ approach. ransom amounts are believed to be tailored to the victim, with demands observed as high as $25 million. According to Sentinel One Watchtower, in July 2021 Conti ranked first, by volume of leaked data, from among all other human-operated ransomware groups.

Grim Spider, a cell of Russian threat actor Wizard Spider, has operated Ryuk since 2018. Conti is seen as a natural evolution of Ryuk after their operators integrated the tried-and-tested RaaS model and ‘big-game hunting’ to Conti’s operation.

On May 14, 2021, NCSC alerted that Conti ransomware had severely disabled the Health Service Executive (HSE) system, affecting multiple services and necessitating the shutdown of the majority of the systems on their network. NCSC believes the attacks to be part of the same campaign that targeted the Irish health sector. Similarly, on May 20, 2021, the FBI released their own alert that identified at least 16 Conti ransomware attacks targeted US healthcare and first responder networks, including law enforcement agencies and emergency medical services, within the last year. The FBI also stated that the 290 US-based healthcare and first responder networks are among the more than 400 organizations worldwide that have been victimized by Conti. Most recently, DarkTracer has observed Everest and Conti’s continued targeting of French companies.

On September 3, 2021, Sophos reported an investigation revealing Conti affiliates using ProxyShell exploit in Exchange servers to deploy web shells. It succeeded in a matter of minutes and exfiltrated around 1TB of data within 48 hours after its’ initial access. This may be seen as an example of how ransomware affiliates capitalize on administrators’ inability to timely patch critical vulnerabilities in business critical applications like Exchange, to reduce their time-to-ransomware metric.

Currently, ransomware actors commonly utilize legitimate software in their kill chain to speed-up the ransomware deployment process. A most recent development may be seen in the AdvIntel report disclosing the use of Atera Remote Monitoring and Management (RMM) agent as a backdoor by Conti, to survive possible Cobalt Strike detections from EDRs.

Like other ransomware strains, Conti is commonly observed to be deployed by IceID, TrickBot, Buer, BazarBackdoor, etc. On August 1, 2021, The DFIR Report described how one threat actor installed TrickBot via BazarCall, which later deployed Cobalt Strike and finally led to the deployment of Conti.

Conti shares several TTPs with other ransomware strains like Egregor, such as in the use of RDP, RClone, Cobalt Strike, ADFind, PsExec, etc. The exact ransomware strain affecting the company’s network can only be identified through thorough incident response after initial intrusion detection.

LogPoint customers can use our Ransomware Analytics package that contains analytics for different ransomware strains.

Conti fast facts

Detecting Conti using LogPoint

Administrators can detect the exploitation attempts of ProxyShell by looking at web server logs of exchange server.

((url="*/autodiscover.json*" url IN ["*/powershell*", "*/mapi/nspi*", "*/EWS*", "*X-Rps-CAT*"])
OR url IN ["*autodiscover.json?@*", "*autodiscover.json%3f@*", "*%
[email protected]*", "*Email=autodiscover/autodiscover.json*", "*[email protected]*"])

Administrators can filter out unsuccessful attempts by adding the status code filters.

(url="*/autodiscover.json*" url IN ["*/powershell*", "*/mapi/nspi*", "*/EWS*", "*X-Rps-CAT*"] status_code IN [200, 301])

Conti actors deploy multiple web shells after exploiting Exchange vulnerabilities, which we can detect using Sysmon’s file creation events.

norm_id=WindowsSysmon event_id=11
file="*.aspx" path IN ["C:\inetpub\wwwroot\aspnet_client*", "*\FrontEnd\HttpProxy\owa\auth*"]

As IceID remains the most common infection vector for Conti, we need to lookout for the spawning of suspicious processes by Office products which may signal malicious macro executions.

Norm_id=WinServer label=”Process” label=Create
parent_process IN [“*\winword.exe”, “*\excel.exe”, “*\powerpnt.exe”] “process” IN [“*\cmd.exe”, “*\powershell.exe”, “*\wscript.exe”, “*\jscript.exe”, “*\wmiprvse.exe”]

IceID is also known to be directly executed by Regsvr32 (T1218.010) from suspicious paths like Temp directory.

Norm_id=WinServer label=”Process” label=Create
command IN [“*\AppData\Local\Temp\*”, “*\AppData\Roaming\Temp\*”]

Conti runs the usual barrage of commands like whoami, ipconfig, etc for reconnaissance, which can be easily picked up from process creation events.

norm_id=WinServer label="Process" label=Create
"process" IN ["*\whoami.exe", "*\nltest.exe", "*\net1.exe", "*\ipconfig.exe", "*\systeminfo.exe"] | chart count() as cnt, distinct_list(image) as images by host, user
| search cnt > 3

Using WMI to remotely run processes (T1047) is now becoming a hallmark for ransomware operators. Picking up this very important activity is crucial to detect any generic ransomware strain.

norm_id=WinServer label="Process" label=Create command="*wmic* /node:* process call create *"

For gathering domain credentials, Conti has used the legitimate ntdsutil utility (T1003.003) to create copy of the Active Directory domain database.

norm_id=WinServer label="Process" label=Create
command="*ntdsutil*ac * ntds*ifm*"

As cobalt strike is now used by many ransomware variants including Conti, please refer to our blog, ‘detecting Cobalt Strike activity in your enterprise.’

For persistence, Conti creates a new user (T1136.001) and adds that user to the local administrators group which is trivial to detect from process creation events.

norm_id=WinServer label="Process" label=Create
command IN ["*net* user /add *", "*net* localgroup administrators */add*"]

Conti is known to disable Microsoft Defender (T1562.001) before deploying Cobalt Strike, which is easy to detect by using logs from Defender’s event channel.

norm_id=WinServer event_source="Microsoft-Windows-Windows Defender" event_id=5001

For lateral movement, Conti first drops the DLL payload on ADMIN$ shares (T1021.002) of endpoints and later remotely execute that payload using PsExec (T1570).

norm_id=WinServer label="Process" label=Create
command="*cmd* /c copy *.DLL *\ADMIN$"
norm_id=WinServer label="Process" label=Create
command="* -accepteula *" command="*rundll32*.DLL,*"

Conti also enables RDP connections (T1021.001) in endpoints using either netsh or via direct registry manipulations (T1112), which we can hunt from process creation events.

norm_id=WinServer label="Process" label=Create
command IN ["*netsh *firewall *remote desktop* enable*", "*reg add *\Terminal Server* fDenyTSConnections*0x0*"]

Like Egregor and FiveHands, Conti uses RClone, an open-source cloud storage management tool to exfiltrate data to the attacker’s cloud storage (T1567.002), which is trivial to detect from Sysmon’s process creation events.

norm_id=WindowsSysmon label="Process" label=Create
description="Rsync for cloud storage"

Administrators should also look for rogue Atera agent installations, as seen in recent Conti incidents.

norm_id=WinServer label=Install label=Application

Log Sources

LogPoint users require the following log sources to run the aforementioned queries:

  • Windows Process Creation
  • Windows Software Installation
  • Microsoft Defender
  • Sysmon Process Creation
  • Sysmon File Creation
  • Firewall/Proxy Server

Setting up Detection in Depth is Vital for Detecting Ransomware

Like its predecessor, Conti remains one of the most active ransomware strain, with a staggering number of victims. Like other human-based ransomware, it uses commonly utilized tools both commercial and publicly available, to facilitate their objectives. In today’s threat landscape with adversaries utilizing evasion wherever they seem fit to evade fragile detections set up by blue teams – relying only on a small number of detections is a naive approach.

It is necessary to set up proper defense-in-depth approach. This is essential to detect evolving threats like ransomware that use common tools ‘with a twist,’ to achieve their objectives.

Discover More About Logpoint