I. Targeted Industries
- Financial & Educational Institutions
- Private Organizations
- Government Agencies
- Enterprise Businesses
- Small-Medium Businesses
The VMware Carbon Black Threat Analysis Unit recently reported a new family of ransomware in the wild, called Conti. Conti ransomware is being used to target corporate and government networks with features that allow for precision and speed. The ransomware was first identified in December 2019 in isolated attacks but has spiked in activity this past month. It is designed to be controlled by a human adversary rather than to execute automatically on its own. Conti operators breach a network and move laterally until they obtain domain administrator credentials. This ransomware strain has indicators of compromise similar to those seen in the malware code of Ryuk. However, VMware Carbon Black says Conti comes with rare features that have not been seen in other strains.
III. Background Information
Conti shares features with other strains of ransomware. For example, multi-threaded operation is used to accelerate execution by running multiple concurrent computations on the CPU. Although this feature is common among malware families, Conti uses 32 concurrent threads, making it faster than other families. Conti is also unusual in that it can direct encryption at local hard drives, network shares, or even specific IP addresses via command-line arguments. Additionally, Conti takes advantage of the Windows Restart Manager to close applications that hold locks on certain files. This prepares the computer for encryption, and Conti also disables Windows services related to security, backup, database, and email solutions.
Once the computer is ready, Volume Shadow Copies are cleared and encryption begins. The .CONTI extension is appended to each encrypted file, and a ransom note named CONTI_README.txt is dropped in each folder. To encrypt the data, a different AES-256 key is used per file, and these keys are protected with a bundled RSA-4096 public key that is unique to each victim. Conti then gathers information about systems the compromised machine has recently connected to, in an attempt to reach remote devices and encrypt their files as well. These techniques allow Conti to go unnoticed for days or weeks, making it difficult to detect.
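As an added illustration (not code from this advisory or from VMware Carbon Black), the Python script below shows how a defender could hunt for the artifacts described above in file-system audit logs: a burst of renames to the .CONTI extension, which the 32-thread encryption makes unusually fast, and the CONTI_README.txt note dropped per folder. The log format, the sample events and the thresholds are constructed assumptions.

```python
from collections import deque
from datetime import datetime
from pathlib import PureWindowsPath

CONTI_EXT = ".CONTI"          # extension appended to encrypted files
CONTI_NOTE = "CONTI_README.txt"  # ransom note dropped in each folder

# Constructed sample audit lines (assumed format: "<ISO timestamp> <action> <path>").
# They model a multi-threaded encryption burst on a local folder and a network
# share, each followed by a ransom note, plus one isolated rename much later.
SAMPLE_LOG = """\
2020-07-09T10:00:01 WRITE  C:\\Users\\alice\\Documents\\report.docx
2020-07-09T10:00:05 RENAME C:\\Users\\alice\\Documents\\report.docx.CONTI
2020-07-09T10:00:05 RENAME C:\\Users\\alice\\Documents\\budget.xlsx.CONTI
2020-07-09T10:00:06 RENAME C:\\Users\\alice\\Documents\\notes.txt.CONTI
2020-07-09T10:00:06 CREATE C:\\Users\\alice\\Documents\\CONTI_README.txt
2020-07-09T10:00:07 RENAME \\\\fileserver\\share\\q2\\plan.pptx.CONTI
2020-07-09T10:00:07 RENAME \\\\fileserver\\share\\q2\\ledger.xlsx.CONTI
2020-07-09T10:00:08 CREATE \\\\fileserver\\share\\q2\\CONTI_README.txt
2020-07-09T10:30:00 RENAME C:\\Users\\bob\\old.log.CONTI
"""

def parse_events(text):
    """Parse 'timestamp action path' lines into (datetime, ACTION, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, action, path = line.split(maxsplit=2)
            events.append((datetime.fromisoformat(ts), action.upper(), path))
    return events

def detect_conti_activity(events, window_seconds=60, threshold=5):
    """Return findings: one 'burst' if >= threshold renames to .CONTI land in any
    sliding window of window_seconds, and one 'ransom_note' per CONTI_README.txt."""
    findings, window, burst_reported = [], deque(), False
    for ts, action, path in sorted(events):
        p = PureWindowsPath(path)
        if action == "CREATE" and p.name == CONTI_NOTE:
            findings.append(("ransom_note", str(p.parent)))
        if action == "RENAME" and path.upper().endswith(CONTI_EXT):
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop renames that fell out of the window
            if len(window) >= threshold and not burst_reported:
                findings.append(("burst", f"{len(window)} .CONTI renames within {window_seconds}s"))
                burst_reported = True
    return findings

if __name__ == "__main__":
    for kind, detail in detect_conti_activity(parse_events(SAMPLE_LOG)):
        print(f"[{kind}] {detail}")
```

The single rename at 10:30 never reaches the threshold on its own, which keeps a stray file with an odd extension from paging an analyst, while the ransom-note check fires per folder regardless of volume.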
IV. MITRE ATT&CK
T1204 – User Execution: Malicious Link
An adversary may rely on users’ lack of cybersecurity hygiene to get them to click on a malicious link. Clicking on a link may also lead to other execution techniques, such as exploitation of a browser or application vulnerability. Links may also lead users to download malicious files that then require execution.
T1486 – Data Encrypted for Impact
An adversary could interrupt the availability of a target’s systems by encrypting their data. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to the decryption key.
- Scheduled Backups & Patch Updates
Back up data regularly and store externally. Perform consistent updates and patch vulnerabilities.
- Closely Monitor Remote Access Infrastructure
Unusual activity in event logs should be investigated immediately. Ensure there is a password reset for all accounts in case of compromise.
- Turn on Attack Surface Reduction Rules
Make sure to include rules that block ransomware activities and credential theft.
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the attack into your intrusion detection system (IDS) to catch any suspicious behavior related to the attack.
- Strong Cyber Hygiene
Users need to ensure the validity of emails, links, downloads, etc. All sources should be verified.
- Recommended Link: https://www.us-cert.gov/Ransomware
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Abrams, Lawrence. “Conti Ransomware Shows Signs of Being Ryuk’s Successor.” BleepingComputer, July 9, 2020. https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/.
(2) Arghire, Ionut. “Powerful Conti Ransomware Emerges.” SecurityWeek, July 9, 2020. https://www.securityweek.com/powerful-conti-ransomware-emerges?utm_source=feedburner.
(3) Baskin, Brian. “TAU Threat Discovery: Conti Ransomware.” VMware Carbon Black, July 8, 2020. https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/.
(4) Cimpanu, Catalin. “Conti Ransomware Uses 32 Simultaneous CPU Threads for Blazing-Fast Encryption.” ZDNet, July 9, 2020. https://www.zdnet.com/article/conti-ransomware-uses-32-simultaneous-cpu-threads-for-blazing-fast-encryption/.
(5) MITRE ATT&CK. “Data Encrypted for Impact.” Retrieved July 13, 2020. https://attack.mitre.org/techniques/T1486/.
(6) MITRE ATT&CK. “User Execution.” Retrieved July 13, 2020. https://attack.mitre.org/techniques/T1204/.