CISA, the FBI, and the NSA have issued a joint warning to US organizations about increased attacks using Conti ransomware.
With the disappearance of REvil earlier this year, many affiliates switched strains, and Conti became one of the variants most commonly adopted by these criminals, which explains the rapid increase in attack attempts: the FBI has confirmed that it has observed at least 400 individual Conti attacks against domestic and foreign institutions. The advisory maps Conti actors' techniques to the MITRE ATT&CK framework; in a typical Conti attack, the malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
This year Conti carried out a major attack against Ireland's Health Service Executive (HSE) and Department of Health (DoH), demanding $20 million, and Ireland's health service is still recovering from it. The FBI has confirmed that healthcare continues to be one of the sectors most targeted by Conti.
Here we have yet another sophisticated and successful ransomware-as-a-service (RaaS) strain operating out of Russia. Conti actors are known to abuse legitimate remote monitoring and management (RMM) software and remote desktop software as backdoors to maintain persistence on victim networks. Tools such as Sysinternals utilities and Mimikatz are then used on the victim's network to obtain credentials and escalate privileges before the actors move laterally across the network and deploy the Conti malware.
Ransomware puts customer call centers on hold. A Conti ransomware attack on GSS, the Spanish and Latin American division of Covisian, a leading European customer care and call center provider, locked up its IT systems and disrupted the call center operations of companies such as Vodafone Spain, Madrid's water supplier, and several television stations. Details are few, but The Record by Recorded Future notes that GSS described the incident as "inevitable/unavoidable."
What happens with the attack?
More Technical Details
While Conti is considered a ransomware-as-a-service (RaaS) variant, its structure differs from the typical affiliate model. Conti's developers likely pay the deployers of the ransomware a wage rather than the percentage of proceeds paid to affiliates in other RaaS operations, and the developers receive a share of the proceeds from each successful attack.
Conti actors often gain initial access [TA0001] to networks through:
- Spearphishing campaigns using tailored emails that contain malicious attachments [T1566.001] or malicious links [T1566.002]. Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware, such as TrickBot, IcedID, and/or Cobalt Strike, to assist with lateral movement and later stages of the attack life cycle, with the eventual goal of deploying Conti ransomware.
- Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].
- Phone calls.
- Fake software promoted via search engine optimization.
- Other malware distribution networks (e.g., ZLoader).
- Common vulnerabilities in external assets.
Conti actors often use the open-source Rclone command-line program for data exfiltration [TA0010]. After the actors steal and encrypt the victim's sensitive data [T1486], they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with the public release of the data if the ransom is not paid.
The joint advisory from the US agencies recommends the following mitigations, which METMOX also suggests to secure our clients' environments:
- Use multi-factor authentication to remotely access networks from external sources.
- Implement network segmentation and filter traffic. Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
- Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
- Scan for vulnerabilities and keep software updated. Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
- Upgrade software and operating systems, applications, and firmware on network assets promptly. Consider using a centralized patch management system.
- Remove unnecessary applications and apply controls. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise.
- Implement endpoint detection and response (EDR) tools. EDR tools provide a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
- Limit access to resources over the network, especially by restricting RDP.
- Secure user accounts. Regularly audit logs to ensure that newly created accounts belong to legitimate users.
- Use the Ransomware Response Checklist in case of infection.
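As a defender-side illustration of two points above, the Rclone exfiltration described in the technical details and the "audit logs for new accounts" mitigation, here is an added Python example (not code from the advisory or from METMOX) that hunts constructed Sysmon process-creation and Windows Security 4720 records for both signals. The sample events, the approved-user list and the provisioning-account list are assumptions; in practice you would feed real telemetry and your own allowlists.

```python
"""Hunt constructed Windows event records for two Conti-related signals:
Rclone-style exfiltration (Sysmon Event ID 1) and new accounts (Security 4720)."""
import re

# Constructed sample events (not real telemetry); keys mirror Sysmon 1 / Security 4720.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\jdoe",
     "CommandLine": r'svchost.exe copy "\\FS01\Finance" mega:backup --transfers 20'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "User": "CORP\\jdoe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\backupsvc",
     "CommandLine": r"rclone.exe sync D:\exports b2:corp-offsite"},
    {"EventID": 4720, "TargetUserName": "svc_helpdesk2", "SubjectUserName": "jdoe"},
    {"EventID": 4720, "TargetUserName": "new.hire", "SubjectUserName": "hr-provisioning"},
]

# Rclone verbs that move data, followed by a "remote:path" destination; the remote name
# must be at least two characters so a local drive letter such as D: is not mistaken for it.
RCLONE_XFER = re.compile(r"\b(copy|sync|move)\b.*\s(?P<remote>[A-Za-z0-9_-]{2,}):\S*", re.I)

def is_rclone(ev):
    """Check OriginalFileName (from the PE version info) so a renamed binary is still caught."""
    return "rclone" in (ev.get("OriginalFileName", "") + ev.get("Image", "")).lower()

def detect_rclone_exfil(events, approved_users=()):
    """Return (user, remote, renamed) for Rclone transfers not run by an approved account."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_rclone(ev) or ev["User"] in approved_users:
            continue
        m = RCLONE_XFER.search(ev["CommandLine"])
        if not m:
            continue
        exe = ev["Image"].rsplit("\\", 1)[-1].lower()
        hits.append((ev["User"], m.group("remote"), ev["OriginalFileName"].lower() != exe))
    return hits

def detect_new_accounts(events, provisioning_accounts=()):
    """Event 4720 (user account created) by anyone other than sanctioned provisioning identities."""
    return [(ev["SubjectUserName"], ev["TargetUserName"]) for ev in events
            if ev.get("EventID") == 4720 and ev["SubjectUserName"] not in provisioning_accounts]

if __name__ == "__main__":
    print(detect_rclone_exfil(SAMPLE_EVENTS, approved_users={"CORP\\backupsvc"}))
    print(detect_new_accounts(SAMPLE_EVENTS, provisioning_accounts={"hr-provisioning"}))
```

The first sample shows why matching on OriginalFileName matters: the binary was renamed to svchost.exe, which a simple image-name rule would miss.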
If you’re battling this or a similar threat, you’ve come to the right place. The METMOX Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
Based on the different techniques used by the attackers, we have different processes to help our customers secure their organizations. Metmox's endpoint security offering includes data security, network security, advanced threat prevention, forensics, endpoint detection and response (EDR), and remote access VPN solutions.
We have a global consulting team standing by to assist you in providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://metmox.com/contact-us/