Despite being a relatively new threat in the cybersecurity arena, Conti ransomware already became a big menace for organizations worldwide. Since its emergence in May 2020, security researchers have reported at least 150 successful attacks against retail, manufacturing, construction, and other industries in North America and Western Europe. Notably, Conti operators apply a double extortion scheme against their victims, demanding a ransom for decryption and leaking the stolen data if not paid.
What Is Conti Ransomware?
According to the latest analysis from Cyberseason, Conti is a very offensive malware, able of auto-spreading, fast encryption, successful evasion, and lateral movement. Currently, it is actively promoted according to the Ransomware-as-a-Service (RaaS) model on various darknet forums. Besides, Conti Gang has established exclusive partnerships with TrickBot maintainers who outplaced Ryuk ransomware in favor of Conti during summer 2020. Strong promotion by TrickBot gang, swift update cycle, shared code samples, and enhanced features make Conti ransomware a full-fledged Ryuk successor as of its malicious capabilities.
Conti Gang has pushed three versions of the ransomware since May 2020, making each subsequent release even more notorious. The latest version received:
- Improved spreading features that leverage SMB to lock multiple hosts inside the compromised network;
- Better encryption routine, which relies on multithreading technique to achieve fast files locking within 32 simultaneous encryption threads;
- Enhanced evasion tactics, which enables anti-analysis by hiding Windows API calls and leveraging a dedicated Python debugger.
Security researchers from ClearSky reveal that Conti ransomware operators might be tied to the Russia-affiliated hacking collective known as Wizard Spider. Previously, this threat group was identified to maintain the notorious Ryuk ransomware, and the analysis of the attack against an unnamed Canadian firm points that the same actors stand behind Conti intrusions.
Conti Ransomware Attacks
According to the security experts, Conti is predominantly deployed with the help of TrickBot malicious infrastructure. The infection routine follows the same pattern in most cases. Victims receive a phishing email with malicious links inserted into its body. In case clicked, URLs redirect users to the Google drive containing Bazar Trojan executables. Once installed, Bazar drops Conti ransomware onto the compromised network.
To date, the Conti Gang has successfully hit over 150 businesses worldwide, most of which are located in North America. The number of victims is constantly growing, which is reflected in a dedicated Conti website launched by ransomware maintainers. Adversaries use this webpage in double extortion schemes to leak pieces of stolen information and push their victims to pay the ransom. For example, in December 2020, Conti developers placed two ZIP archives presumably containing 3GB of data exfiltrated from Advantech IoT manufacturer. The same month hackers leaked data from Scottish Environment Protection Agency (SEPA) to its webpage. The most recent attacks of the notorious ransomware group hit several US healthcare institutions, including Leon Medical Centers and Nocona General Hospital. Conti Gang leaked hundreds of patient records in an extortion attempt.
One of SOC Prime’s most active Threat Bounty developers, Osman Demir, has recently resealed an exclusive Sigma rule aimed at Conti attack detection. To identify techniques and procedures associated with Conti ransomware infection and prevent the attack, you are welcome to download dedicated SOC content from Threat Detection Marketplace via the following link.
The rule has translations to the following platforms:
SIEM: Azure Sentinel, QRadar, Splunk, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness
EDR: Microsoft Defender ATP, CrowdStrike
Tactics: Impact, Privilege Escalation, Defense Evasion, Discovery
Techniques: Data Encrypted for Impact (T1486), Process Injection (T1055), Remote System Discovery (T1018)
Unless you don’t have a paid access to the Threat Detection Marketplace, this exclusive Sigma rule can be unlocked by activating your free trial under a community subscription. Additionally, we recommend that you pay attention to the community Sigma rule also covering Conti infection: https://tdm.socprime.com/tdm/info/agjZV60tJUSw/7sZ6gHMBSh4W_EKGHbAy/#rule-context
Subscribe to Threat Detection Marketplace, the world’s biggest Detection as Code platform aggregating 100K+ Detection and Response rules easily convertible to various platforms. Have a desire to join SOC Prime’s community of cyber defenders and contribute to the industry-leading SOC content library? Join our Threat Bounty Program for a safer future!