Double Extortion Ransomware and the Heightened Surge of Conti Attacks

Government agencies, including CISA, FBI, and NSA, have issued a stern caution to US organizations regarding the escalating threat posed by Conti Ransomware.

Following the disappearance of REvil earlier this year, criminal affiliates shifted their focus to alternative strains, with Conti being one of the favored variants. This shift in tactics explains the sudden surge in attack attempts, with the FBI confirming a staggering count of at least 400 separate attacks against both domestic and foreign institutions. Conti ransomware employs the MITRE ATT&CK techniques, typically involving the theft of files, encryption of servers and workstations, and subsequent ransom demands.

This year, Conti executed a large-scale assault on Ireland's Health Service Executive (HSE) and Department of Health (DoH), demanding a staggering $20 million in ransom. The repercussions of this attack are still felt within Ireland's Health Service as they continue their recovery efforts. The FBI has substantiated that healthcare institutions remain one of the primary targets for Conti's malicious campaigns.

Once again, we are faced with a highly sophisticated and successful ransomware-as-a-service (RaaS) strain originating from Russia. Conti specifically exploits legitimate remote monitoring and management software, as well as remote desktop software, as backdoors for establishing persistence within victim networks. Subsequently, legitimate tools such as Sysinternals and Mimikatz are utilized within the victim's network to acquire credentials, escalate privileges, and subsequently propagate the Conti malware throughout the network.

In a recent incident, a Conti ransomware attack on GSS, the Spanish and Latin America division of Covisian, a prominent European customer care and call center provider, resulted in the complete lockdown of their IT systems and severe disruption to call center operations for companies like Vodafone Spain, Madrid's water supplier, and television stations. While details are scarce, reports indicate that GSS described the incident as "inevitable/unavoidable."

What Transpires During an Attack?

Ransomware groups actively seek out and prey upon victims who rely on outdated cybersecurity products. These solutions often struggle to keep pace with modern, sophisticated attacks due to their reliance on obtaining a malware sample before creating signatures for defense.

Like many other ransomware gangs, Conti eradicates all shadow copy files on a system, rendering simple restoration impossible.

In May, the Federal Bureau of Investigation (FBI) disclosed that the Conti ransomware gang had targeted at least 16 healthcare and first responder organizations.

In August, an affiliate of the Conti RaaS leaked training materials provided by the group to its RaaS customers. The affiliate also disclosed information about one of the operators involved.

The Conti Ransomware operators offer their services to affiliates while retaining 20-30% of each ransom payment.

The affiliate divulged the IP addresses for Cobalt Strike C2 servers, along with an archive of 113 MB containing training materials and tools shared by the Conti operators with their network for conducting ransomware attacks.

Further Technical Insights

Although Conti is classified as a ransomware-as-a-service (RaaS) model, there are variations in its structure that set it apart from the typical affiliate model. Conti developers likely provide wages to the deployers of the ransomware instead of a percentage of the proceeds, as seen in affiliate-based operations. The developers, in turn, receive a share of the ransom from successful attacks.

Conti actors commonly gain initial access to networks through various means, including spear-phishing campaigns employing tailored emails with malicious attachments or links, malicious Word attachments embedded with scripts for downloading additional malware like TrickBot, IcedID, or Cobalt Strike to facilitate lateral movement and aid in deploying the Conti ransomware. Other entry points include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, other malware distribution networks (e.g., ZLoader), and exploiting common vulnerabilities in external assets.

Conti actors frequently employ the open-source Rclone command-line program for data exfiltration. Once the actors steal and encrypt sensitive data, they resort to a double extortion technique, demanding a ransom for the release of the encrypted data and threatening to publicly expose the data if the ransom is not paid.

Ref: https://us-cert.cisa.gov/

Advisory from Various US Agencies & Mitigation Recommendations by UltraViolet Cyber

1. Implement multi-factor authentication for remote network access.
2. Establish robust network segmentation and traffic filtering to hinder ransomware propagation. Create a demilitarized zone that restricts unregulated communication between networks.
3. Utilize URL blocklists or allowlists to prevent user access to malicious websites.
4. Conduct regular vulnerability scans and keep software up to date. Enable antivirus/antimalware programs with updated signatures to scan network assets.
5. Promptly upgrade software, operating systems, applications, and firmware on network assets. Consider employing a centralized patch management system.
6. Remove unnecessary applications and implement controls. Conti threat actors exploit legitimate applications, such as remote monitoring and management software, and remote desktop software, for malicious purposes.
7. Deploy endpoint detection and response tools for enhanced security visibility and protection against cyber threats.
8. Restrict network access, particularly for Remote Desktop Protocol (RDP).
9. Ensure the security of user accounts and regularly audit logs to validate legitimacy.
10. Refer to the Ransomware Response Checklist in case of infection.

If your organization is grappling with this or a similar threat, UltraViolet Cyber Incident Response team is ready to assist you. Our team comprises world-class consultants dedicated to managing response and containment services for various incidents, including ransomware and Advanced Persistent Threat (APT) cases.

UltraViolet Cyber offers comprehensive endpoint security solutions, encompassing data security, network security, advanced threat prevention, forensics, endpoint detection and response (EDR), and remote access VPN. We provide global consulting teams available around the clock to offer necessary support, including localized assistance. Reach out to us for immediate assistance.

Frequently Asked Questions