Getting to peek behind the curtains of a ransomware operation is rare. Figuring out the inner workings of modern ransomware-as-a-service operations is an investigation that can take hours upon hours to glean the smallest bits of information. Sometimes discoveries are made that pull the curtain back a little further. Recent blog posts by Vitali Kremez’s Advanced Intelligence have helped expose large sections of the Conti gang’s operations and tactics.
One such blog post revealed how affiliates gain persistence on a victim’s network and avoid detection by security applications.
Due to Cobalt Strike’s widespread use by a wide variety of threat actors security teams and applications actively look for indications that Cobalt Strike, initially used as a penetration testing tool, is present on a machine or network. This means hackers must come up with new methods of compromise, or novel uses of existing tools that prevent detection.
According to Advanced Intelligence, a Conti attack’s chain flow now involves the use of an Atera Agent. The chain flow begins with the initial compromise involving TrickBot, Buer, BazarBackdoor, or AnchorDNS.
Then a Cobalt Strike beacon is initialized, the Atera Agent is installed which is done to enable persistence and shell execution so that Cobalt Strike can survive detections.
Atera Agent is a legitimate IT management solution that can perform a variety of functions including remote control, patch management, discovery, inventory of IT assets, monitoring, security, and backing up data. Researchers noted regarding the use of the legitimate tool,
“The idea behind this tactic is to leveraging a legitimate remote management agent Atera to survive possible Cobalt Strike detections from the endpoint detection and response platform. Relying on the legitimate tool to achieve persistence is a core idea leverage by the ransomware pentesting team…While reviewing Conti incidents that we proactively identified, monitored, and alerted via our threat prevention platform Andariel, AdvIntel has identified that Atera played the key role in allowing secret backdoor installations on the host right after the Conti gang obtained initial access via TrickBot, BazarBackdoor, AnchorDNS, or Cobalt Strike directly.”
The use of the legitimate tool effectively allowed the Conti gang to regain access to infected protected environments, even if those environments had more advanced security applications that include machine learning and detection-response features. Interestingly the attackers would use the trial version of Atera linked to a burner account.
This was enough to gain a shell and obtainbackdoor access to the environment which was then maintained by the agent. Attackers favored Proton Mail and Outlook burner accounts when signing up for the trial version of Atera. Researchers noted,
“In most of the cases, the adversaries leveraged protonmail[.]com and outlook[.]com email accounts to register with Atera to receive an agent installation script and console access. Therefore, this backdoor access is not a central compromise of Atera, but rather a registration loophole leveraged by the adversaries to obtain Atera trial access simply via anonymous emails.”
Peek Behind the Curtain
Researchers were given a unique look into Conti’s operations when a disgruntled affiliate took to the Internet to list his grievances. It was not just his grievances that were on display but Conti’s playbook and documentation as reported by Bleeping Computer. The information was shared on a forum post by the disgruntled affiliate.
In the post, the affiliate claimed to have only been paid 1,500 USD for an attack. This is in comparison to the affiliate's claim that the core development group is making millions. In retaliation for this perceived imbalance with regards to labor and payment, the affiliate released information that includes the IP addresses for Cobalt Strike C2 servers and a 113 MB archive containing numerous tools and training material for conducting ransomware attacks.
This was followed by the angry individual releasing another archived file of approximately 111 MB in size. The archived file contained hacking tools, manuals written in Russian, training material, and help documents that are allegedly provided to affiliates when performing Conti ransomware attacks. Speaking to Bleeping Computer, Vitali Kremez said,
“We can confirm based on our active cases. This playbook matches the active cases for Conti as we see right now,” stating further, the ransomware expert noted, “By and large, it is the holy grail of the pentester operation behind the Conti ransomware "pentester" team from A-Z. The implications are huge and allow new pentester ransomware operators to level up their pentester skills for ransomware step by step. The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous and experienced they are while targeting corporations worldwide. It also provides a plethora detection opportunities including the group focus on AnyDesk persistence and Atera security software agent persistence to survive detections.”
It is this wealth of information that has allowed researchers to peek behind the curtain and similarly reveal the Conti Ransomware operation to how the Wizard of Oz was revealed. It also shows that ransomware operations are susceptible to the emotion of their human affiliates just like any organization who do not deal with disgruntled employees appropriately.
How Conti targets Organisations with Corporate Insurance
Along with the use of the Atera Agent, another revelation was how affiliates are instructed on how to target companies with insurance policies that may cover cyber incidents. This tactic was revealed by Advanced Intelligence in a separate blog post.
If policies are found, they are uploaded to a repository to be used by negotiators to better leverage their positions and secure the ransom demanded. This is done through the use of the tool rclone. The tool is described by researchers as,
“rclone is a program that enables the transfer of content on the cloud and other storage. With Rclone data can be synchronized with a configuration on an external source such as a cloud source creating an external copy of the information from a specific environment. Conti ransomware weaponizes this program in order to perform data exfiltration operations.”
The use of rclone is primarily for the exfiltration of data. Affiliates are instructed to look for documentation relating to finance, accounting, insurance, and a host of IT services. The information is not only used to gain more leverage on the victim when it comes to negotiations but is also used when determining what amount the attackers will deem appropriate for the ransom.
The data exfiltration tool, rclone, is then used to connect to a service like Mega to clone the data. Information stolen in this way can then be used in the ways mentioned above. Further, the information may contain sensitive data that the attackers could threaten to release if the ransom is not paid, commonly referred to as the double extortion technique.
The information gained through the public leaking of documents and tools by a disgruntled affiliate has provided a unique insight into the ever-evolving ransomware landscape. Hopefully, this information can be weaponized by security teams in order to defend networks.