CISA helps draw the Curtain on Conti Ransomware Operations

The Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory regarding the Conti ransomware. The advisory provides a comprehensive analysis of techniques used by the ransomware gang in the past and present. The advisory also noted that the Federal Bureau of Investigation (FBI) has observed more than 400 incidents involving ransomware internationally and in the US. The advisory also includes mitigation strategies to protect against falling victim to a Conti attack, measures that CISA, the FBI, and the NSA have adopted to secure their infrastructure.

Along with the advisory, CISA published a press release that provides some background as to the necessity as to the importance of the advisory.

cisa conti ransomware report

Various law enforcement officials are quoted in the press release but the quote provided by Rob Joyce, Director of Cybersecurity at NSA provides a unique view of the ransomware gang and why the advisory is necessary. Joyce notes,

“The cyber criminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (DIB), prior to Conti campaigns, and the advisory highlights actions organizations can take right now to counter the threat,”

As to whether a victim should pay the ransom it was noted,

“If an organization should become a victim of ransomware, CISA, FBI and NSA strongly discourage paying the ransom. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and does not guarantee that a victim’s files will be recovered. As a cybersecurity community, one of the best ways to prevent future ransomware attacks and hold these criminals accountable is for cyberattack victims to report it.”

This has been the standard response to whether or not a ransom should be paid for some time now, not just from US law enforcement but other international law enforcement bodies as well.

Often the reality of the situation is a lot more difficult to answer with a flat-out no to paying but with the information shared with the public concerning hopefully more attacks can be prevented. If an attack is successfully prevented it certainly makes the debate surrounding to pay or not to pay moot.

This publication has covered several developments and incidents regarding the Conti ransomware, including the use of secret backdoors and the abuse of virtual machines to prevent detection. The CISA advisory might be the most comprehensive collection of Conti tactics and information regarding the malware to date.

The Low Down

One of the standout bits of information the advisory hands out is the unique nature of the gang’s ransomware-as-a-service (RaaS) model. Typically, ransoms are shared across the gang with the developers, affiliates, and other third parties like initial access brokers receiving a percentage cut from successful operations.

Conti does things a little differently in that the malware’s developers appear to receive a salary rather than a split of the proceeds. This in turn might provide affiliates with a greater share of the spoils but there is also the increased need to infect more victims to extort more funds to cover the developers’ salaries or wages.

As for how initial access to a target's network is achieved, the advisory notes:

  • Spear phishing campaigns using tailored emails that contain malicious attachments or malicious links;
  • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or
  • Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials.
  • Phone calls;
  • Fake software promoted via search engine optimization;
  • Other malware distribution networks (e.g., ZLoader); and
  • Common vulnerabilities in external assets.

The gang has also been seen to make use of available penetration testing tools that scan for vulnerable Internet of Things devices, like routers, to gain a foothold into the victim’s infrastructure. Once access is gained remote monitoring and remote desktop software are abused to main persistence on a network by acting as a backdoor through which affiliates can access the network.

Lateral movement is typically secured by the use of documented vulnerabilities that include 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities, the "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler, and the "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems. The use of these vulnerabilities also helps the attackers escalate privileges which is vital for the stealing and encrypting of data.

As to the encryption of data, the CISA notes that the following is done to help ensure a successful operation,

“Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti ransomware can use "Windows Restart Manager" to ensure files are unlocked and open for encryption…Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop…Conti ransomware can delete Windows Volume Shadow Copies using vssadmin.”

The advisory goes into great depth on how to help mitigate against a Conti infection and can fill an article in itself. This should be treated as required reading allow with a list of attack patterns.

In summary, it is advised that multi-factor authentication be used wherever possible, organizations should implement network segmentation and filter traffic, and limit access to network resources especially if RDP connections are used.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal