
Conti Ransomware Threat Rising as Group Gains Affiliates

Playbook Leak Reveals Effective Training Program for Less-Sophisticated Affiliates
Signs of a Conti intrusion aimed at forcibly encrypting Veeam backups (Source: Vitali Kremez)

As the United States heads into a holiday weekend, experts are warning that ransomware-wielding attackers are sure to unleash crypto-locking chaos in the coming days.


White House officials say they have no intelligence tied to any specific attack, but they are sounding a cautionary note based on attackers' typical behavior. "Attackers view holidays and weekends - especially holiday weekends - as attractive time frames in which to target potential victims, including small and large businesses," the U.S. Cybersecurity and Infrastructure Security Agency warned this week.

Such warnings are being sounded by numerous security researchers too. "Expect elevated ransomware activity for the Labor Day weekend," says Vitali Kremez, CEO of threat-intelligence firm Advanced Intelligence.

Security experts count the Conti ransomware gang among the top threats: affiliates of the Conti operation have been behind a significant number of recent attacks, as has the LockBit 2.0 operation.

Affiliates Need New Operators

Security firm Sophos says that in the wake of multiple ransomware-as-a-service operations going dark - including big players such as DarkSide, Avaddon and REvil, aka Sodinokibi - Conti appears to have been recruiting many of their former affiliates. Operators develop and distribute ransomware, while affiliates take it and use it to infect victims, and then share in any resulting ransom payment.

"Conti are super active lately," says British information security researcher Kevin Beaumont. At least some affiliates are apparently so unconcerned about attacks in progress being detected that when the ransomware forcibly encrypts a file - before deleting the original - it appends a ".locker" extension to the file, leaving no doubt as to what's happening, he notes.

Ransomware attackers might claim to never hit certain targets, such as healthcare organizations, and to set ransom demands based only on what an organization can pay. But as Conti's attack on Ireland's national health system in May demonstrated, there are no guarantees. And as one recent negotiation between a small business and Conti - published by the MalwareHunterTeam research team - demonstrates, claims that ransom demands are carefully calibrated look like yet more lies (see: Secrets and Lies: The Games Ransomware Attackers Play).

Operators Seek Fresh Affiliates

To maximize profits, the more sophisticated ransomware operations regularly seek to recruit the most highly skilled affiliates. To do so, ransomware operations such as LockBit regularly extol the quality of their code and its ability to not only encrypt but also decrypt files, which is key for affiliates who want to see ransoms get paid. LockBit also regularly touts the speed of its ransomware, because faster encryption leaves victims less time to respond (see: 9 Takeaways: LockBit 2.0 Ransomware Rep 'Tells All').

Ransomware operators will also sometimes train less experienced affiliates. Instead of sharing a cut of every ransom paid - 70% going to an affiliate is not uncommon - operators may instead pay less-skilled affiliates a relatively low wage.

This appears to be the case based on a leaked Russian-language Conti attack playbook, for which Cisco Talos has published a translation.

This isn't the first such playbook to be leaked, likely by an unhappy affiliate or business competitor. But every one that has come to light demonstrates that many ransomware operations "clearly provide comprehensive documentation to their affiliates," helping to educate these business partners regardless of their previous experience, according to a Cisco Talos overview.

"This documentation allows both seasoned criminals and those newer to the scene the ability to conduct large-scale, damaging campaigns," the Cisco Talos researchers say. "This shows that although some of the techniques used by these groups are sophisticated, the adversaries carrying out the actual attacks may not necessarily be advanced."

7 Takeaways: Leaked Conti Playbook

Here are takeaways from the playbook translation, as well as the analysis published by Cisco Talos:

  • Ukraine: The individual who leaked the playbook appears to have been a low-level affiliate based in Ukraine who was being paid a salary of approximately $1,500 to work as a "pentester" - an individual who focuses on gaining initial access to a victim's network.
  • Active Directory: The guide includes substantial detail on how AD networks tend to be structured in the U.S. and Europe.
  • Admin access targeted: "The adversaries list several ways to hunt for administrator access once on the victim network," Cisco Talos says, including using the AdFind command-line tool to enumerate Active Directory users.
  • OSINT: The guide also describes how to use open-source intelligence sources, such as LinkedIn, "to identify roles and users with privileged access," as well as reading the comment fields on Active Directory objects to work out which individuals hold which roles and responsibilities, the researchers say.
  • Cobalt Strike walk-through: The playbook gives readers a walk-through of version 4.3 of this commercial penetration testing and adversary-emulation tool.
  • Red-team tools: The playbook describes several tools that haven't previously been seen in many attacks, including Armitage, a graphical red-team front end built on Metasploit, and SharpView, a .NET port of PowerView, the Active Directory enumeration module from the PowerSploit offensive PowerShell toolkit.
  • Credential dumping: The playbook outlines the use of SharpChrome, part of the SharpDPAPI project, to decrypt saved Chrome logins and cookies, and Seatbelt, a GhostPack host-survey tool, to collect saved credentials and other sensitive artifacts from the Windows host.

The Cobalt Strike version included in the playbook (Source: Cisco Talos)

Conti Attack Life Cycle: 5 Days

The Conti operation's ability to recruit or train affiliates with sufficient skills to rapidly take down targets continues to be documented by incident responders.

Peter Mackenzie, the incident response manager for security firm Sophos, warns that LockFile ransomware-wielding attackers as well as Conti affiliates have been increasingly exploiting the ProxyShell flaws in Microsoft Exchange servers. The flaws - CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 - were first demonstrated at the Pwn2Own contest in April. Microsoft patched them in April and May, but the two April fixes were only assigned CVEs in July, and the full exploit chain was detailed publicly at Black Hat in August, after which in-the-wild exploitation surged. Exchange administrators who applied the April and May cumulative updates are covered; anyone still on an older build should treat their server as exposed.

"As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours," he says in a new report co-authored with Sean Gallagher of Sophos.

Summary of Conti’s ransomware tools displayed in the MITRE ATT&CK framework (Source: Sophos)

Conti Attack Stages

In one Conti attack that exploited ProxyShell, Mackenzie says attackers were able to move extremely quickly before leaving all systems crypto-locked. Here's a timeline of how the attack proceeded, as described by Sophos:

  1. ProxyShell exploit: After using this to gain access to the victim's network, the attacker created a remote web shell in less than 60 seconds.
  2. Backup web shell: Less than three minutes later, the attacker installed a second web shell to provide persistent network access.
  3. Domain mapping: Less than 30 minutes later, "they had generated a complete list of the network's computers, domain controllers, and domain administrators," Mackenzie says.
  4. Admin credentials: Four hours later, "the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands," Mackenzie says.
  5. Data exfiltration: Less than 48 hours after first breaching the network, the attacker had exfiltrated 1TB of data.
  6. Ransomware unleashed: Five days after gaining remote access, the attacker used Active Directory credentials they'd obtained to target network shares and endpoints to install ransomware wherever possible.

While rapid, the attack appears to have been both methodical and thorough. "Over the course of the intrusion, the Conti affiliates installed no fewer than seven backdoors on the network: two web shells, Cobalt Strike, and four commercial remote access tools - AnyDesk, Atera, Splashtop and Remote Utilities," Mackenzie and Gallagher say. "The web shells, installed early on, were used mainly for initial access; Cobalt Strike and AnyDesk were the primary tools they used for the remainder of the attack."

In addition, while moving relatively quickly, the attacker "took time to thoroughly document the network of the victim before springing the attack, and minimized the opportunities of discovery of the ransomware itself by running it from servers rather than on each targeted machine," they say (see: Ransomware: Strategies for Faster Detection and Response).
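The attack timeline above is what a defender has to reconstruct from endpoint telemetry after the fact, and ideally spot while it is still in progress. The following Python is an added example written for this article, not code from Sophos, Cisco Talos or the leaked playbook. It runs fingerprints for the stages the text names over a constructed set of Sysmon-style process-creation events: the IIS worker process spawning a shell for the web shells, AdFind's own command-line switches for the domain mapping that the playbook's admin-hunting section describes (so a renamed adfind.exe is still caught), the process names of the four commercial remote access tools Sophos listed for the backdoors, and a "several UNC share paths on one command line from a server" heuristic for the ransomware run. It then reports the order in which stages first appeared, the backdoors seen and the dwell time from first web shell to encryption. The RMM process names and the UNC heuristic are assumptions to be tuned against your own inventory, the sample events are constructed rather than taken from a real incident, and credential theft (stage 4) leaves no process-creation fingerprint in this data, so it is not modelled.

```python
"""Stage-reconstruction hunt over process-creation telemetry.

Example code written for this article, not code from Sophos, Cisco Talos or
the leaked playbook. The events below are CONSTRUCTED, not from a real
incident; the detection fingerprints come from the tools the text names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the shape of Sysmon event 1 / Windows 4688)."""
    ts: datetime
    host: str
    parent: str   # parent image file name
    image: str    # image file name
    cmdline: str


# Stages 1-2: the IIS worker process spawning a shell is the web-shell tell on Exchange.
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Stage 3: AdFind's own switches (-f filter, -sc trustdmp, -gcb, -subnets), so a
# renamed adfind.exe is still caught by its arguments.
ADFIND_ARGS = re.compile(
    r'(?:\s-f\s+"?\(?objectcategory=|\s-sc\s+trustdmp\b|\s-gcb\b|\s-subnets\b)',
    re.IGNORECASE,
)

# Backdoors: process names of the four commercial RMM tools Sophos listed.
# ASSUMPTION: these are the usual agent/service names; verify against your inventory.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "srserver.exe": "Splashtop",
    "rutserv.exe": "Remote Utilities",
    "rfusclient.exe": "Remote Utilities",
}

# Stage 6 heuristic (constructed for this example): a binary on a server handed
# several UNC share paths on one command line, the "run it from servers against
# shares" pattern the text describes. Real payload fingerprints vary; tune it.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
UNC_THRESHOLD = 3


def classify(ev: ProcEvent) -> Optional[str]:
    """Map one event to an intrusion stage, or None if nothing matches."""
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent == IIS_WORKER and image in SHELLS:
        return "web_shell"
    if image == "adfind.exe" or ADFIND_ARGS.search(ev.cmdline):
        return "ad_enumeration"
    if image in RMM_IMAGES:
        return "rmm_backdoor"
    if len(set(UNC_PATH.findall(ev.cmdline))) >= UNC_THRESHOLD:
        return "share_encryption"
    return None


def first_sightings(events: list[ProcEvent]) -> dict[str, ProcEvent]:
    """First event per stage, keyed in the order the stages were first seen."""
    seen: dict[str, ProcEvent] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage is not None and stage not in seen:
            seen[stage] = ev
    return seen


def backdoors(events: list[ProcEvent]) -> set[str]:
    """Distinct RMM products launched anywhere in the data set."""
    return {RMM_IMAGES[ev.image.lower()] for ev in events if ev.image.lower() in RMM_IMAGES}


def dwell_time(events: list[ProcEvent]) -> Optional[timedelta]:
    """Time from the first web shell to the first share-encryption run, if both occur."""
    first = first_sightings(events)
    if "web_shell" in first and "share_encryption" in first:
        return first["share_encryption"].ts - first["web_shell"].ts
    return None


T0 = datetime(2021, 8, 2, 9, 0, 10)  # constructed start of the intrusion

# CONSTRUCTED sample telemetry mirroring the five-day timeline in the text.
SAMPLE_EVENTS = [
    ProcEvent(T0, "exch01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(T0 + timedelta(minutes=2, seconds=40), "exch01", "w3wp.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c Get-ChildItem C:\\inetpub\\wwwroot"),
    ProcEvent(T0 + timedelta(minutes=25), "exch01", "cmd.exe", "adfind.exe",
              'adfind.exe -f "objectcategory=computer" name operatingSystem'),
    ProcEvent(T0 + timedelta(minutes=26), "exch01", "cmd.exe", "af.exe",      # renamed AdFind
              "C:\\Temp\\af.exe -sc trustdmp"),
    ProcEvent(T0 + timedelta(hours=4), "exch01", "cmd.exe", "anydesk.exe", "AnyDesk.exe --install"),
    ProcEvent(T0 + timedelta(days=1), "app01", "services.exe", "ateraagent.exe", "AteraAgent.exe"),
    ProcEvent(T0 + timedelta(days=2), "app01", "services.exe", "rutserv.exe", "rutserv.exe -run_agent"),
    ProcEvent(T0 + timedelta(days=3), "wks17", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(T0 + timedelta(days=3, hours=1), "wks17", "cmd.exe", "net.exe",
              "net use Z: \\\\fs01\\finance"),                                # one share: benign
    ProcEvent(T0 + timedelta(days=5), "app01", "cmd.exe", "locker.exe",
              "C:\\Windows\\Temp\\locker.exe \\\\fs01\\finance \\\\fs01\\hr \\\\wks17\\c$"),
]

if __name__ == "__main__":
    for stage, ev in first_sightings(SAMPLE_EVENTS).items():
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S}  {stage:<17} {ev.host:<7} {ev.cmdline}")
    print("backdoors:", ", ".join(sorted(backdoors(SAMPLE_EVENTS))))
    print("dwell time:", dwell_time(SAMPLE_EVENTS))
```

Run as a script it prints the four stages in order, the three RMM products present in the sample, and a dwell time of five days. The point of keying AdFind on its switches rather than its file name is that the renamed copy at minute 26 is still flagged; the point of the dwell-time function is that the "weeks to days to hours" trend Sophos describes is something you can measure in your own telemetry rather than read about.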

As ransomware operations such as Conti continue to not only recruit sophisticated affiliates but also give lower-skilled partners the skills required to take down even large networks, clearly defenders still have their work cut out for them.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
