CONTI RANSOMWARE
Introduction
Conti ransomware made its first appearance in 2020 as it was being distributed by phishing emails containing a link to Google Drive which stores the initial payload.
Conti ransomware is currently the second most common active ransomware family and have been recorded to target organisations of medium to large size from many countries.
There is no decryptor for any of the active variants of the Conti ransomware and the average ransom required is $891,566 which can be paid via provided website addresses in the ransomware note.
Modus Operandi
Initial access
The threat actor uses a phishing email that has a link to Google Drive which stores the initial payload. As soon as the target opens the malicious file, the malicious script stored in the file attempts to download BazarLoader, a backdoor or IcedID, a banking Trojan. These malwares give the threat actors the capability to perform lateral movement and privilege escalation techniques with the assistance of additionally downloaded tools like Cobalt Strike and Meterpreter. It has been observed that threat actors have used vulnerabilities in software and hardware like the FortiGate firewall exploit, to attempt to gain initial access instead of phishing.
Installation
When a significant segment of the network or the active directories are infected with BazarLoader or IcedID, the Conti loader is downloaded and then decrypts the payload using a hard-coded key. The decrypted payload is then loaded into memory by using performing a technique of process hollowing, where the Conti creates a new process in a suspended state, then writes its malicious code into the process before resuming the execution of the suspended process. Conti also delete any shadow volume copies on the infected system to ensure that the victims will not be able to recover their encrypted files.
Encryption
Once the DLL is loaded, Conti starts its encryption and keeps lateral moving through the network to find more machines to target. Conti also scans the network for SMB – port 445 in the attempt of finding any shared folders it can access and then it will try to encrypt the files in the folders. Conti encrypts each file with an AES-256 key and then encrypted again with a bundled RSA-4096 public key which is unique per victim. Conti uses a fast-multithreading technique involving 32 simultaneous CPU threads when encrypting the files which means taking a short amount of time to complete the encryption and therefore there is very little time for the victim to notice the attack occurring.