Threat Thursday - Conti Ransomware
You may have noticed that SCYTHE really believes in collaboration, which is why we continue to push the industry forward towards Purple Teaming. To stay ahead of the attackers, we must work together: Cyber Threat Intelligence, Red Teams, and Blue Teams. For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TruKno, which provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently. TruKno is an aggregator of CTI, and in this case they leveraged another partner we have sponsored and supported for some time: The DFIR Report. As usual, we cover how to detect and respond to the behaviors of Conti so that you can avoid the business impact of ransomware.
Cyber Threat Intelligence
This week we are leveraging a new platform from a startup called TruKno. You can access the beta dashboard here. The site makes it easy to navigate adversary behaviors/TTPs at the procedure level, which is the level of detail required to create adversary emulation plans. We are also leveraging a partner we have sponsored and supported for some time: The DFIR Report.
Conti is currently the “King of Ransomware on the DarkWeb” according to DarkTracer. Interestingly, and probably a coincidence, all of the ransomware we have shared in previous Threat Thursdays are no longer active (Maze, Ryuk, Egregor, DarkSide).
Conti ransomware has impacted healthcare and first responder networks as per this FBI Flash and multiple news outlets covering the Ireland, New Zealand, and Canada health services. Because Conti has hit hundreds of organizations, there is enough CTI to create an adversary emulation plan.
We have created multiple ways to visualize the Conti Cyber Threat Intelligence: an ATT&CK Navigator Heat Map, a SCYTHE Heat Map, and a VECTR Escalation Path.
Adversary Emulation Plan
As usual, we have created and shared the Conti ransomware adversary emulation plan in our GitHub. Here is a table with the CTI analyzed and organized for easier consumption:
| Field | Details |
| --- | --- |
| Description | Conti is currently the most active ransomware threat according to DarkTracer. It performs double extortion in environments to ensure payment is received. |
| Execution | T1059.001 - Command and Scripting Interpreter: PowerShell<br>T1059.003 - Command and Scripting Interpreter: Windows Command Shell |
| Command and Control | T1071 - Application Layer Protocol: HTTPS heartbeat of 62 seconds and jitter of 39%<br>T1573 - Encrypted Channel: HTTPS |
| Initial Access | T1566.001 - Spearphishing Attachment<br>T1566.003 - Spearphishing via Service |
| Defense Evasion | T1218.011 - Signed Binary Proxy Execution: Rundll32<br>T1112 - Modify Registry |
| Discovery | T1010 - Application Window Discovery<br>T1083 - File and Directory Discovery<br>T1057 - Process Discovery<br>T1012 - Query Registry<br>T1082 - System Information Discovery<br>T1016 - System Network Configuration Discovery<br>T1033 - System Owner/User Discovery |
| Persistence | T1136.001 - Local Account: net user /add /Y nuuser 7HeC00l3stP@ssw0rd<br>T1543.003 - Windows Service |
| Credential Access | T1003.001 - LSASS Memory |
| Lateral Movement | T1021.001 - Remote Desktop Protocol<br>T1021.002 - SMB/Windows Admin Shares |
| Collection | T1074.001 - Local Data Staging<br>T1560.002 - Archive via Library |
| Exfiltration | T1041 - Exfiltration Over C2 Channel |
| Impact | T1486 - Data Encrypted for Impact<br>T1489 - Service Stop<br>T1531 - Account Access Removal<br>T1491.001 - Internal Defacement |
- Download and import the threat in JSON format to your SCYTHE instance - https://raw.githubusercontent.com/scythe-io/community-threats/master/Conti/Conti_scythe_threat.json
- Download the Virtual File System (VFS) files under Conti/VFS
- Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Conti
- Create a new campaign, selecting HTTPS, and ensuring the communication options match the CTI: --cp yourdomain[.]com:443 --secure true --multipart 10240 --heartbeat 62 --jitter 39
- Set the Program database path to: A:\source\conti_v3\x64\Release\cryptor_dll.pdb
- Import from Existing Threat: Conti
- Launch Campaign
- Execute with rundll32.exe
Note that different TTPs will be performed based on the endpoint being on a domain or not and running with local administrator privileges or not.
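The Command and Control row of the CTI table and the campaign communication options (heartbeat 62 seconds, jitter 39%) define the traffic pattern a defender will see: one host opening HTTPS connections to one destination at intervals that wobble around a fixed value. The following is an added example, not SCYTHE's code or the campaign's own logic, showing how a blue team can score a series of connection timestamps for that kind of periodicity. The jitter model (a uniform stretch of +/-39% around 62 seconds) is an assumption used only to construct the sample data; the thresholds are illustrative starting points.

```python
"""Heartbeat/jitter periodicity check over per-host connection times.

Added example (not SCYTHE's code): given the timestamps of one host's
HTTPS connections to one destination, estimate the beacon interval and
its relative variability, and flag series whose gaps cluster tightly
around one value the way a fixed heartbeat with bounded jitter does.
"""
from itertools import cycle
import statistics


def generate_beacon_times(heartbeat=62.0, jitter_pct=39.0, count=40, start=0.0):
    """Constructed sample: timestamps spaced by `heartbeat` seconds, each gap
    stretched by a repeating jitter pattern spanning -jitter..+jitter percent.
    A fixed pattern (not random) keeps the expected statistics exact."""
    pattern = cycle([-1.0, -0.5, 0.0, 0.5, 1.0])
    times, t = [], start
    for _ in range(count):
        times.append(t)
        t += heartbeat * (1.0 + next(pattern) * jitter_pct / 100.0)
    return times


def times_from_intervals(intervals, start=0.0):
    """Constructed sample helper: build timestamps from an explicit list of gaps."""
    times, t = [start], start
    for gap in intervals:
        t += gap
        times.append(t)
    return times


def interval_profile(times):
    """Median gap between consecutive connections and its median absolute
    deviation (MAD). spread = MAD / median is a unit-free jitter estimate:
    a 62 s sleep with +/-39% jitter gives roughly 0.2, while irregular
    human traffic gives values near or above 1."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return {"connections": len(times), "median": None, "mad": None, "spread": float("inf")}
    median = statistics.median(gaps)
    mad = statistics.median(abs(g - median) for g in gaps)
    spread = mad / median if median > 0 else float("inf")
    return {"connections": len(times), "median": median, "mad": mad, "spread": spread}


def looks_like_beacon(times, min_connections=20, max_spread=0.5):
    """Flag a series as a candidate C2 heartbeat when there are enough
    connections and the gaps are tightly clustered. Both thresholds are
    illustrative; tune them against your own environment's baseline."""
    profile = interval_profile(times)
    return profile["connections"] >= min_connections and profile["spread"] <= max_spread


# Constructed irregular gap list standing in for ordinary user browsing.
BROWSING_GAPS = [3, 420, 9, 1800, 61, 2, 950, 15, 3600, 7,
                 240, 30, 5400, 4, 77, 12, 1200, 6, 300, 20]

if __name__ == "__main__":
    conti_like = generate_beacon_times()
    browsing = times_from_intervals(BROWSING_GAPS)
    for name, series in (("conti-like", conti_like), ("browsing", browsing)):
        p = interval_profile(series)
        print(f"{name}: connections={p['connections']} median={p['median']:.1f}s "
              f"spread={p['spread']:.2f} beacon={looks_like_beacon(series)}")
```

The MAD-over-median ratio is deliberately insensitive to the absolute interval, so the same check works whether an implant sleeps for 62 seconds or 62 minutes; what it cannot see is a beacon that changes destinations or hides inside a busy legitimate connection stream, so group connections per (source, destination) pair before scoring.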
Detect and Respond
The FBI Flash covers a number of mitigations, which we reproduce in this post, but we also want to add a few items related to detection and response. Prevention will make initial access and execution a little harder, but for those who, logically, work under an assumed-breach model, we need detection and response:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Require administrator credentials to install software.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
- Detect when new services are created on endpoints.
- Detect when certain registry keys are modified, such as enabling Remote Desktop Protocol.
- Detect when new users are created and/or added to the local administrator group.
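The three detection items above map onto standard Windows event IDs: a service installation is System event 7045, a registry value change is Security event 4657 (only present when the key carries an audit SACL), a user creation is Security event 4720, and a group membership change on a local group is Security event 4732. As an added example that is not SCYTHE's code, the following runs those checks over a handful of constructed event records and adds one correlation the Persistence row of the CTI table calls for: a freshly created account being added to the local Administrators group shortly afterwards. The record layout is a simplified stand-in for what a log pipeline forwards (not an EVTX parser), and the hostname, account SIDs, service name and image path are made up.

```python
"""Detections for new services, RDP enabled via the registry, and new
local users / local admins, run over constructed Windows event records.
Added example, not SCYTHE's code. Event IDs are the standard Windows ones
(Security 4720, 4732, 4657; System 7045); hostnames, SIDs and paths in the
sample are invented."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"          # well-known local Administrators group
TERMINAL_SERVER_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_DENY_VALUE = "fDenyTSConnections"        # 0 = RDP connections allowed


def alert(rule, ev, detail):
    return {"rule": rule, "host": ev["host"], "time": ev["time"], "detail": detail}


def detect_new_service(ev):
    """System 7045: a service was installed (T1543.003)."""
    if ev["log"] == "System" and ev["event_id"] == 7045:
        d = ev["data"]
        return alert("new_service_installed", ev, f"{d['ServiceName']} -> {d['ImagePath']}")
    return None


def detect_rdp_enabled(ev):
    """Security 4657: registry value modified (T1112). Fires only when the
    Terminal Server key is audited; fDenyTSConnections going to 0 enables RDP."""
    if ev["log"] == "Security" and ev["event_id"] == 4657:
        d = ev["data"]
        if (d["ObjectName"].lower() == TERMINAL_SERVER_KEY.lower()
                and d["ObjectValueName"] == RDP_DENY_VALUE and d["NewValue"] == "0"):
            return alert("rdp_enabled_via_registry", ev,
                         f"{RDP_DENY_VALUE} set to 0 by {d['SubjectUserName']}")
    return None


def detect_user_created(ev):
    """Security 4720: a user account was created (T1136.001)."""
    if ev["log"] == "Security" and ev["event_id"] == 4720:
        d = ev["data"]
        return alert("local_user_created", ev,
                     f"{d['TargetUserName']} ({d['TargetSid']}) by {d['SubjectUserName']}")
    return None


def detect_local_admin_added(ev):
    """Security 4732: member added to a security-enabled local group. Match
    the Administrators group by its well-known SID, not its display name."""
    if ev["log"] == "Security" and ev["event_id"] == 4732:
        d = ev["data"]
        if d["TargetSid"] == ADMINISTRATORS_SID:
            return alert("member_added_to_local_admins", ev,
                         f"{d['MemberSid']} added by {d['SubjectUserName']}")
    return None


RULES = (detect_new_service, detect_rdp_enabled, detect_user_created, detect_local_admin_added)


def run_detections(events, window=timedelta(minutes=10)):
    """Apply every rule to every event in time order, plus one correlated
    alert when an account created on a host joins that host's Administrators
    group within `window` (the net user /add followed by group add pattern)."""
    alerts, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a)
        d = ev["data"]
        if ev["log"] == "Security" and ev["event_id"] == 4720:
            created[(ev["host"], d["TargetSid"])] = ev["time"]
        elif ev["log"] == "Security" and ev["event_id"] == 4732 and d["TargetSid"] == ADMINISTRATORS_SID:
            born = created.get((ev["host"], d["MemberSid"]))
            if born is not None and ev["time"] - born <= window:
                alerts.append(alert("new_account_made_local_admin", ev,
                                    f"{d['MemberSid']} was created {ev['time'] - born} earlier"))
    return alerts


def _ev(minute, log, event_id, **data):
    """Constructed record: one host, one morning, fields flattened into `data`."""
    return {"host": "WS01", "time": datetime(2021, 6, 3, 10, minute),
            "log": log, "event_id": event_id, "data": data}


# Constructed sample: the Conti-style sequence plus two benign records.
SAMPLE_EVENTS = [
    _ev(0, "Security", 4720, SubjectUserName="jdoe", TargetUserName="nuuser",
        TargetSid="S-1-5-21-111-222-333-1105"),
    _ev(1, "Security", 4732, SubjectUserName="jdoe", TargetUserName="Administrators",
        TargetSid=ADMINISTRATORS_SID, MemberSid="S-1-5-21-111-222-333-1105"),
    _ev(3, "System", 7045, ServiceName="UpdateSvc", ImagePath=r"C:\Users\Public\svc.exe"),
    _ev(4, "Security", 4657, SubjectUserName="jdoe", ObjectName=TERMINAL_SERVER_KEY,
        ObjectValueName=RDP_DENY_VALUE, NewValue="0"),
    _ev(5, "Security", 4732, SubjectUserName="helpdesk", TargetUserName="Remote Desktop Users",
        TargetSid="S-1-5-32-555", MemberSid="S-1-5-21-111-222-333-1001"),  # benign: not Administrators
    _ev(6, "Security", 4657, SubjectUserName="SYSTEM", ObjectName=TERMINAL_SERVER_KEY,
        ObjectValueName="MaxIdleTime", NewValue="900000"),                  # benign: other value
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a['time']:%H:%M} {a['host']} {a['rule']}: {a['detail']}")
```

Two practical notes: 4657 will never appear unless object access auditing is enabled and a SACL is set on the Terminal Server key, so a Sysmon or EDR registry telemetry source is the usual substitute; and matching the Administrators group by SID rather than by name keeps the rule working on localized systems and on hosts where the group has been renamed.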
Conti is the current “King of Ransomware” and we don’t like it. We hope that by analyzing the cyber threat intelligence from their damaging attacks, we can provide adversary emulation plans so that you can test, measure, and improve your people, process, and technology. These attacks will evolve and organizations need to continually attack, detect, and respond to ensure they are not impacted by known adversary behaviors. Maze, Ryuk, Egregor, and DarkSide have shut down after being featured on a Threat Thursday. Will Conti be next?
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email email@example.com, or follow on Twitter @scythe_io.