Threat Thursday

SCYTHE Library: Threat Thursday - Conti Ransomware

Written by Jorge Orchilles | May 27, 2021 4:00:00 AM

Conti Ransomware

You may have noticed that SCYTHE really believes in collaboration, hence why we continue to push the industry forward towards Purple Teaming. To stay ahead of the attackers, we must work together: Cyber Threat Intelligence, Red Teams, and Blue Teams. For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TrukNo, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently. TrukNo is an aggregator of CTI and in this case, they leveraged another partner we have sponsored and supported for some time: The DFIR Report. As usual, we cover how to detect and respond to the behaviors of Conti so that you can avoid the business impact of ransomware.

Cyber Threat Intelligence

This week we are leveraging a new platform from a startup called TruKno. You can access the beta dashboard here. This site is nice to navigate adversary behaviors/TTPs at the procedure level which is required to create adversary emulation plans. We are also leveraging a partner we have sponsored and supported for some time: The DFIR Report.

Conti is currently the “King of Ransomware on the DarkWeb” according to DarkTracer. Interestingly, and probably a coincidence, all of the ransomware we have shared in previous Threat Thursdays are no longer active (Maze, Ryuk, Egregor, DarkSide):

Conti ransomware has impacted healthcare and first responder networks as per this FBI Flash and multiple news outlets covering the Ireland, New Zealand, and Canada health services. As a ransomware that has hit hundreds of organizations, we have enough CTI to create an adversary emulation plan.
We have created multiple ways to visualize the Conti Cyber Threat Intelligence as a ATT&CK Navigator Heat Map, SCYTHE Heat Map, and VECTR Escalation Path.


https://github.com/scythe-io/community-threats/blob/master/Conti/Conti_SCYTHE_Heatmap.png
https://github.com/scythe-io/community-threats/blob/master/Conti/Conti_vectr.jpg

Adversary Emulation Plan

As usual, we have created and shared the Conti ransomware adversary emulation plan in our GitHub. Here is a table with the CTI analyzed and organized for easier consumption:

 Tactic  Techniques
Description   Conti is currently the most active ransomware threat according to DarkTracer. It performs double extortion in environments to ensure payment is received.
Execution   T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
 Command and Control  T1071 - Application Layer Protocol: HTTPS heartbeat of 62 seconds and jitter of 39%
T1573 - Encrypted Channel: HTTPS
Initial Access   T1566.001: Spearphishing Attachment
T1566.003: Spearphishing via Service
 Defense Evasion T1218.011 - Signed Binary Proxy Execution: Rundll32
T1112 - Modify Registry
 Discovery T1010: Application Window Discovery
T1083: File and Directory Discovery
T1057: Process Discovery
T1012: Query Registry
T1082: System Information Discovery
T1016: System Network Configuration Discovery
T1033: System Owner/User Discovery
 Persistence T1136.001 - Local Account - net user /add /Y nuuser 7HeC00l3stP@ssw0rd
T1543.003 - Windows Service
 Credential Access T1003.001 - LSASS Memory
 Lateral Movement T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
 Collection T1074.001 - Local Data Staging
T1560.002 - Archive via Library
 Exfiltration T1041 - Exfiltration Over C2 Channel
 Impact T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1531 - Account Access Removal
T1491.001 - Internal Defacement

To emulate:

  1. Download and import the threat in JSON format to your SCYTHE instance - https://raw.githubusercontent.com/scythe-io/community-threats/master/Conti/Conti_scythe_threat.json
  2. Download the Virtual File System (VFS) files under Conti/VFS
  3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Conti
  4. Create a new campaign, selecting HTTPS, and ensuring the communication options match the CTI: --cp yourdomain[.]com:443 --secure true --multipart 10240 --heartbeat 62 --jitter 39
  5. Set the Program database path to: A:\source\conti_v3\x64\Release\cryptor_dll.pdb
  6. Import from Existing Threat: Conti
  7. Launch Campaign
  8. Execute with rundll32.exe

Note that different TTPs will be performed based on the endpoint being on a domain or not and running with local administrator privileges or not.

Detect and Respond

The FBI Flash covers a number of mitigations that we are providing in this post but also want to add a few items related to detection and response. Prevention will make initial access and execution a little harder but for those, logically, working under assumed breach, we need detection and response:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
  • Detect when new services are created on endpoints
  • Detect when certain registry keys are modified such as enabling Remote Desktop Protocol
  • Detect when new users are created and/or added to the local administrator group

Conclusion

Conti is the current “King of Ransomware” and we don’t like it. We hope that by analyzing the cyber threat intelligence from their damaging attacks, we can provide adversary emulation plans so that you can test, measure, and improve your people, process, and technology. These attacks will evolve and organizations need to continually attack, detect, and respond to ensure they are not impacted by known adversary behaviors. Maze, Ryuk, Egregor, and DarkSide have shut down after being featured on a Threat Thursday. Will Conti be next?

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, or follow on Twitter @scythe_io.