
Conti Ransomware: Behavior and Techniques

2021-09-29

Introduction 

    Conti is a modern ransomware-as-a-service (RaaS) operation that takes a share of the profits from its affiliates after each successful attack. Observed since 2019, it has recently seen an increase in activity and has been involved in more than 400 attacks against international organizations, according to US-CERT. One of Conti's victims was Ireland's national health service provider, the Health Service Executive (HSE). During May 2020, the ransomware successfully attacked the HSE, forcing it to shut down its entire IT infrastructure.

    To gain initial access, Conti uses phishing emails containing malicious attachments, stolen or weak credentials, fake software promoted via search engine optimization, and exploitation of known vulnerabilities. Some of the vulnerabilities the ransomware uses for propagation include CVE-2021-34527, a vulnerability in the Microsoft Windows Print Spooler service, and CVE-2020-1472, a vulnerability in the Microsoft Active Directory Domain Controller.

    The ATI team has released a Conti kill-chain assessment that simulates the malware's behavior. In this blog post we walk through what happens when the Conti ransomware infects a system, expressed in terms of MITRE ATT&CK techniques.

 

  • T1082 - System Information Discovery 

        As a common anti-debugging mechanism, the malware checks whether its process is being debugged by a user-mode debugger. If it is, the malware exits.

Figure: Call to IsDebuggerPresent WIN API

        The malware also inspects the Process Environment Block (PEB) to determine whether the BeingDebugged flag is set, which is the case when a process is run under a debugger. If the flag is set, the malware ceases execution.

Figure: BeingDebugged flag (offset 0x2) inspection

  • T1497 - Virtualization/Sandbox Evasion 

        The malware uses the NtDelayExecution Windows native API to postpone its own execution, a time-based method of avoiding sandbox analysis.

 

  • T1027 - Obfuscated Files or Information 

        To increase the difficulty of static analysis and detection, some of the APIs used during execution are resolved dynamically rather than imported directly through the import address table (IAT). Stack strings are also stored obfuscated in the code and de-obfuscated at runtime with the routine shown below.

Figure: XOR decryption routine

  • T1543 - Create or Modify System Process 

        The malware creates a mutex called kasKDJSAFJauisiudUASIIQWUA82 to ensure that only one instance of the ransomware is running at a time.

 

  • T1490 - Inhibit System Recovery 

        Before encrypting the files on the system, the ransomware uses WMI to query for existing shadow copies. It then calls the CreateProcessInternalW Windows API to create a hidden window that runs the command shown below, which deletes the existing shadow copies from the system.

 

  • T1486 - Data Encrypted for Impact 

        The discovered files are encrypted using a custom implementation of the ChaCha20 algorithm. A snippet of the encryption routine is shown below.

 

        The Microsoft Windows CRYPTSP API is used to generate a different encryption key for each file, together with an RSA-4096 public encryption key unique to each victim. The ".mabdg" file extension is appended to the encrypted files. In each traversed directory, the malware writes the ransom note named "readme.txt", shown below.
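The host-side indicators named in the T1543, T1490 and T1486 sections above (the mutex name, the ".mabdg" extension, the "readme.txt" note dropped per directory, and shadow-copy deletion) can be correlated into a single verdict. The following is an added detection example written for this post, not code from the ATI team or the Threat Simulator product; the event format, the sample telemetry and the shadow-copy deletion pattern (vssadmin/wmic style, since the post's screenshot of the exact command is not reproduced) are assumptions.

```python
import re
from collections import Counter

# Indicators named in the post
CONTI_MUTEX = "kasKDJSAFJauisiudUASIIQWUA82"
CONTI_EXT = ".mabdg"
RANSOM_NOTE = "readme.txt"
# Assumption: generic shadow-copy deletion pattern (vssadmin/wmic style);
# the exact command from the post's screenshot is not reproduced here.
SHADOW_DELETE = re.compile(r"\b(vssadmin|wmic)\b(?=.*\bdelete\b)(?=.*shadow)", re.I)

def classify(event):
    """Map one telemetry event (constructed dict format) to the ATT&CK techniques it evidences."""
    hits = []
    if event["type"] == "mutex" and event["name"] == CONTI_MUTEX:
        hits.append("T1543")
    if event["type"] == "process" and SHADOW_DELETE.search(event["cmdline"]):
        hits.append("T1490")
    if event["type"] == "file":
        name = event["path"].lower().rpartition("\\")[2]
        if name.endswith(CONTI_EXT) or name == RANSOM_NOTE:
            hits.append("T1486")
    return hits

def analyze(events, note_dirs_min=2):
    """Aggregate hits. A single readme.txt is common; the note in several
    directories plus shadow-copy deletion (or the unique mutex alone) is Conti-like."""
    counts, note_dirs = Counter(), set()
    for ev in events:
        counts.update(classify(ev))
        if ev["type"] == "file" and ev["path"].lower().endswith("\\" + RANSOM_NOTE):
            note_dirs.add(ev["path"].lower().rpartition("\\")[0])
    chain = "T1543" in counts or ("T1490" in counts and len(note_dirs) >= note_dirs_min)
    return {"techniques": dict(counts), "note_dirs": len(note_dirs), "conti_like": chain}

# Constructed sample telemetry, not captured from a real host
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "C:\\Windows\\System32\\wbem\\wmic.exe shadowcopy delete"},
    {"type": "mutex", "name": CONTI_MUTEX},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.mabdg"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\readme.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Pictures\\readme.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Pictures\\notes.txt"},
]
BENIGN_EVENTS = [  # a README and a read-only shadow-copy listing should not trip the verdict
    {"type": "process", "cmdline": "C:\\Windows\\System32\\vssadmin.exe list shadows"},
    {"type": "file", "path": "C:\\Projects\\tool\\README.txt"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
    print(analyze(BENIGN_EVENTS))
```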

 

Conclusion  

    Conti is a highly effective ransomware with above-average anti-VM and anti-debugging protections. Written in C and highly modular, it has been released in several versions, which makes it hard to pin down with signature-based detection. For more details, see the joint CISA-FBI cybersecurity advisory on the Conti ransomware.

    We have released a complete Darkcloud kill-chain assessment for our Threat Simulator customers. You can now safely test your endpoint and network security controls in your production environment for coverage of this and many other threats.