Conti Ransomware: Behavior and Techniques
2021-09-29 | 5 min read
Conti is a modern ransomware-as-a-service (RaaS) operation that takes a share of the profits from its affiliates after each successful attack. Observed since 2019, it has recently seen an increase in activity and has been involved in more than 400 attacks against international organizations, according to US-CERT. One of Conti’s victims was Ireland’s national health service provider, the Health Service Executive (HSE). During May 2020, the ransomware successfully attacked the HSE, forcing it to shut down its entire IT infrastructure.
To gain initial access, Conti uses phishing emails containing malicious attachments, stolen or weak credentials, fake software promoted via search engine optimization, and exploitation of known vulnerabilities. Vulnerabilities the ransomware uses for propagation include CVE-2021-34527, a vulnerability in the Microsoft Windows Print Spooler service, and CVE-2020-1472, a vulnerability in Microsoft Active Directory Domain Controllers.
The ATI team has released a Conti kill-chain assessment that simulates the malware’s behavior. In this blog post we walk through what happens when the Conti ransomware infects a system, expressed in terms of MITRE ATT&CK techniques.
T1082 - System Information Discovery
As a common anti-debugging mechanism, the malware checks whether its process is being debugged by a user-mode debugger. If it is, the malware exits.
The malware also inspects the Process Environment Block (PEB) to determine whether the BeingDebugged flag is set, which happens when a process is run under a debugger. If the flag is set, the malware ceases execution.
T1497 - Virtualization/Sandbox Evasion
The malware uses the NtDelayExecution Windows native API to postpone its own execution, a time-based method to avoid sandbox analysis.
T1027 - Obfuscated Files or Information
To increase the difficulty of static analysis and detection, some of the APIs used during execution are resolved dynamically rather than imported directly through the import address table (IAT). Stack strings are also obfuscated in the code and de-obfuscated at runtime by the routine shown below.
T1543 - Create or Modify System Process
The malware creates a mutex called kasKDJSAFJauisiudUASIIQWUA82 to ensure that only one instance of the ransomware is running at any one time.
T1490 - Inhibit System Recovery
Before encrypting the files on the system, the ransomware uses WMI to query for existing shadow copies. It then calls the CreateProcessInternalW Windows native API to create a hidden window that runs the command shown below, which deletes the existing shadow copies from the system.
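The shadow-copy deletion step is the part of this chain a defender can most easily catch in process-creation telemetry. The following detection sketch is an added example, not code from the original post or from the ATI assessment: it matches commonly observed shadow-copy deletion command lines (the exact command run by the sample is not reproduced here; the patterns are assumed from general knowledge of T1490) against constructed Sysmon-style log lines, and raises the severity when the parent process lives in a user-writable path.

```python
import re
from dataclasses import dataclass

# Assumed: common shadow-copy deletion command forms mapped to T1490.
# These are not quoted from the Conti analysis above.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove-WmiObject)\b", re.I),
]
# A parent binary running from one of these locations is a stronger signal
# than the same command typed by an administrator from an interactive shell.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.I)


@dataclass
class Finding:
    technique: str
    severity: str
    parent: str
    command: str


def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation line."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def detect_shadow_copy_deletion(lines):
    """Return one Finding per log line whose CommandLine deletes shadow copies."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = ev.get("ParentImage", "?")
        severity = "high" if USER_WRITABLE.search(parent) else "medium"
        findings.append(Finding("T1490", severity, parent, cmd))
    return findings


# Constructed sample telemetry: two deletions spawned by a dropper in %TEMP%,
# a harmless 'vssadmin list shadows', and an unrelated process start.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet",
    "EventID=1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|CommandLine=wmic shadowcopy delete",
    "EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin list shadows",
    "EventID=1|Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe|CommandLine=explorer.exe",
]

if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"{f.technique} [{f.severity}] parent={f.parent} cmd={f.command}")
```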
T1486 - Data Encrypted for Impact
The files found on the system are encrypted using a custom implementation of the ChaCha20 algorithm. A snippet of the encryption routine is shown below.
The Microsoft Windows native CRYPTSP API is used to generate a different encryption key per file, together with an RSA-4096 public encryption key unique to each victim. The ".mabdg" file extension is appended to the encrypted files. In each traversed directory, the malware writes the ransom note named ‘readme.txt’ shown below.
Conti is a highly effective ransomware with above-average anti-VM and anti-debugging protections. Written in C and highly modular, it has been released in several versions, which makes it hard to pin down with signature-based detection. For more details, please see the joint CISA-FBI cybersecurity advisory on the Conti ransomware.
We have released a complete Darkcloud kill-chain assessment for our Threat Simulator customers. You can now safely test your endpoint and network security controls for coverage of this and many other threats in your production environment.