Following a leak of a cache of documents relating to the Conti ransomware group by one of its own affiliates, in the first of a two-part blog series we analyse some of the main findings and outline steps to mitigate Conti and other ransomware variants.
The Conti ransomware group has been one of the most prolific in the industry since it was originally observed in 2020. A recent insider leak has provided valuable intelligence about the tools, tactics and procedures (TTPs) utilised by the group, including step-by-step manuals and instructions for operators.
Even by ransomware standards, Conti is regarded as one of the most ruthless and damaging gangs in operation. Frequently targeting hospitals, emergency medical networks and other organisations, its average ransom payment is $849,581. The FBI has associated the ransomware-as-a-service variant with more than 400 cyber-attacks against organisations around the world.
Unprecedented access to Conti operations
On August 5, 2021, an actor on XSS forum, m1Geelka, shared a link to a cache of documents allegedly connected to the Conti ransomware operation. The actor was taking retaliatory action, claiming to have received minimal compensation from Conti operators in exchange for work performed after responding to an advertisement for “pentesters.”
The leaked files give unprecedented access to the TTPs used by the Conti group. A review of the leaked data identified that it was a manual for Conti affiliates. Instructions included information on pre-attack reconnaissance, the types of information that actors should focus on for exfiltration and instructions on how to leverage Active Directory to help identify users with domain or enterprise admin accounts for privilege escalation. It also included a list of suggested passwords that the threat actors could use to brute-force accounts within a system.
Key findings from the Conti document leak
Once inside a network, the threat actor is told to look for domain controllers, local administrators, domain admins, enterprise admins and the total number of domains across the network. The size of the network will largely dictate the next steps. Threat actors are instructed not to disable certain software or operating systems as they may attract attention to their presence on the network.
Disabling anti-virus products
The Conti operators are given tools to query the machine for installed antivirus (AV) products. Some such scripts have been pulled directly from GitHub repos of legitimate red teamers. Batch files, tools and scripts are also provided to disable many common antivirus solutions such as Bitdefender, TrendMicro, Norton, Sophos and Windows Defender.
In a TTP shared with other ransomware operators, the GMER tool is deployed. Its intended purpose is to detect rootkits (indeed, some malware variants look for GMER execution and stop it), but here it is used to find hidden services such as anti-virus solutions and disable them. Once AV solutions are disabled, the actors can deploy the rest of their toolkits for internal discovery and lateral movement.
Internal discovery and lateral movement
By far the most documented and developed parts of the leaked manual and tools are related to internal discovery and lateral movement. The threat actors’ overall goal is to acquire Domain Administrator credentials and access to a domain controller from which they can deploy ransomware to all connected devices.
Operators will execute ‘adfind.exe’, a commonly used auditing tool, to discover machines on the network in addition to relevant information about them – a tactic shared by many other threat actors.
Once a list of users and machines has been identified, the operators will interrogate the domain to discover job titles, service accounts and group membership to better target their lateral movement attempts. If this information cannot be easily gleaned from the domain, the group will use LinkedIn to search for names and job titles.
The group advises searching for accounts associated with technical, financial or support functions as they are likely to have higher privileges or access to data which would increase the chance of being able to extort their victims.
Once the actors are satisfied and they have disabled anti-virus tooling, they will deploy tools to search for passwords and hashes on the compromised machine.
Using command-line tools such as ‘net’ and ‘whoami’, the operators gain an understanding of the environment they are working in. Should the actor fail to obtain necessary privileges, they will resort to brute force or password spraying attacks over SMB. Operators are instructed to check for domain policy on lockouts to decide whether a brute force is viable.
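As an added detection example (not part of the leaked manual or the original article), the following PowerShell flags a host on which several of the discovery tools named above run within a short window. The event records are constructed here; the field names assume Sysmon Event ID 1 or Security 4688 process-creation events.

```powershell
# Added detection example: alert when several of the discovery tools described above
# run on one host within a short window. The events below are constructed sample data.
$DiscoveryTools = @('adfind.exe', 'net.exe', 'net1.exe', 'whoami.exe', 'gmer.exe')

function Get-ImageName([string] $Path) { [IO.Path]::GetFileName($Path).ToLower() }

function Find-DiscoveryBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # TimeCreated, Computer, Image, CommandLine
        [int] $WindowMinutes = 10,
        [int] $MinDistinctTools = 3                 # whoami alone is noise; the chain is the signal
    )
    $hits = $Events | Where-Object { $DiscoveryTools -contains (Get-ImageName $_.Image) }
    foreach ($group in ($hits | Group-Object Computer)) {
        $hostEvents = @($group.Group | Sort-Object TimeCreated)
        foreach ($start in $hostEvents) {
            $end = $start.TimeCreated.AddMinutes($WindowMinutes)
            $window = @($hostEvents | Where-Object { $_.TimeCreated -ge $start.TimeCreated -and $_.TimeCreated -le $end })
            $tools = @($window | ForEach-Object { Get-ImageName $_.Image } | Sort-Object -Unique)
            if ($tools.Count -ge $MinDistinctTools) {
                [pscustomobject]@{
                    Computer = $group.Name
                    Start    = $start.TimeCreated
                    Tools    = $tools -join ','
                    Commands = $window.CommandLine -join ' | '
                }
                break  # one alert per host; drop this to report every burst
            }
        }
    }
}

# Constructed sample: one host runs the chain described above, another runs whoami once (benign).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2021-08-10T09:00:00'; Computer = 'WS-FINANCE-07'; Image = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami /groups' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-08-10T09:01:30'; Computer = 'WS-FINANCE-07'; Image = 'C:\Windows\System32\net.exe'; CommandLine = 'net group "Domain Admins" /domain' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-08-10T09:04:12'; Computer = 'WS-FINANCE-07'; Image = 'C:\Users\Public\adfind.exe'; CommandLine = 'adfind.exe -f objectcategory=computer' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-08-10T11:15:00'; Computer = 'WS-HR-02'; Image = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami' }
)
Find-DiscoveryBursts -Events $SampleEvents | Format-List
```

Only WS-FINANCE-07 is reported: three distinct tools inside ten minutes, while the single whoami on WS-HR-02 falls below the threshold.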
Exploitation for privilege escalation
Ransomware groups are known to exploit new vulnerabilities shortly after they are released. The Conti group details the exploitation of three Windows vulnerabilities to escalate privileges and move laterally:
PrintNightmare is a vulnerability in the Microsoft Windows Print Spooler service, and the Conti group boasts about how effective it is to exploit. Using the built-in Mimikatz capability, an ‘Invoke-Nightmare’ exploit is used to obtain local admin or SYSTEM-level privileges when required.
ZeroLogon, another critical vulnerability that the Kroll and Redscan threat intelligence team have covered in detail, allows an attacker to instantly elevate privileges to domain administrator, obtain Golden Tickets and access domain controllers from any host on the domain. The group uses open source tools to exploit this vulnerability, which allows the threat actors to skip large parts of an attack chain if deployed correctly, greatly reducing the time needed to achieve their objectives.
The various Conti manuals detail how to exploit the EternalBlue vulnerability using a CobaltStrike proxy to gain a Meterpreter session. Using Meterpreter, the operators can easily launch attacks against unpatched targets across the entire network.
TTPs in common with Conti
This leak provides unprecedented access into the workings of a highly sophisticated and determined ransomware group. Although not all information disclosed is new to the intelligence community, some tactics and organisational structures detailed in the leak give ample opportunity to harden defences and write detections to respond to the ransomware threat. It’s likely that many ransomware groups follow similar tactics and procedures in their attacks, which include:
- Use of off-the-shelf open-source tooling to stage and execute attacks, exploit vulnerabilities and maintain persistence.
- Use of legitimate tools such as AnyRun and Atera to avoid detection and maintain access to organisations where they may have been detected.
- Development of bespoke scripts to better streamline their attacks, reducing the time taken to complete their objectives.
- Exploitation of weak credentials, older technology and human weaknesses in their initial access and lateral movement objectives.
It is our view that Conti and other ransomware groups will continue to follow similar attack paths, use legitimate software and exploit vulnerabilities like those outlined here for the foreseeable future, as they are effective and have been proven to work.
For info on the latter stages of the Conti attack methodology, read part 2
Mitigations for ransomware similar to Conti
- Consider using tooling such as EDR or Applocker to limit access to remote tools that are not allowed in your environment such as AnyDesk or Atera. Consider also blocking access to command line tooling via Group Policy for functions that do not require it.
- Audit AD Policy and users with elevated privileges, as so much of the ransomware attack chain relies on finding users with high privileges. Limiting the number of users with such access will disrupt attackers.
- Audit internal password policy – NIST guidance on AD password lockout policy is 10 attempts.
- Ensure patching cycles are adhered to. The Conti gang is still finding success exploiting the EternalBlue vulnerability that was patched in 2017.
- Consider blocking services such as Ngrok and other tunnelling tools such as Localtunnel, Serveo and PageKite at the network level.
- Block Conti Cobalt Strike C2 at network level: 162.244.80[.]235, 85.93.88[.]165, 185.141.63[.]120, 82.118.21[.]1
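As an added example (not Redscan/Kroll tooling and not from the leak), this PowerShell audits the privileged-group and lockout-policy recommendations above from a domain-joined host with the ActiveDirectory RSAT module, and provides a host-level fallback for the C2 block. It assumes default English group names and uses the 10-attempt figure quoted in the list above.

```powershell
# Added audit example for the mitigations listed above; not the article's or Kroll's own tooling.
# Requires the ActiveDirectory RSAT module and a domain-joined host.
Import-Module ActiveDirectory

$PrivilegedGroups    = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$MaxLockoutThreshold = 10   # figure quoted in the mitigations list above
# Cobalt Strike C2 addresses from the list above, defanging brackets removed.
$ContiC2 = @('162.244.80.235', '85.93.88.165', '185.141.63.120', '82.118.21.1')

function Get-PrivilegedAccountReport {
    # -Recursive resolves nested groups, which is where forgotten admin accounts tend to hide.
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate |
            Select-Object @{n = 'Group'; e = { $group }}, SamAccountName, Enabled, PasswordLastSet, LastLogonDate
    }
}

function Test-LockoutPolicy {
    $policy    = Get-ADDefaultDomainPasswordPolicy
    $threshold = $policy.LockoutThreshold
    [pscustomobject]@{
        LockoutThreshold = $threshold
        LockoutDuration  = $policy.LockoutDuration
        # A threshold of 0 means accounts never lock, so SMB brute force or spraying is unconstrained.
        Compliant        = ($threshold -gt 0 -and $threshold -le $MaxLockoutThreshold)
    }
}

function Block-KnownC2 {
    # Host-based fallback for the network-level block recommended above.
    New-NetFirewallRule -DisplayName 'Block Conti Cobalt Strike C2' -Direction Outbound `
        -Action Block -RemoteAddress $ContiC2 -Profile Any | Out-Null
}

Get-PrivilegedAccountReport | Sort-Object Group, SamAccountName | Format-Table -AutoSize
Test-LockoutPolicy
```

Block-KnownC2 is defined but not invoked; run it from an elevated session once the addresses have been checked against your own allow-lists.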
This information was first shared as part of our weekly threat intelligence reporting. This is provided to customers as part of ThreatDetect™, our outcome-focused Managed Detection & Response (MDR) service. It supplies the people, technology and cyberoffensive intelligence required to continuously hunt for threats across networks and endpoints and help shut them down before they cause damage and disruption.
Special thanks to Laurie Iacono, Nick Senske and the Kroll Threat Intelligence team for helping to research and collate the information in this article.