Conti Ransomware Resurfaces, Targeting Government & Large Organizations

The Scottish Environment Protection Agency (SEPA) confirmed that it was attacked by ransomware on Christmas Eve, 2020. The environmental regulator and national flood risk management authority confirmed that some of its internal systems, its contact center, and other internal communications were compromised in the attack.

SEPA has already started the recovery process by isolating the affected systems and is working closely with Police Scotland and Scottish Government agencies on the investigation. SEPA has not confirmed whether data was leaked in this incident, nor has it attributed the attack to a specific ransomware family. The Conti ransomware group, however, has claimed the attack and has already published 7% of the stolen data on its leak website.

According to SEPA, roughly 1.2 GB of data was exfiltrated, with evidence of access to at least 4,000 files. As stated by SEPA, the information stolen during the Conti attack includes:

  • Business information: Information such as publicly available regulated site permits, authorizations, and enforcement notices. This also includes information related to SEPA corporate plans, priorities, and change programs.  
  • Procurement information: Information such as publicly available procurement awards.  
  • Project information: Information related to commercial work with international partners.  
  • Staff information: Personal information relating to SEPA staff. 

The ransomware attack investigation is still ongoing by cyber security specialists working with SEPA, the Scottish Government, Police Scotland, and the National Cyber Security Centre. 

Overview of the Conti Ransomware 

Conti threat actors have collaborated with the TrickBot malware group. Conti is sold as Ransomware-as-a-Service (RaaS) on dark web forums and is deployed by affiliates such as the TrickBot operators, who use the Bazaar backdoor to drop Conti on the victim's system. The infection starts with a phishing email containing a link to Google Drive, where the Bazaar backdoor payload is hosted. The infection cycle is shown in the image below:

Conti attack cycle using Bazaar backdoor 

Conti is an advanced ransomware that uses newer infection techniques, including a string-encoding routine that applies 277 different algorithms, one per string, to hide the names of the Windows APIs it resolves at runtime. It runs 32 encryption threads in parallel and uses SMB to move laterally and encrypt files on other hosts in the internal network. Conti is believed to be a successor to Ryuk, with which it shares code. It was first detected in December 2019 and resurfaced in December 2020, targeting government organizations and large corporate networks and demanding large ransoms from its victims.

Technical Information: 

Section information for the Conti sample:

The sample we analyzed is a VC++-compiled executable with custom-encrypted data that is likely used for dynamically loading Win32 APIs and starting its worker threads. The ransomware imports three DLLs, which we examined for suspicious function calls:

The sample uses anti-debugging: it calls IsDebuggerPresent to check whether it is running under a debugger.

Conti is operated hands-on by its attackers and has capabilities such as:

  • Fast encryption: 32 simultaneous encryption threads, which finish much sooner than most other ransomware families.
  • Anti-analysis: a string-encoding routine that hides the Windows API calls the ransomware itself uses.
  • Network reach: the ability to encrypt files on remote hosts over Server Message Block (SMB).

The Conti sample we analyzed has evolved from the versions found in July 2020. Some of the latest changes are listed below (Version 2):

  • Creation times (based on VirusTotal): 2020-10-09 and 2020-10-21
  • Ransom note file name: R3adm3.txt (in our sample); readme.txt
  • Extension: changes per sample
  • Embedded emails / URLs: hxxp://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid[.]onion, hxxps://contirecovery[.]info
  • Form: an independent executable; loader + DLL
  • Spreading via SMB: spreads over SMB even when run without command-line arguments

After encrypting the victim's files, the ransomware drops a ransom note in every folder it encrypted. One such note is shown in the image below:

Conti encrypts file contents with AES-256; the AES key material is protected with a public key hard-coded in the binary, so encrypted files cannot be recovered without the attackers' private key. What sets Conti apart is its use of multiple threads: the ransomware calls CreateIoCompletionPort() to create an I/O completion port and starts 32 worker threads that pull files from it and encrypt them in parallel, which makes encryption much faster than in other ransomware families. Each encrypted file receives a new extension; the extension varies per sample, and the sample we analyzed appended 'UWTJF', as shown in the image below:

Security Recommendations: 

  • Ensure anti-virus software and its signature files are up to date.
  • Search your environment for the IOCs listed below.
  • Consider blocking, or at least alerting on, all URL- and IP-based IOCs.
  • Keep applications and operating systems at the current released patch level, since Conti reaches remote files over SMB; restrict SMB and administrative share access between workstations where it is not needed.
  • Exercise caution when opening attachments and links in emails.
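The following script is an added example of how the IOC search recommended above can be automated; it is not Cyble's tooling. It walks a directory tree and flags binaries whose SHA-256 appears in the hash list at the end of this page, files carrying the 'UWTJF' extension observed on the analyzed sample, and the ransom note names from the version table (readme.txt is a common benign name, so it is only flagged when the same folder also holds files with the Conti extension). It also matches proxy or DNS log lines against the two embedded URLs. The directory layout and log lines are constructed for the demonstration and do not come from any real victim.

```python
"""Sweep a directory tree and log lines for the Conti IOCs listed on this page.

Added example, not Cyble's own tooling. Demo data below is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC list on this page, normalised to lowercase.
CONTI_SHA256 = {h.lower() for h in (
    "d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c",
    "f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81",
    "e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6",
    "707b752f6bd89d4f97d08602d0546a56d27acfe00e6d5df2a2cb67c5e2eeee30",
    "03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd",
    "b524ed1cc22253f09d56f54d8ded4566b63352ff739f58de961f8a5bebb0fad9",
    "1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24",
    "c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4",
    "e16fea1b8874cc6b26e7e2df9697f03f86efa82247bb3b2922f1d05052dbcbb4",
    "5d8a701110d58ab7c1aa8bae6bc9d5358b8cd508115891320e6af6c68f3bbd74",
    "ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124",
    "D236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40",
    "2579148e5f020145007ac0dc1be478190137d7915e6fbca2c787b55dbec1d370",
)}
ENCRYPTED_EXT = ".uwtjf"          # extension appended by the analysed sample
PE_EXTS = {".exe", ".dll"}        # the listed hashes are loader/DLL binaries
NETWORK_IOCS = (                  # defanged URLs from the version table, re-armed for matching
    "m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion",
    "contirecovery.info",
)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_tree(root: Path) -> dict:
    """Return hash hits, ransom notes and encrypted files found under `root`."""
    hits = {"hash_hits": [], "ransom_notes": [], "encrypted_files": []}
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        encrypted_here = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        hits["encrypted_files"] += [str(folder / f) for f in encrypted_here]
        for name in files:
            path, lname = folder / name, name.lower()
            # R3adm3.txt is specific enough to flag alone; readme.txt only beside encrypted files.
            if lname == "r3adm3.txt" or (lname == "readme.txt" and encrypted_here):
                hits["ransom_notes"].append(str(path))
            if path.suffix.lower() in PE_EXTS and sha256_file(path) in CONTI_SHA256:
                hits["hash_hits"].append(str(path))
    return hits


def scan_log_lines(lines) -> list:
    """Return proxy/DNS log lines that reference one of the embedded Conti domains."""
    return [ln for ln in lines if any(ioc in ln.lower() for ioc in NETWORK_IOCS)]


def build_demo_tree() -> Path:
    """Constructed directory layout for the demo (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="conti_sweep_"))
    layout = {
        "docs/report.docx.UWTJF": b"\x00ciphertext",
        "docs/R3adm3.txt": b"All of your files are currently encrypted",
        "pics/photo.jpg.UWTJF": b"\x00ciphertext",
        "pics/readme.txt": b"note left beside encrypted files",   # flagged: encrypted neighbours
        "src/readme.txt": b"# project readme, benign",            # not flagged: no neighbours
        "bin/tool.exe": b"MZ not-the-sample",                     # hashed, no match
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


DEMO_LOGS = [  # constructed proxy log lines
    "2020-12-24T03:12:01 10.0.0.7 GET https://contirecovery.info/ 200",
    "2020-12-24T03:12:05 10.0.0.7 GET https://intranet.example/ 200",
]

if __name__ == "__main__":
    for key, value in sweep_tree(build_demo_tree()).items():
        print(key, value)
    print("network:", scan_log_lines(DEMO_LOGS))
```

Point `sweep_tree` at a mounted share or a host's data volume; hashing is limited to EXE and DLL files because the published hashes are for the ransomware binaries, while the extension and ransom note checks cover the files Conti leaves behind.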

Overall, Conti is a modern ransomware that combines several techniques not seen in older ransomware families. Multi-threaded encryption finishes quickly, leaving defenders little time to react, and the ability to reach shared network hosts over SMB, driven from the command line, lets a single infection spread across the network and encrypt many systems.

The research team at Cyble continuously monitors and harvests the threat indicators and TTPs of emerging threats in the wild so that targeted organizations are well informed and proactively protected.

Indicators of Compromise (IOCs) 

SHA-256 Hashes 
d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c 
f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81 
e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6 
707b752f6bd89d4f97d08602d0546a56d27acfe00e6d5df2a2cb67c5e2eeee30 
03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd 
b524ed1cc22253f09d56f54d8ded4566b63352ff739f58de961f8a5bebb0fad9 
1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24 
c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4 
e16fea1b8874cc6b26e7e2df9697f03f86efa82247bb3b2922f1d05052dbcbb4 
5d8a701110d58ab7c1aa8bae6bc9d5358b8cd508115891320e6af6c68f3bbd74 
ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124 
d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40
2579148e5f020145007ac0dc1be478190137d7915e6fbca2c787b55dbec1d370 

MITRE ATT&CK Framework: 

ID         Technique                          Use
T1566.002  Phishing: Spearphishing Link       Spear phishing emails with malicious links deliver malicious PDF files.
T1210      Exploitation of Remote Services    Exploits a Windows SMB remote code execution vulnerability for lateral movement.
T1204.001  User Execution: Malicious Link     Prompts users to click malicious links that lead to exploitation and redirect to payload delivery.
T1486      Data Encrypted for Impact          Encrypts user data files to hold them for ransom.

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com
