Anatomy of an attack — Conti Ransomware
Ransomware attack methodologies vary significantly across threat actors. This article summarizes the technical details observed in intrusions by the Conti ransomware gang, one of the most active and mature operators in the current threat landscape.
During the compromise phase these operators are known to exploit the following vulnerabilities:
- the 2017 Windows SMBv1 server vulnerabilities (MS17-010);
- PrintNightmare (CVE-2021-34527);
- Zerologon (CVE-2020-1472).

Technical details of attack phases
Conti typically obtains initial access to victim infrastructure through one of the following techniques:
- Spearphishing campaigns with personalized emails carrying malicious attachments T1566.001 or malicious links T1566.002. These lures typically deliver additional malware and tooling used for lateral movement and follow-on activity;
- Stolen or weak RDP credentials (Valid Accounts) T1078;
- Trojanized software advertised as system performance optimizers.
After obtaining access to the victim infrastructure, the attackers execute Windows command shell commands T1059.003 and call native Windows APIs T1106. CISA and the FBI have observed the criminals using tools to scan for, and brute force, routers, cameras, and network-attached storage devices through their web interfaces.
To establish persistence, the criminals abuse valid credentials for remote monitoring and management (RMM) and remote desktop software T1078. They also use VPN, Citrix, and similar remote-access services that legitimately expose internal resources to the outside.
For privilege escalation, Conti performs Process Injection by loading and executing an encrypted dynamic-link library (DLL) in memory T1055.001.
For defense evasion, the group runs obfuscated code T1027 to hide its Windows API calls, relies on the process injection described above, and decrypts its payload at runtime with an AES-256 key T1140.
To obtain credentials, Conti operators rely mainly on:
- Brute Force T1110
- Kerberoasting (Steal or Forge Kerberos Tickets) T1558.003
Once inside, they map the environment with standard discovery techniques:
- System Network Configuration Discovery T1016
- System Network Connections Discovery T1049
- Process Discovery T1057
- File and Directory Discovery T1083
- Network Share Discovery T1135
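The brute force entry above is the one a defender can catch early: a spray against an RDP or VPN portal produces a burst of Windows Security event ID 4625 records from one source. The following detector is an added example and is not code from the original article or from any Conti tooling; the 4625 lines are constructed for the example, flattened to one key=value line per event, and a real feed would come from Get-WinEvent, Sysmon or a SIEM export with the same field names. It goes slightly beyond the text by separating password spraying (many accounts, one source) from single-account guessing.

```python
"""Brute-force / password-spray detection over failed-logon events (T1110).

Added example, not part of the original article. SAMPLE_4625 is constructed
to resemble Windows Security event ID 4625 ("An account failed to log on")
flattened to one key=value line per event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.5.40 sprays six accounts in a few seconds;
# 10.10.7.12 is a user mistyping a password once and then logging on (4624).
SAMPLE_4625 = """\
2021-09-01T08:00:01 EventID=4625 TargetUserName=jdoe IpAddress=10.10.5.40 Status=0xC000006D
2021-09-01T08:00:02 EventID=4625 TargetUserName=administrator IpAddress=10.10.5.40 Status=0xC000006D
2021-09-01T08:00:02 EventID=4625 TargetUserName=svc_backup IpAddress=10.10.5.40 Status=0xC000006D
2021-09-01T08:00:03 EventID=4625 TargetUserName=mlee IpAddress=10.10.5.40 Status=0xC000006D
2021-09-01T08:00:04 EventID=4625 TargetUserName=sql_svc IpAddress=10.10.5.40 Status=0xC000006D
2021-09-01T08:00:05 EventID=4625 TargetUserName=rsmith IpAddress=10.10.5.40 Status=0xC000006D
2021-09-01T08:15:00 EventID=4625 TargetUserName=jdoe IpAddress=10.10.7.12 Status=0xC000006D
2021-09-01T08:15:30 EventID=4624 TargetUserName=jdoe IpAddress=10.10.7.12 LogonType=10
"""


def parse_events(text):
    """Parse 'ISO-timestamp key=value key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logons inside a sliding window.

    Returns {source_ip: {"count": n, "accounts": set, "pattern": str}} where
    pattern is "spray" (many accounts, few tries each) or "guess" (one or a
    few accounts hammered), so the analyst knows which control failed.
    """
    failures = defaultdict(list)
    for event in events:
        if event.get("EventID") == "4625":
            failures[event["IpAddress"]].append(event)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                accounts = {e["TargetUserName"] for e in evs[start:end + 1]}
                pattern = "spray" if len(accounts) > count // 2 else "guess"
                findings[ip] = {"count": count, "accounts": accounts, "pattern": pattern}
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, hit in detect_brute_force(parse_events(SAMPLE_4625)).items():
        print(f"{ip}: {hit['count']} failures ({hit['pattern']}) across {sorted(hit['accounts'])}")
```

The threshold and window are deliberately low here so the constructed sample trips them; in production tune them per portal, and correlate a flagged source with any subsequent 4624 (success) from the same address, which is the moment a spray turns into the stolen-credential access described in the next section.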
During the lateral movement phase, the operators typically move over SMB / Windows admin shares T1021.002 and taint shared content so that files reached by many users and machines carry the payload T1080. Spotting this requires continuous monitoring of SMB sessions and file-share activity, which a Managed Detection and Response service can provide by correlating endpoint and network telemetry and looking for behavioral anomalies rather than known hashes.
Finally, Conti executes the impact phase by encrypting data T1486 using a multithreaded I/O completion port model built on CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionStatus(). Each file is encrypted with its own AES-256 key, and that key is in turn encrypted with an RSA-4096 public key that is unique per victim and bundled in the sample, so recovery requires the operator's private key. Files with the extensions "exe", "dll", and "lnk" are typically excluded from encryption. Deletion of Volume Shadow Copies T1490 and the termination of numerous Windows services T1489 tied to security, backup, and database operations are also frequently observed.
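The recovery-inhibition and service-stop steps at the end of that paragraph are the loudest part of the chain and are worth a process-creation rule of their own. The detector below is an added example, not code from the original article; the event lines are constructed to resemble Sysmon Event ID 1 or Security 4688 records reduced to timestamp|Image|CommandLine. The regexes cover the shadow copy deletion and service stops the article describes and, going a little beyond it, the bcdedit recoveryenabled and wbadmin catalog variants that commonly accompany them; the protected-service keyword list is an assumption built for this example and should be extended to the services actually present in an estate.

```python
"""Detect ransomware impact-phase commands (T1490, T1489) in process-creation events.

Added example, not part of the original article. SAMPLE_PROCESS_EVENTS is
constructed; the format is 'timestamp|Image|CommandLine'.
"""
import re

SAMPLE_PROCESS_EVENTS = r"""
2021-09-01T21:02:10|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-09-01T21:02:11|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2021-09-01T21:02:12|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2021-09-01T21:02:13|C:\Windows\System32\net.exe|net stop "SQL Server (MSSQLSERVER)" /y
2021-09-01T21:02:14|C:\Windows\System32\sc.exe|sc stop VeeamBackupSvc
2021-09-01T21:02:15|C:\Windows\System32\net.exe|net stop WinDefend
2021-09-01T21:05:00|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2021-09-01T21:06:00|C:\Windows\System32\net.exe|net stop Spooler
"""

# T1490 Inhibit System Recovery: shadow copy deletion and boot-recovery disabling.
RECOVERY_INHIBIT = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
]

# T1489 Service Stop: 'net stop X', 'net1 stop X', 'sc stop X'; group 1 is the
# service name, quoted or bare.
SERVICE_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+("[^"]+"|\S+)', re.I)

# Assumed watchlist of security/backup/database service-name fragments; a benign
# 'net stop Spooler' must NOT match, so the list is deliberately specific.
PROTECTED_SERVICE_KEYWORDS = ("sql", "veeam", "backup", "defend", "exchange", "oracle", "mysql")


def detect_impact(text):
    """Return [(timestamp, technique_id, command_line)] for matching events."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _image, cmdline = line.split("|", 2)
        if any(rx.search(cmdline) for rx in RECOVERY_INHIBIT):
            findings.append((ts, "T1490", cmdline))
            continue
        match = SERVICE_STOP.search(cmdline)
        if match:
            service = match.group(1).strip('"').lower()
            if any(keyword in service for keyword in PROTECTED_SERVICE_KEYWORDS):
                findings.append((ts, "T1489", cmdline))
    return findings


if __name__ == "__main__":
    for ts, technique, cmdline in detect_impact(SAMPLE_PROCESS_EVENTS):
        print(f"{ts} {technique} {cmdline}")
```

Three or more of these findings from one host inside a minute is the signature of the impact phase starting; an automated response that isolates the host at that point still loses the files already touched, which is why the earlier stages (credential misuse, SMB lateral movement) are where detection pays off most.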
IOC
The following Cobalt Strike server addresses, recently attributed to Conti operations, have been identified:
- 162.244.80[.]235
- 85.93.88[.]165
- 185.141.63[.]120
- 82.118.21[.]1
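The addresses above are defanged with the usual [.] notation, which has to be reversed before they can be compared with anything in a log. The snippet below, an added example that is not part of the original article, refangs the four IOCs, validates them as IP addresses, and matches them against constructed proxy/firewall log lines; the log lines include a near miss (185.141.63.12) to show that matching is done on whole addresses rather than substrings, and the benign destination uses a TEST-NET range rather than a real host.

```python
"""Normalise defanged IOCs and match them against connection logs.

Added example, not part of the original article. The IOC list reproduces
the Cobalt Strike addresses from the article; the connection log is
constructed (203.0.113.10 is a documentation address).
"""
import ipaddress
import re

CONTI_COBALT_STRIKE_IOCS = [
    "162.244.80[.]235",
    "85.93.88[.]165",
    "185.141.63[.]120",
    "82.118.21[.]1",
]

SAMPLE_CONNECTION_LOG = """\
2021-09-01T10:00:00 src=10.10.5.40 dst=185.141.63.120 dport=443 proto=tcp action=allow
2021-09-01T10:00:05 src=10.10.5.41 dst=185.141.63.12 dport=443 proto=tcp action=allow
2021-09-01T10:00:09 src=10.10.5.40 dst=82.118.21.1 dport=80 proto=tcp action=allow
2021-09-01T10:01:00 src=10.10.5.42 dst=203.0.113.10 dport=443 proto=tcp action=allow
2021-09-01T10:02:00 src=10.10.5.40 dst=162.244.80.23 dport=443 proto=tcp action=deny
"""

# Common defanging styles for the dot: 1.2[.]3.4, 1.2(.)3.4, 1.2{.}3.4
_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc):
    """Turn a defanged IP back into a validated dotted-quad string.

    Raises ValueError if the result is not an IP address, so a typo in a
    threat-intel feed fails loudly instead of silently matching nothing.
    """
    candidate = _DEFANG_DOT.sub(".", ioc.strip())
    return str(ipaddress.ip_address(candidate))


def defang(ip):
    """Re-defang an address for reports so it is not clickable or auto-resolved."""
    return ip.replace(".", "[.]")


def match_connections(log_text, iocs):
    """Return [(timestamp, src, dst)] for log lines whose dst is exactly an IOC."""
    watch = {ipaddress.ip_address(refang(ioc)) for ioc in iocs}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        try:
            dst = ipaddress.ip_address(kv["dst"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than crash the whole sweep
        if dst in watch:  # set membership on ip_address objects, never substring
            hits.append((ts, kv["src"], str(dst)))
    return hits


if __name__ == "__main__":
    for ts, src, dst in match_connections(SAMPLE_CONNECTION_LOG, CONTI_COBALT_STRIKE_IOCS):
        print(f"{ts} {src} -> {defang(dst)}  (Conti Cobalt Strike IOC)")
```

Cobalt Strike infrastructure is rotated quickly, so treat these addresses as a retrospective hunt over proxy and firewall history rather than as a durable block list; the behavioral detections in the earlier sections age far better.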
Conti’s operational methodology demonstrates the necessity of comprehensive defense-in-depth strategies encompassing credential hygiene, network segmentation, and continuous endpoint monitoring to detect and disrupt attack chains at multiple stages.