Conti Ransomware attacks persist with updated version despite leaks


In late January 2022, ThreatLabz identified an updated version of Conti ransomware as part of its global ransomware tracking efforts. This update was released before the massive leak of Conti source code and chat logs on February 27, 2022. The leaks were posted by a Ukrainian researcher after the invasion of Ukraine. However, since these leaks were published, the Conti gang has continued to attack organizations and conduct business as usual. While two versions of Conti’s source code have been leaked, the most recent ransomware code has yet to be leaked. This blog highlights the most recent changes to the ransomware: how Conti improved file encryption, introduced techniques to better evade security software, and streamlined the ransom payment process.

Technical analysis

The latest Conti update introduced a number of new features and ransomware code changes, including the new command line arguments marked "(new)" in Table 1.

Command line argument: Description
-log: Previously used to log ransomware actions; this feature has been removed, but the command line switch remains as an artifact of the previous version
-path: Start encryption using the specified path as the root directory
-size: Size parameter for large file encryption
-mode: local (disks) or net (network shares) encryption mode; the all and backups options have been removed
-user (new): Log in to Windows Safe Mode as the specified user
-pass (new): Log in to Windows Safe Mode with the password corresponding to the specified user
-safeboot (new): Force a system restart and launch Conti in Windows Safe Mode
-disablesafeboot (new): Turn off Windows Safe Mode and restart the system (used after file encryption in Windows Safe Mode)
-nomutex: Previously used to prevent mutex creation; currently unused

Table 1. Conti command line arguments updated January 2022

The functionality of the -log and -nomutex command line arguments has been removed. The newly added command line parameters relate to functionality that allows Conti to reboot the system into Windows Safe Mode with networking enabled and then start file encryption. By starting in Safe Mode, Conti can maximize the number of encrypted files, since business applications such as databases are likely not running and therefore hold no open file handles that could block file encryption. In addition, many security software applications (for example, antivirus programs) are not loaded by default when the system is running in Safe Mode. The ability to encrypt files in Windows Safe Mode has been observed in other ransomware families, including REvil and BlackMatter.

If the -safeboot command line argument is provided together with the -user and -pass parameters, Conti will use these values to automatically log in with the specified credentials when the system is restarted in Safe Mode. This is done by setting the registry values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to the following:

AutoAdminLogon = 1
DefaultUserName =
DefaultDomainName =
DefaultPassword =

The -user argument must be in the format: .

If the -safeboot command line argument is passed alone (without the -user and -pass parameters), Conti will search for users with administrator privileges by looking for a security identifier (SID) with the prefix S-1-5-21 and the relative identifier (RID) 500 (the built-in Administrator account).

If Conti is able to locate an administrator account, Conti will run cmd.exe /c net user /active:yes to ensure the account is enabled. Conti will then attempt to change the password for this account to an empty string by running cmd.exe /c net user "". The corresponding registry values will then be set to automatically log in as administrator in Safe Mode when the system is restarted. Figure 1 shows examples of the registry values set after an administrator account has been configured to log in automatically.

Figure 1. Example of Windows registry changes made by Conti to automatically log in as administrator

In order to run Conti when the system is booted in Safe Mode, a registry value is created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with the name *conti and the value -disablesafeboot.

Conti then runs the command bcdedit.exe /set {current} safeboot network and forces a system restart by calling the Windows API function ExitWindowsEx(). This launches Windows in Safe Mode with networking enabled, as shown in Figure 2. Networking is enabled so that Conti can still encrypt files on network shares.

Figure 2. Conti starting Windows in safe mode with networking enabled to encrypt files

After Conti finishes encrypting files in Safe Mode, it runs the command bcdedit.exe /deletevalue {current} safeboot and reboots the system. Conti’s file encryption algorithms remain the same as in previous versions, with a random 256-bit ChaCha symmetric key per file. Each file’s ChaCha key is protected by a hard-coded, victim-specific 4096-bit RSA public key.
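As an added defender-side check (not code from the Zscaler post), the following PowerShell script inspects a Windows host for the three Safe Mode auto-logon artifacts described above; the cmdlets and registry paths are standard, and the *conti value name and -disablesafeboot argument are taken from this post.

```powershell
# Added example: hunt for the Safe Mode auto-logon chain described above.
# Run in an elevated PowerShell session on the host being checked.
$findings = @()

# 1. Winlogon auto-logon with a stored plaintext password
$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon = Get-ItemProperty -Path $winlogonPath -ErrorAction SilentlyContinue
if ($winlogon -and "$($winlogon.AutoAdminLogon)" -eq '1') {
    $findings += "AutoAdminLogon=1 for '$($winlogon.DefaultDomainName)\$($winlogon.DefaultUserName)'"
    if ($winlogon.PSObject.Properties['DefaultPassword']) {
        $findings += 'DefaultPassword is set in Winlogon (plaintext auto-logon credential)'
    }
}

# 2. RunOnce entries named like the post's "*conti" value, entries whose name starts
#    with '*' (Windows runs those even in Safe Mode), or whose data passes -disablesafeboot
$runoncePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$runonce = Get-ItemProperty -Path $runoncePath -ErrorAction SilentlyContinue
if ($runonce) {
    foreach ($p in $runonce.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath/... metadata
        if ($p.Name -like '*conti' -or $p.Name -like '`**' -or "$($p.Value)" -match '-disablesafeboot') {
            $findings += "Suspicious RunOnce value '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 3. Boot configuration forced into Safe Mode with networking
$bcd = bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s+Network') {
    $findings += 'bcdedit: {current} boot entry has safeboot=Network set'
}

if ($findings.Count -eq 0) {
    Write-Host 'No Safe Mode auto-logon indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A legitimate auto-logon configuration will also trip the first check, so treat the Winlogon finding as a lead to confirm against change records rather than a verdict on its own.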

The new Conti update also added the ability to change the desktop wallpaper by writing an embedded PNG file to C:\ProgramData\conti.png. An example of a Conti wallpaper image is shown in Figure 3.

Figure 3. Conti PNG image used to set victim desktop wallpaper after file encryption

Changing the desktop wallpaper after file encryption is very common among ransomware families, as a way to draw the victim’s attention to the ransom demand.

In order to hinder malware analysis, Conti dynamically resolves most Windows API functions using a hashing algorithm. In the previous version of Conti, the hashing algorithm was Murmur2, while the latest version uses Murmur3. This changes the hash values for every API function Conti uses, so security software that looks for the previously known hashes can miss the new version.

Conti has also updated encrypted file extensions to include upper and lower case characters and numbers. The following file extension examples have been observed in recent Conti samples:

.ZG7Ak
.wjzPe
.LvOYK
.C5eFx
.fgM9X

This change to the encrypted file extension may be designed to bypass endpoint security software that identified the previous Conti ransomware pattern of five capital letters.

Conti also updated the ransom note and URL of the TOR hidden service. An example of a recent Conti ransom note is shown below:

All your files are currently encrypted by the CONTI strain. If you don’t know who we are, just click “Google”.

As you already know, all your data has been encrypted by our software.
Under no circumstances can it be recovered without contacting our team directly.

DO NOT TRY TO RECOVER your data yourself. Any attempt to recover your data (including using additional recovery software) may damage your files. However,
if you want to try – we recommend you choose the data of the lowest value.

DON’T TRY TO IGNORE US. We’ve uploaded a pack of your internal data and are ready to post it to our news site if you don’t respond.
So it will be better for both parties if you contact us as soon as possible.

DO NOT ATTEMPT TO CONTACT Federal authorities or any salvage company.
We have our informants in these structures, so all your complaints will be immediately addressed to us.
So, if you hire a recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as hostile intent and immediately initiate the release of all compromised data.

To prove that we REALLY CAN recover your data, we offer you to decrypt two random files for free.

You can contact our team directly for further instructions via our website:

DIGITAL VERSION:
(you need to download and install the TOR browser first https://torproject[.]org)

http://contirec7nchr45rx6ympez5rj…vaeywhvoj3wad[.]onion/

YOU SHOULD BE CAREFUL!
We will only speak with an authorized person. This can be the CEO, senior management, etc.
If you are not such a person, DO NOT CONTACT US! Your decisions and actions can cause serious harm to your business!
Inform your supervisors and stay calm!

The new Conti ransom note is streamlined with a direct link to a victim-specific chat portal. Previous versions required a victim to access the portal and then download their ransom note, which contained a unique identifier.

The latest Conti portal contains a welcome page that instructs the user to follow the instructions in the README.txt file, which is written to disk after files are encrypted. It no longer supports a victim uploading the ransom note to authenticate, as shown in Figure 4.

Figure 4. Conti ransom portal homepage update

Conclusion

In January 2022, Conti introduced new features to reach feature parity with other ransomware families, including the ability to encrypt files in Windows Safe Mode and change the desktop wallpaper. Although the group’s source code and chat logs were leaked online in February 2022, Conti continues to carry out ransomware attacks against large organizations. ThreatLabz expects the Conti gang to continue updating the malware and possibly rebranding it, since the source code leaks have damaged its reputation and could lead other criminal groups to fork the code.

Zscaler Cloud Sandbox Detection

In addition to sandbox detections, Zscaler’s multi-layered cloud security platform detects campaign-related indicators at various levels with the following threat names:

Win32.Ransom.Conti

Win64.Ransom.Conti

Indicators of Compromise


*** This is a Security Bloggers Network syndicated blog from Blog Category Feed written by Brett Stone-Gross. Read the original post at: https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks
