According to Sophos threat researchers, Conti ransomware is incredibly active right now, due to the dissolution of DarkSide, REvil and Avaddon, three groups that operated under a Ransomware-as-a-Service (RaaS) business model. Affiliates of these now shuttered gangs are looking for a new operator, which Sophos suspects is Conti, due to the recent high levels of activity the company’s threat researchers have seen. Another “high alert” threat at the moment is ProxyShell, an evolution of the ProxyLogon attack. ProxyShell is easy to exploit and is currently a mainstay in adversary playbooks, including those deploying LockFile ransomware.
Now, Conti is jumping in.
“Sophos has confirmed Conti ransomware attackers are leveraging ProxyShell. In the Sophos article “Conti affiliates use Microsoft Exchange exploit in ransomware attack,” we detail the how the attack takes place to help defenders know what to look for on their systems. We explain tools used, lateral movements, how data was exfiltrated and encrypted, and tips to defend, including the urgent recommendation that organizations with Exchange Server should update and patch servers as soon as possible,” said Peter Mackenzie manager, incident response, Sophos. “We also want to highlight the speed at which the attack took place. Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute. Three minutes later, the attackers installed a second, backup web shell, we suspect they added in case the target discovered the first one. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators. Just four hours later, the Conti attackers had obtained the credentials of domain administrator accounts and began executing commands. Within 48 hours of gaining that initial access, the attackers had exfiltrated about one terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer. Over the course of the intrusion, the attackers installed an unusual seven backdoors on the network: two web shells, Cobalt Strike and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities). The attackers used the web shells, installed early on, mainly for initial access; Cobalt Strike and AnyDesk were the primary tools used for the remainder of the attack. It was swift and efficient. Patching is absolutely essential.”
Below is summary of Conti’s ransomware tools in the MITRE ATT&CK framework:
Defenders should patch and deploy preventative security measures, including anti-ransomware and behavioral and machine learning technology to detect and protect against Conti and other ransomware.
Additional resources for defenders include:
· Proxyshell vulnerabilities in Microsoft Exchange: What to do
· What to expect when you’ve been hit by Conti ransomware
