Conti ransomware has been around since May 2020 and continues to affect a large number of companies. The FBI has linked the Conti ransomware attacks to a Russian persistent threat actor known as Wizard Spider. Conti distributes itself using BazarLoader and employs a multithreading approach to encrypt all of the files quickly. Conti is available in three different versions. This article focuses on the third version.
FortiEDR prevents the Conti ransomware from being executed under Ransomware prevention policy. FortiEDR detects this variant as BazarLoader.AD!tr.
Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing the Conti ransomware to fully execute.
The Conti ransomware attempts to connect to devices located in the same network in order to propagate itself.
- Network access
- WMI service access
The Conti ransomware is attempting to access the Windows Management Instrumentation (WMI) service in order to execute remote code.
- File Encryptor.
The Conti ransomware attempts to encrypt user’s files by performing file write. It adds a unique extension after encryption - .PSFUX.
- File creation
After encrypting users files, ransomware note 'readme.txt' is dropped. FortiEDR’s exfiltration policy and Ransomware prevention generates a block event for new file creation.
- Ransomware note
Notice that many of the encrypted files have .png extension and as you can see the new encrypted file has a unique .PSFUX extension.
The command line that was spotted in the wild was executed by regsvr.32exe.
Threat hunting telemetry captured the Conti ransomware dll attempting to connect to multiple internal IP addresses.
T1560 Archive Collected Data
T1218 Signed Binary Proxy Execution
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.