Created on 08-07-2021 07:56 AM Edited on 08-29-2022 06:34 AM By Anthony_E
Introduction
Conti ransomware has been active since May 2020 and continues to affect a large number of companies. The FBI has linked Conti ransomware attacks to a Russian persistent threat actor known as Wizard Spider. Conti is distributed using BazarLoader and employs a multithreaded approach so that it can encrypt all of a victim's files quickly. Conti is available in three different versions; this article focuses on the third version.
Pre-execution
FortiEDR prevents the Conti ransomware from executing under the Ransomware Prevention policy. FortiEDR detects this variant as BazarLoader.AD!tr.
Post-execution
Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, which allows the Conti ransomware to execute fully.
The Conti ransomware attempts to connect to other devices on the same network in order to propagate itself.
- Network access
- WMI service access
The Conti ransomware attempts to access the Windows Management Instrumentation (WMI) service in order to execute code remotely.
- File encryptor
The Conti ransomware attempts to encrypt the user's files by performing file writes. It appends a unique extension, .PSFUX, to each encrypted file.
- File creation
After encrypting the user's files, the ransomware drops the ransom note 'readme.txt'. FortiEDR's Exfiltration Prevention and Ransomware Prevention policies generate a block event for the new file creation.
- Ransomware note
Threat Hunting
Notice that many of the encrypted files originally had a .png extension; each newly encrypted file now carries the unique .PSFUX extension.
The command line spotted in the wild was executed by regsvr32.exe.
Threat hunting telemetry captured the Conti ransomware dll attempting to connect to multiple internal IP addresses.
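The behaviours observed above (encrypted files gaining the .PSFUX extension, a readme.txt drop, WMI access and fan-out connections to internal hosts from a process launched via regsvr32.exe) can be turned into a simple hunting rule. The following is an added example written for this article, not FortiEDR code; the telemetry format, the sample events and the fan-out threshold of three internal hosts are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not real FortiEDR output): time|host|process|action|target
SAMPLE_EVENTS = r"""
10:01:02|WS01|regsvr32.exe|file_write|C:\Users\bob\Pictures\cat.png.PSFUX
10:01:02|WS01|regsvr32.exe|file_write|C:\Users\bob\Pictures\dog.png.PSFUX
10:01:03|WS01|regsvr32.exe|file_write|C:\Users\bob\Docs\q3.xlsx.PSFUX
10:01:03|WS01|regsvr32.exe|file_create|C:\Users\bob\Docs\readme.txt
10:01:04|WS01|regsvr32.exe|net_connect|10.0.0.12:445
10:01:04|WS01|regsvr32.exe|net_connect|10.0.0.13:445
10:01:04|WS01|regsvr32.exe|net_connect|10.0.0.14:135
10:01:05|WS01|regsvr32.exe|wmi_access|\\10.0.0.14\root\cimv2
10:02:01|WS02|chrome.exe|net_connect|142.250.72.14:443
"""
RANSOM_EXT = ".psfux"       # extension Conti v3 appends (from the article)
RANSOM_NOTE = "readme.txt"  # note dropped after encryption (from the article)
LATERAL_FANOUT = 3          # distinct internal hosts per process (assumed threshold)

def is_internal(endpoint: str) -> bool:
    """True when the 'ip:port' string points at a private (RFC 1918) address."""
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0]).is_private

def hunt(raw: str) -> dict:
    """Return {(host, process): [findings]} for processes showing Conti-like behaviour."""
    enc, peers, note, wmi = defaultdict(int), defaultdict(set), set(), set()
    for line in raw.strip().splitlines():
        _, host, proc, action, target = line.split("|", 4)
        key = (host, proc)
        if action == "file_write" and target.lower().endswith(RANSOM_EXT):
            enc[key] += 1                              # encrypted-file write
        elif action == "file_create" and target.lower().endswith(RANSOM_NOTE):
            note.add(key)                              # ransom note drop
        elif action == "net_connect" and is_internal(target):
            peers[key].add(target.rsplit(":", 1)[0])   # lateral-movement probing
        elif action == "wmi_access":
            wmi.add(key)                               # remote execution via WMI
    findings = {}
    for key in set(enc) | set(peers) | note | wmi:
        hits = []
        if enc[key] >= 2 and key in note:
            hits.append(f"{enc[key]} {RANSOM_EXT} writes plus {RANSOM_NOTE} drop")
        if len(peers[key]) >= LATERAL_FANOUT:
            hits.append(f"internal fan-out to {len(peers[key])} hosts")
        if key in wmi:
            hits.append("WMI service access")
        if hits and key[1].lower() == "regsvr32.exe":
            hits.append("signed-binary proxy execution (T1218)")
        if hits:
            findings[key] = hits
    return findings
```

Only WS01's regsvr32.exe process is flagged; the public-IP connection from chrome.exe on WS02 produces no finding.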
MITRE ATT&CK
T1560 Archive Collected Data
T1218 Signed Binary Proxy Execution
IOC
FCE6F537B075BE5A1EB6EF2CE4F0C735108A425D