FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 198090

Introduction
Conti ransomware has been around since May 2020 and continues to affect a large number of companies. The FBI has linked the Conti ransomware attacks to a Russian persistent threat actor known as Wizard Spider. Conti distributes itself using BazarLoader and employs a multithreading approach to encrypt all of the files quickly. Conti is available in three different versions. This article focuses on the third version.

Pre-execution

FortiEDR prevents the Conti ransomware from being executed under Ransomware prevention policy. FortiEDR detects this variant as BazarLoader.AD!tr.

Post-execution

Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing the Conti ransomware to fully execute.

  • Network access
The Conti ransomware attempts to connect to devices located in the same network in order to propagate itself.

  • WMI service access

The Conti ransomware attempts to access the Windows Management Instrumentation (WMI) service in order to execute code remotely.

  • File Encryptor

The Conti ransomware attempts to encrypt users' files by performing file writes. It adds a unique extension, .PSFUX, to the encrypted files.

  • File creation

After encrypting the users' files, the ransom note 'readme.txt' is dropped. FortiEDR's exfiltration policy and Ransomware prevention policy generate a block event for the new file creation.

  • Ransomware note

Threat Hunting

Notice that many of the encrypted files originally had the .png extension, and that each newly encrypted file carries the unique .PSFUX extension.

The command line that was spotted in the wild was executed by regsvr32.exe.

Threat hunting telemetry captured the Conti ransomware DLL attempting to connect to multiple internal IP addresses.
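As an added hunting example (not part of this article and not FortiEDR code), the script below runs constructed endpoint telemetry through rules built from the indicators described above: regsvr32.exe loading a DLL, a burst of .PSFUX renames, a readme.txt drop, and one process fanning out to several internal addresses. The event field names, the sample events and the alert thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Indicators from the article; thresholds are assumed tuning values.
CONTI_EXT = ".psfux"        # extension Conti appends after encryption
RANSOM_NOTE = "readme.txt"  # ransom note dropped after encryption
RENAME_BURST = 3            # assumed: encrypted renames per process before alerting
FANOUT_THRESHOLD = 3        # assumed: distinct internal peers per process before alerting

def hunt(events):
    """Map each pid to the sorted list of Conti indicators its events matched."""
    hits, renames, peers = defaultdict(set), defaultdict(int), defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process":
            # T1218: regsvr32.exe used to load the ransomware DLL
            if ev["image"].lower().endswith("regsvr32.exe") and ".dll" in ev["cmdline"].lower():
                hits[pid].add("regsvr32_dll_proxy_exec")
        elif kind == "file_rename" and ev["new"].lower().endswith(CONTI_EXT):
            renames[pid] += 1
            if renames[pid] >= RENAME_BURST:
                hits[pid].add("psfux_rename_burst")
        elif kind == "file_create" and ev["path"].lower().endswith(RANSOM_NOTE):
            hits[pid].add("ransom_note_drop")
        elif kind == "net_connect" and ipaddress.ip_address(ev["dst"]).is_private:
            # propagation attempt: one process reaching many RFC 1918 hosts
            peers[pid].add(ev["dst"])
            if len(peers[pid]) >= FANOUT_THRESHOLD:
                hits[pid].add("internal_fanout")
    return {pid: sorted(h) for pid, h in hits.items()}

# Constructed sample telemetry (not captured data); pid 7 hosts the DLL, pid 9 is benign.
SAMPLE_EVENTS = [
    {"pid": 7, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\Public\loader.dll"},
    {"pid": 7, "type": "net_connect", "dst": "10.0.0.5"},
    {"pid": 7, "type": "net_connect", "dst": "10.0.0.6"},
    {"pid": 7, "type": "net_connect", "dst": "10.0.0.7"},
    {"pid": 7, "type": "file_rename", "old": r"C:\Users\a\a.png", "new": r"C:\Users\a\a.png.PSFUX"},
    {"pid": 7, "type": "file_rename", "old": r"C:\Users\a\b.png", "new": r"C:\Users\a\b.png.PSFUX"},
    {"pid": 7, "type": "file_rename", "old": r"C:\Users\a\c.png", "new": r"C:\Users\a\c.png.PSFUX"},
    {"pid": 7, "type": "file_create", "path": r"C:\Users\a\readme.txt"},
    {"pid": 9, "type": "net_connect", "dst": "10.0.0.5"},
    {"pid": 9, "type": "file_rename", "old": r"C:\Users\b\x.png", "new": r"C:\Users\b\x.jpg"},
]

if __name__ == "__main__":
    for pid, indicators in hunt(SAMPLE_EVENTS).items():
        print(pid, indicators)
```

Only the process that crosses the burst and fan-out thresholds is reported; a single internal connection or an ordinary rename from the benign process produces no hit.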

MITRE ATT&CK

T1560 Archive Collected Data

T1218 Signed Binary Proxy Execution

IOC

FCE6F537B075BE5A1EB6EF2CE4F0C735108A425D

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.