Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing the Conti ransomware to fully execute.
The Conti ransomware attempts to connect to devices located in the same network in order to propagate itself.
- Network access
- WMI service access
The Conti ransomware is attempting to access the Windows Management Instrumentation (WMI) service in order to execute remote code.
- File Encryptor
The Conti ransomware attempts to encrypt users' files by performing file writes. After encryption it appends a unique extension, .PSFUX.
- File creation
After encrypting users' files, the ransomware drops the ransom note 'readme.txt'. FortiEDR's exfiltration policy and Ransomware Prevention policy generate a block event for the new file creation.
- Ransomware note
Notice that many of the encrypted files have a .png extension, and the newly encrypted file carries the unique .PSFUX extension.
The command line spotted in the wild was executed by regsvr32.exe.
Threat hunting telemetry captured the Conti ransomware DLL attempting to connect to multiple internal IP addresses.
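The three behaviours described above (mass rewrites to a new extension, a dropped ransom note, and connections to many internal hosts from one process) can be correlated per process in threat hunting telemetry. The following is an added example written for this page, not FortiEDR code; it assumes a constructed, simplified telemetry line format and threshold values that are placeholders, not product settings.

```python
import ipaddress
from collections import defaultdict
# Constructed endpoint telemetry (not real FortiEDR output); assumed line shape:
# "<pid> <image> <event> <target>", with NetConnect targets written as ip:port.
SAMPLE_TELEMETRY = """\
4120 regsvr32.exe FileWrite C:\\Users\\alice\\Pictures\\a.png.PSFUX
4120 regsvr32.exe FileWrite C:\\Users\\alice\\Pictures\\b.png.PSFUX
4120 regsvr32.exe FileWrite C:\\Users\\alice\\Documents\\c.docx.PSFUX
4120 regsvr32.exe FileCreate C:\\Users\\alice\\Pictures\\readme.txt
4120 regsvr32.exe NetConnect 10.0.0.5:445
4120 regsvr32.exe NetConnect 10.0.0.6:445
4120 regsvr32.exe NetConnect 10.0.0.7:135
2200 explorer.exe FileWrite C:\\Users\\alice\\Documents\\notes.txt
"""
RANSOM_EXT, RANSOM_NOTE = ".psfux", "readme.txt"  # observed in this Conti case
MIN_ENCRYPTED, MIN_PEERS = 3, 3                    # thresholds are assumptions

def parse(telemetry):
    # Yield (pid, image, event, target), skipping malformed lines.
    for line in telemetry.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield tuple(parts)

def is_internal(target):
    # True when the ip:port target lies in an RFC 1918 private range.
    try:
        return ipaddress.ip_address(target.rsplit(":", 1)[0]).is_private
    except ValueError:
        return False

def hunt(telemetry):
    # Return {pid: (image, [reasons])} for processes showing ransomware behaviour.
    stats = defaultdict(lambda: {"enc": set(), "note": False, "peers": set()})
    for pid, image, event, target in parse(telemetry):
        s, low = stats[(pid, image)], target.lower()
        if event == "FileWrite" and low.endswith(RANSOM_EXT):
            s["enc"].add(low)                         # file rewritten with ransom extension
        elif event == "FileCreate" and low.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            s["note"] = True                          # ransom note dropped
        elif event == "NetConnect" and is_internal(target):
            s["peers"].add(target.rsplit(":", 1)[0])  # distinct internal hosts contacted
    hits = {}
    for (pid, image), s in stats.items():
        reasons = [label for ok, label in (
            (len(s["enc"]) >= MIN_ENCRYPTED, "mass file encryption"),
            (s["note"], "ransom note drop"),
            (len(s["peers"]) >= MIN_PEERS, "internal propagation attempt")) if ok]
        if reasons:
            hits[pid] = (image, reasons)
    return hits
```

Against the constructed sample, only the regsvr32.exe process trips all three indicators while the benign explorer.exe write is ignored.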
T1560 Archive Collected Data
T1218 Signed Binary Proxy Execution
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.