From the Labs: YARA Rule for Detecting Conti

ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules and help your organization to detect them within your environment.

Conti: Ransomware as a Service

The Conti ransomware is one of the most prolific and active ransomware families in recent years. It made headlines in 2021 for links to attacks on the City of Tulsa, Oklahoma as well as networks belonging to audio gear manufacturer JVCKenwood.

Despite efforts to take down the group and its infrastructure, an alert by CISA, the Cybersecurity and Infrastructure Security Agency, notes that the Conti cyber threat actors remain active. CISA has tracked more than 1,000 attacks against U.S. and international organizations, including healthcare and first responder networks (PDF).

Believed to be based in Russia, the Conti group made news again in recent weeks for posting messages in support of the Russian invasion of Ukraine and - subsequently - for getting hacked in retaliation for the group’s support of the invasion. Group chats from an internal Conti Jabber server were leaked to the public, exposing the inner deliberations of Conti’s members.

Attacker Techniques

The Conti group is a verticalized ‘ransomware as a service’ operation that manages everything from malware development to payment processing, while outsourcing victim selection and compromise to affiliates. The group conducts ‘double extortion,’ which involves placing ransomware to hobble victim operations and also stealing data, which is selectively leaked to increase pressure on victims to pay ransoms.

According to CISA, attacks on victims typically begin with spear phishing [T1566] campaigns involving tailored emails that contain malicious attachments or malicious links.

The group is also known to use stolen or weak Remote Desktop Protocol (RDP) credentials [T1078], engage in phone-based social engineering attacks or push malicious software to victim networks via search engine optimization attacks or malware distribution networks.

Once established in a victim environment, Conti has been observed leveraging dual-use tools like Windows SysInternals and Router Scan to identify and target vulnerable infrastructure, such as routers, cameras and network attached storage devices. Brute force attacks [T1110] are often used to gain access to these systems. Mimikatz is often deployed to facilitate credential theft and attacks on Active Directory and Kerberos authentication [T1558]. Stolen or forged administrator credentials [TA0004] facilitate Conti’s lateral movement within compromised environments. Remote monitoring and management software and remote desktop software is exploited to maintain persistence [TA0003] on victim networks.

Once established, tools like TrickBot and Cobalt Strike are used to carry out post-exploitation tasks and command and control.

Detecting Conti

Given Conti’s track record of success in bringing down large and sophisticated organizations, identifying this threat early is critical.

ReversingLabs’ Conti YARA rule is designed to detect Conti ransomware within your environment with high fidelity and almost no false-positives.

Download the Conti YARA Rule here:
Win32.Ransomware.Conti.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page.

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.