
Conti ransomware leaks show a low-tech but effective model

Written by ga_dahmani

The Conti ransomware empire relies on surprisingly low-tech attack methods and techniques.

Security researchers at Akamai Technologies took a deep dive into recently leaked manuals and training materials from the notorious ransomware group and found that Conti hackers generally don’t need to make use of cutting-edge exploits and hacking techniques.

Rather, the researchers found that the hackers working with the Conti group use tried-and-true techniques: they seek to take over a single user account inside the target's network and then use those stolen credentials to move laterally.

“Conti’s attack doctrine is not new. Effective tooling and persistence seem to work,” Akamai security researcher Stiv Kupchik explained in a blog post Tuesday.

“The process seems to be mostly ‘hands on the keyboard’; although some functions can be programmed or automated, operators are generally expected to do the work of stealing credentials and making conscious decisions about broadcasting on the network.”

Akamai researchers found that the Conti network relies more on the hard work of its affiliated hackers than on any technical wizardry. The group appears to rely almost exclusively on off-the-shelf penetration testing tools, such as Cobalt Strike, Mimikatz, and PsExec, with very little in-house tooling.

“To accomplish its goals of network infiltration and propagation, Conti employs various tools, most of them not created by Conti,” Kupchik explained.

“In fact, only the crypter, trojan, and injector appear to be proprietary, but for lateral movement, spread, and exfiltration, Conti appears to use a host of tools that should be familiar to anyone on the red and blue teams.”

While the group may not have the most novel tools or techniques, the Conti operation has proven extremely lucrative both for its operators and for the hired hackers who do the legwork of infecting machines and exfiltrating the data that backs Conti’s extortion demands.

One of the reasons the group is so effective is because of its commitment to getting hackers deep into targeted networks before they make their presence known.

Conti hackers, Akamai said, tend to embed themselves in a network through lateral movement, using a single compromised account to obtain the credentials of other accounts and take control of multiple systems.

The ultimate goal of this strategy is to reach the target’s domain controller (DC) and obtain an administrator account that gives control of the entire domain. Only once that has been achieved do the attackers take the step of encrypting the data and announcing the compromise to the target company.

“Operators are instructed to work their way to the DC through the aforementioned process of credential theft and expansion,” Kupchik explained. “Since the process appears to be largely manual, this allows Conti operators a level of discretion in choosing targets.”

This, unfortunately, is bad news for network defenders. Without a specific exploit or unique method of breaking into networks, Conti hackers are not easy to defend against; Akamai said protecting against an intrusion requires a multifaceted effort.

“There is no solution that can immediately keep you safe and secure,” Kupchik said. “As we can see from the attack methodology, there is a sophisticated process before the first instance of ransomware is deployed, giving us plenty of opportunity to detect and respond to the attack.”
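One way a defender can act on that window of opportunity, as an added example that is not from the Akamai report or this article: a small Python script that flags the two behaviours the article describes, a single account performing network logons to many hosts in a short period, and PsExec's default service being installed, over constructed Windows event records. The event IDs (4624 logon, 7045 service installed), field names and the PSEXESVC service name are the real Windows ones; the hosts, account names, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, host, event_id, **fields):
    """Build one simplified Windows event record (constructed sample data)."""
    return {"time": datetime.fromisoformat(time), "host": host, "id": event_id, **fields}

# Constructed sample telemetry, not real logs. 4624 = successful logon (LogonType 3 is a
# network logon, the type SMB/PsExec produce); 7045 = a new service was installed.
SAMPLE_EVENTS = [
    ev("2022-03-08T10:00:05", "WS-01", 4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.21"),
    ev("2022-03-08T10:02:00", "WS-08", 4624, LogonType=3, TargetUserName="alice", IpAddress="10.0.0.40"),
    ev("2022-03-08T10:04:10", "WS-02", 4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.21"),
    ev("2022-03-08T10:05:00", "WS-08", 4624, LogonType=2, TargetUserName="alice", IpAddress="-"),
    ev("2022-03-08T10:09:30", "WS-03", 4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.21"),
    ev("2022-03-08T10:09:31", "WS-03", 7045, ServiceName="PSEXESVC", ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    ev("2022-03-08T10:15:00", "WS-04", 4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.21"),
    ev("2022-03-08T10:19:45", "WS-05", 4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.21"),
    ev("2022-03-08T10:40:00", "WS-09", 4624, LogonType=3, TargetUserName="alice", IpAddress="10.0.0.40"),
    ev("2022-03-08T11:30:00", "WS-07", 7045, ServiceName="UpdateAgent", ImagePath=r"C:\Program Files\Agent\agent.exe"),
    ev("2022-03-09T10:00:00", "WS-06", 4624, LogonType=3, TargetUserName="svc_backup", IpAddress="10.0.0.21"),
]

def lateral_fanout(events, min_hosts=5, window_minutes=30):
    """Return {account: sorted hosts} for accounts whose network logons (4624, LogonType 3)
    reached at least min_hosts distinct hosts inside some window_minutes-long interval."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("LogonType") == 3:
            by_account[e["TargetUserName"]].append((e["time"], e["host"]))
    hits = {}
    for account, logons in by_account.items():
        logons.sort()  # slide a window forward from each logon in time order
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits

def psexec_service_installs(events):
    """Hosts where a 7045 event recorded PsExec's default service name."""
    return sorted({e["host"] for e in events
                   if e["id"] == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC"})

if __name__ == "__main__":
    print("credential fan-out:", lateral_fanout(SAMPLE_EVENTS))
    print("PsExec service installs:", psexec_service_installs(SAMPLE_EVENTS))
```

Both checks key on defaults and fixed thresholds, so treat them as a tuning starting point rather than a complete detection; the point is that the spreading phase leaves authentication and service-install traces on many hosts before any encryption runs.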
