Conti Shuts Down

May 24, 2022

AdvIntel, a threat intelligence firm well known for tracking Conti activity, has discovered the shutdown of Conti’s ransom operations: critical ransom features have been removed from the infamous Conti News blog.

Unraveling Wizard Spider’s Operations

May 24, 2022

Industry: N/A | Level: Tactical | Source: Hacker News

Intelligence collected by PRODAFT revealed the nuances of the cybercriminal group Wizard Spider’s organizational structure and goals. The group’s financial success funds its research and development plans, and maintaining an effective toolset is a priority for the group. The team discovered a hash cracking system capable of unraveling “LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, MS Office 2013 files, and other types of common hashes.” Additionally, a cold-calling system used to pressure non-responsive victims into complying with the group’s ransom demands was reviewed. Wizard Spider’s primary method of initial access is distributing spam emails containing Qakbot malware or proxy malware such as SystemBC. The group has also been found leveraging an exploit kit that incorporates the Log4Shell vulnerability. Once the network has been infiltrated, the threat group conducts reconnaissance to identify high-value targets. Cobalt Strike is deployed to assist with lateral movement, and the group prioritizes obtaining domain admin privileges so that it can deploy Conti ransomware. Tools identified in use by Wizard Spider include numerous PowerShell scripts, Rubeus, SecretsDump, AdFind, Mimikatz, FileZilla, and Rclone.

Anvilogic Use Cases:

  • Executable Create Script Process
  • Rubeus Commands
  • Locate Credentials
  • Query Registry
  • NTDSUtil.exe execution
  • SecretsDump Credential Harvest
  • Adfind Execution
  • Adfind Commands
  • Mimikatz
  • Rclone Execution
  • Windows FTP Exfiltration

Conti & Its Subsidiary Group Blackbyte

May 24, 2022

Industry: N/A | Level: Tactical | Source: AdvIntel

AdvIntel’s extensive research into the Conti ransomware group dives into its subsidiary group Blackbyte, which, along with the data extortion group Karakurt, supports Conti’s operations. The relationship between Conti and Blackbyte was explored after reports of the data breach at the NFL team San Francisco 49ers on February 13th, 2022. Security news outlets pointed to Blackbyte as the perpetrator of the attack; however, an investigation by AdvIntel identified that the group was used “as a shell group to process the breach,” with Conti as the true culprit. The breach of the 49ers’ network had begun on December 14th, 2021, with AdvIntel identifying a set of Cobalt Strike commands targeting the NFL team’s network. According to AdvIntel, “the Conti team who began the operation against 49ers on December 14 were able to compromise the victim’s primary domain and get access to the local shares and core network segments for several departments, including the team’s finance and accounting sectors.” The Blackbyte-Conti alliance reveals a larger trend in the threat landscape of “sub-divisions,” groups created to operate specifically in data exfiltration without the need for encryption. AdvIntel has also identified Conti forming alliances with other ransomware groups, including HelloKitty/FiveHands, Babuk, HiVE, BlackCat/ALPHV, and AvosLocker. AdvIntel theorizes about the future of ransomware groups: “As groups grow in size and scope, they will begin to spawn business derivatives to handle some of their smaller operations in return for assistance and resources. This, in turn, will allow those subgroups to grow independently of the larger group, before extenuating circumstances, such as sanctions, struggles for power, or impending dissolution of the parent collective eventually led them to split off and become their own threat entity.” Notable detection techniques for Blackbyte emphasize detections for Rclone, Cobalt Strike, Metasploit, and PowerShell commands.

Anvilogic Use Cases:

  • Rclone Execution
  • Cobalt Strike Beacon
  • Cobalt Strike style Shell invocation
  • Obfuscated Powershell Techniques
  • Encoded Powershell Command
  • Suspicious Executable by Powershell
  • Attrib.exe Metasploit File Dropper
  • PowerSploit Metasploit Payload

National Emergency Declared in Costa Rica

May 10, 2022

Industry: Government | Level: Strategic | Source: BleepingComputer

After cyber-attacks from the Conti ransomware group targeted multiple Costa Rican government agencies, a national emergency was declared by Costa Rican President Rodrigo Chaves on May 8th, 2022. News outlet Amelia Rueda quoted the Costa Rican president: “The attack that Costa Rica is suffering from cybercriminals, cyberterrorists is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency in the entire public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts.” BleepingComputer identified the impact as a 672 GB data dump associated with Costa Rican government agencies. Based on the ransomware group’s data leak site, 97% of the 672 GB of stolen data has been leaked. From an initial review of the posted data, it appears to be related to source code and SQL database information. A message from Conti on the leak site names “UNC1756” as the actor responsible for the attack. The actor’s objective is financial gain, and the actor has warned of more attacks: “I will definitely carry out attacks of a more serious form.”

Conti Ransomware Hits Costa Rica Electricity

May 03, 2022

Industry: Energy | Level: Strategic | Source: TheRecord

Junta Administrativa del Servicio Eléctrico de Cartago (JASEC), a government agency controlling electricity in Cartago, Costa Rica, was hit by Conti ransomware this past weekend, with administrative systems affected. The attack occurred on Saturday, encrypting the systems that manage the company’s email, website, and administrative collection systems. The electric operator’s general manager Luis Solano has assured customers that “electricity and internet services operate normally”; however, the incident has prevented customers from paying electric or internet bills. Until the incident is resolved, the company has suspended bill payments.

Ransomware Attack Techniques

May 03, 2022

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and Avoslocker has identified frequently utilized tools, tactics, and procedures (TTPs). During the initial access stage of the attack, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware deployment through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involves the use of third-party remote software such as AnyDesk and ConnectWise Control, along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a wide array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows logs helps cover the attackers’ tracks, and data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, actors rely on Rclone and FileZilla to transfer data.

Anvilogic Use Cases:

  • Registry key added with reg.exe
  • Windows Firewall Rule Creation
  • Mimikatz
  • Invoke-Expression Command
  • comsvcs.dll Lsass Memory Dump
  • Rundll32 Command Line
  • Task Manager lsass Dump
  • Credentials in Registry
  • Remote Admin Tools
  • WinRM Tools
  • BITSadmin Execution
  • Clear Windows Event Logs
  • Inhibit System Recovery Commands
  • Suspicious Registry Key Deleted
  • Rclone Execution
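As an added illustration, not code from Symantec’s report or from Anvilogic’s detection content, the following Python runs command-line detections for several of the TTPs above (credential dumping via comsvcs.dll, shadow copy deletion, event log clearing, BITSAdmin transfers and Rclone exfiltration) over constructed process-creation events and flags hosts where more than one stage of the chain appears. The rule bodies, the pipe-delimited record format and the host names are assumptions made for the example.

```python
import re

# Detection rules named after the use cases above (the names are reused as labels;
# the regexes are this example's own, not Anvilogic's rule content). Each is a
# case-insensitive pattern over a process command line.
RULES = {
    "comsvcs.dll Lsass Memory Dump": re.compile(r"comsvcs\.dll\b.*\bminidump\b", re.I),
    "Inhibit System Recovery Commands": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "Clear Windows Event Logs": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "BITSadmin Execution": re.compile(r"bitsadmin(\.exe)?\s+/transfer\b", re.I),
    "Rclone Execution": re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I),
}

def parse_event(line: str) -> tuple[str, str, str]:
    """Parse a constructed 'host | image | command line' record into a 3-tuple."""
    host, image, cmdline = (part.strip() for part in line.split("|", 2))
    return host, image, cmdline

def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern fires on this command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each host to the sorted set of rule names its events triggered."""
    hits: dict[str, set[str]] = {}
    for line in lines:
        host, _image, cmdline = parse_event(line)
        for name in match_rules(cmdline):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

def escalate(summary: dict[str, list[str]], min_stages: int = 2) -> list[str]:
    """Hosts that hit several distinct stages (dump + recovery inhibition + log
    clearing, say) look like an active intrusion chain rather than admin noise."""
    return sorted(h for h, names in summary.items() if len(names) >= min_stages)

# Constructed sample events: WS01 shows a credential dump, shadow copy deletion
# and log clearing; FS02 only runs rclone; benign look-alike lines are mixed in.
SAMPLE_EVENTS = [
    r"WS01 | rundll32.exe | rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"WS01 | rundll32.exe | rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Temp\d.dmp full",
    r"WS01 | vssadmin.exe | vssadmin.exe delete shadows /all /quiet",
    r"WS01 | wevtutil.exe | wevtutil.exe cl Security",
    r"FS02 | vssadmin.exe | vssadmin.exe list shadows",
    r"FS02 | rclone.exe | rclone.exe copy D:\Finance remote:bucket --transfers 8",
]
```

Running `triage(SAMPLE_EVENTS)` attributes three stages to WS01 and only the Rclone rule to FS02, so `escalate` returns just WS01; the benign `vssadmin list` and Control Panel `rundll32` lines produce no hits.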

Impact of Conti Ransomware on the Healthcare Industry

April 26, 2022

Industry: Healthcare | Level: Strategic | Source: Krebs On Security

The impact of Conti and Ryuk ransomware on the healthcare industry has been substantial. As reported by Brian Krebs, and according to findings from Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), the impact of ransomware on hospitals has been dangerous, causing disruptions to IT systems and the cancellation or delay of patient care services. In addition, given the nature of ransomware, the cost of incidents has been significant, covering payment, incident analysis, and remediation of impacted systems. As identified by Ireland’s Health Service Executive, a ransomware incident in May 2021 amassed over $600 million in recovery costs. Ryuk/Conti has treated this sector as a prime target, and since 2020 the threat actors have compromised more than 400 healthcare facilities. Figures for ransomware against the healthcare industry have not been reliably reported, and the problem is likely underreported, since companies prefer to keep breaches confidential and avoid public attention.

Conti & Karakurt Data Extortion Group

April 19, 2022

Industry: N/A | Level: Tactical | Source: Infinitum

By obtaining access to Conti servers, the Infinitum IT Cyber Threat Intelligence team has identified a link between the Conti ransomware group and the data extortion group Karakurt. Karakurt focuses on data extortion without deploying ransomware, relying solely on data exfiltration. The group has obtained access to victim networks primarily through VPN credentials. Based on the group’s blog site, it compromised over 40 organizations between September and November 2021 and a further 11 organizations in December 2021. The compromised entities have been based in Canada and the United States. The Infinitum team’s research began on February 27th, 2022, leveraging the Conti leaks to access resources such as Protonmail and Mega Upload used by the ransomware group, which enabled the security team to infiltrate the Conti servers. From the team’s surveillance, they identified resources being shared by Conti and Karakurt, where Conti would upload data to Karakurt’s C2 servers using FileZilla. Additional review by Infinitum identified Conti using Inferno Solutions, a Russian VPS service, and accessing one of its data storage systems, found to contain more than 20 TB of victim data. The security firm has shared the intelligence with the government.

Anvilogic Use Cases:

  • Adfind Execution
  • Adfind Commands
  • Cobalt Strike Beacon
  • Mimikatz
  • RDP Connection
  • RDP Logon/Logoff Event
  • Windows FTP Exfiltration

eSentire Conti Leaks Analysis

April 05, 2022

Industry: N/A | Level: Tactical | Source: eSentire

eSentire’s Threat Response Unit (TRU) dove into Conti intrusion procedures, sharing detection tactics drawn from the group’s 2021 and 2022 data leaks, which contain operation manuals and chat logs. The ransomware group’s chat logs from the February 2022 leak often reference manuals that assist Conti operators in carrying out their operations. The ransomware gang operates with a clear structure, involving a management chain, organized personnel with roles and responsibilities, and training programs. The reference materials help ensure Conti operators initiate their threat activity with consistency and efficiency. Analysis of the tooling identified reliance on many known tools and techniques, including AdFind, Cobalt Strike, Mimikatz, PowerView, 7-Zip, AnyDesk, Rubeus, Rclone, and native living-off-the-land binaries (LOLBins).

Anvilogic Scenario: ZeroLogon Compromise

Anvilogic Use Cases:

  • Adfind Commands
  • Adfind Execution
  • Common Reconnaissance Commands
  • Cobalt Strike Beacon
  • Cobalt Strike style Shell invocation
  • Create/Add Local/Domain User
  • Locate Credentials
  • Mimikatz
  • Modify Group Policy
  • Native Archive Commands
  • Potential Web Shell
  • Registry key added with reg.exe
  • Rclone Execution

FBI’s Internet Crime Report for 2021

March 29, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: IC3

The FBI’s Internet Crime Complaint Center (IC3) has released its report for 2021, tracking a variety of internet crimes; the top crime types were extortion, identity theft, personal data breach, non-payment/non-delivery, and phishing/vishing/smishing/pharming. Of particular interest are the ransomware statistics: IC3 received 3,729 ransomware complaints in 2021. The critical infrastructure sector has been closely monitored since June 2021, with 16 crucial sectors considered “vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy, public health or safety, or any combination thereof.” Of the complaints received, 649 involved organizations in the critical infrastructure sector, and “of the 16 critical infrastructure sectors, IC3 reporting indicated 14 sectors had at least 1 member that fell victim to a ransomware attack in 2021.” Among the 14 impacted critical infrastructure sectors, the top victims were Healthcare and Public Health (148 complaints), Financial Services (89), Information Technology (74), Critical Manufacturing (65), and Government Facilities (60). Three ransomware variants were the culprits in many reported complaints. They are as follows: Conti (87 victims), LockBit (58 victims), and REvil/Sodinokibi (51 victims).