FortiGuard Labs Threat Research Report

Ransomware has dominated the media headlines for the first half of 2021. The attack on Colonial Pipeline (Darkside) caused a disruption in the distribution of oil and gasoline across the East Coast of the United States (ironically, it was the billing system that was taken offline, not the OT devices controlling the supply). The one on JBS Foods in Brazil (REvil) led to concerns about a potential global meat shortage. And the one that targeted managed service provider Kaseya VSA (REvil) was a supply chain attack that resulted in downstream customers being impacted with ransomware attacks.

Prior to these attacks, the tactics, techniques, and procedures (TTPs) of threat actors were discovered either by forensic analysis conducted by incident response teams or via static analysis of the malware itself. However, a disgruntled self-proclaimed 'pentester' of the Conti group recently leaked various insider files to the public. Contained within this leak are zipped, password-protected files, operational how-to documents, and other reference files created by the group for affiliates. Because of this leak, we have been given a sneak peek into the operations of a ransomware operation from the affiliate perspective.

The Conti ransomware group, in operation for over a year, runs a Ransomware-as-a-Service (RaaS) that has been connected to multiple attacks, including a recent high-profile attack on the Irish Health Service that caused a massive disruption to services. In that attack, not only were services disrupted and brought to a halt, but database servers (SQL) and over 700GB of PII were downloaded and exfiltrated by the threat actors. So, their modus operandi is not just ransom, but extortion by providing proof that valuable data has been exfiltrated.

The primary focus of the following analysis will be on the Conti support manual, titled 'CobaltStrike Manuals_V2 Active Directory.' It will touch on several interesting observations lifted from the manual. Although other files and documents were released, this support manual contains information for 'affiliates' and offers a rare glimpse into the Ransomware-as-a-Service world.

In this blog, the reader will be presented with the following:

  • A sneak peek into documentation provided to criminal affiliates and the type of support provided by a ransomware organization.
  • Observations of recent vulnerabilities, suggesting this document is rather new.
  • A perspective into operational strategies, including the TTPs used by the Conti ransomware group, such as tools, methodologies, and an attack overview from its beginning stages to the final ransomware deployment stage.

Nearly a decade of ransomware

Ransomware in its current form (lock screen, payment in cryptocurrency, etc.) has been around for almost a decade, and yet it still makes media headlines. From the first mass ransomware attacks that displayed various law enforcement logos to the victim (based on the victim's locale) and demanded payment in prepaid credit cards (Reveton - 2012), to the first payments made in Bitcoin cryptocurrency (Cryptolocker - 2013), and now Ransomware-as-a-Service (GandCrab - 2018), it has become almost commonplace. So, how is it that it is still making headlines?

It is because attacks are becoming more brazen, and both the victims and the impact of an attack are increasingly high profile. In addition to the ongoing efforts of targeting random, indiscriminate individuals and their machines, criminals are increasingly targeting major organizations and their entire environment, thereby causing noticeable disruptions. It is also worth mentioning that their tradecraft has improved, from the basic social engineering techniques via spearphishing or pirated software still used by low-level criminals, to new advanced strategies where, by the time a ransomware attack is launched, the threat actor has already been inside the victim's network, undiscovered and undetected, sometimes for months before striking.

Another compounding factor is the new RaaS model. This maturing strategy allows vetted 'affiliates' to conduct attacks, rather than the organization that developed the malware. Using a sort of franchise model, affiliates keep a hefty share of the ransom while paying the ransomware authors a percentage of their gains. For the developers, the money comes through scalability, giving them time to refine their service rather than hunting for victims. This also means that the rate and volume of attacks necessarily increase as the number of affiliates grows. Reports by researchers estimate that ransomware attacks alone in 2020 grew over 150 percent and have netted attackers over 350 million dollars [1][2].

[1] Group-IB: ransomware empire prospers in pandemic-hit world. Attacks grow by 150% https://www.group-ib.com/media/ransomware-empire-2021/

[2] Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits Than You Think https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021

Of course, forensic analysis shows that attackers had already successfully embedded themselves inside a network, sometimes for weeks or months at a time, to prepare for executing their attack (interestingly, in a new development, CVE-2020-1472 - Zerologon changed that to hours) [3]. However, we didn't have much insight into the operational tradecraft used by affiliates. We just assumed that they were well-versed in pentesting methodologies and skilled in performing their operations. And while we had heard of some ransomware gangs providing advanced attack support for their affiliates, we didn't really know how much support was provided until now.

[3] Ryuk ransomware gang uses Zerologon for lightning-fast attack https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/

The Affiliates' Cookbook

Disclaimer

Fortinet Inc. published this content on 10 August 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 10 August 2021 19:16:08 UTC.