This article was written by Topher Tebow, Senior Cybersecurity Researcher at Acronis, whose focus is malware tracking and analysis.
Ransomware attacks have become almost a daily routine, bringing a new level of danger and turmoil to the already complex business of protecting data. One such threat is Conti, which is frequently used to target healthcare institutions and retailers.
How it works tells us a lot about modern ransomware attacks, so I recently detonated Conti ransomware in a controlled environment to show the importance of proper cyber protection.
Preparing for an attack
This attack used three virtual machines to simulate different scenarios. The first was a clean, unprotected Windows installation, used to demonstrate the ransomware’s functionality. The other two had either ransomware protection to remediate the attack, or URL filtering to prevent the malicious payload from being installed.
I used Process Monitor and Process Explorer from the Sysinternals Suite to watch the ransomware’s activity during the attack. There are the normal processes, of course, but also the processes spun up by the ransomware, as well as registry changes.
As the attack vector, I created a fake malicious email built around a tax-related invoice, mimicking a common phishing lure. It was based on a real email so that it looked legitimate, and after a quick change to my email settings it also showed my company name as the sender. I kept the official logo and colours but replaced the invoice details with a download link, so that someone expecting such an email would interact with it rather than just view it.
The link led to an “invoice” document with an embedded Visual Basic script that automatically downloads the ransomware from a trusted file-sharing service and runs it.
Attackers often stop at this point, since victims normally have to enable active content before such a script will run. In this case I was going to be the victim myself, so I configured Word to run active content automatically. This is a simple configuration change, and should not be overlooked as a potential weakness in corporate networks.
My attack begins with the prepared email being sent to the “victim”. The victim clicks the link in the email to download the document from the trusted file-sharing service. The Visual Basic script runs as soon as the document opens, pulling down the ransomware and running it automatically.
After a few seconds, the ransomware file appears as a child process of WINWORD.EXE in Process Explorer. In the Windows Registry, the ransomware’s queries begin with CurrentControlSet entries and then move on to restart settings, which shows that Conti is looking for a way to gain persistence on the system.
As the ransomware encrypts files, it slows the machine down. If the user does not notice anything wrong, Conti continues to encrypt new files as they are added to the machine.
Poor system performance can be the first sign of a problem, but there are several other indicators. One is the changed file extension, with “.ZSSCI” appended to the file name (although different ransomware families use different extensions). The file icon changes to a blank page icon because the file type is no longer recognized. For Conti and most other modern ransomware, a readme.txt file is placed in every directory where files have been encrypted.
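The indicators described above (Word spawning the payload, registry writes to persistence locations, one new extension appended to many files, and a readme.txt dropped in every encrypted directory) can be turned into detection rules. The following Python script is an added example, not code from the article or from Acronis: it runs four such rules over a constructed, Process Monitor-style CSV sample. The process name inv.exe, the PIDs and the paths are made up for the example; the .ZSSCI extension and the readme.txt note are the ones the article reports for Conti.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of Process Monitor-style events, written as CSV for this
# example; it is not a real capture. The process name "inv.exe", PIDs and paths
# are made up. The ".ZSSCI" extension and readme.txt note are the indicators the
# article reports for Conti.
SAMPLE_LOG = r"""time,process,pid,parent,operation,path,detail
10:01:02,WINWORD.EXE,4120,explorer.exe,Process Create,C:\Users\alice\AppData\Local\Temp\inv.exe,PID: 5008
10:01:03,inv.exe,5008,WINWORD.EXE,RegQueryKey,HKLM\SYSTEM\CurrentControlSet\Control\Session Manager,
10:01:03,inv.exe,5008,WINWORD.EXE,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\inv,Data: C:\Users\alice\AppData\Local\Temp\inv.exe
10:01:05,inv.exe,5008,WINWORD.EXE,SetRenameInformationFile,C:\Users\alice\Documents\q1.xlsx,FileName: C:\Users\alice\Documents\q1.xlsx.ZSSCI
10:01:05,inv.exe,5008,WINWORD.EXE,CreateFile,C:\Users\alice\Documents\readme.txt,Disposition: Create
10:01:05,inv.exe,5008,WINWORD.EXE,SetRenameInformationFile,C:\Users\alice\Documents\plan.docx,FileName: C:\Users\alice\Documents\plan.docx.ZSSCI
10:01:06,inv.exe,5008,WINWORD.EXE,SetRenameInformationFile,C:\Users\alice\Pictures\cat.jpg,FileName: C:\Users\alice\Pictures\cat.jpg.ZSSCI
10:01:06,inv.exe,5008,WINWORD.EXE,CreateFile,C:\Users\alice\Pictures\readme.txt,Disposition: Create
10:01:07,explorer.exe,1200,winlogon.exe,SetRenameInformationFile,C:\Users\alice\Desktop\draft.txt,FileName: C:\Users\alice\Desktop\final.txt
10:01:08,explorer.exe,1200,winlogon.exe,CreateFile,C:\Users\alice\Desktop\readme.txt,Disposition: Open
"""

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Registry locations commonly written for persistence (matched case-insensitively).
PERSISTENCE_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce",
                    r"\CurrentControlSet\Services")
RANSOM_NOTE_NAMES = {"readme.txt"}


def parse_events(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def detect(events, rename_threshold=3, note_threshold=2):
    """Return (rule, process, evidence) triples for the indicators the article describes."""
    findings = []
    renames = defaultdict(Counter)   # process -> Counter of new file extensions
    note_dirs = defaultdict(set)     # process -> directories where a note was created
    for ev in events:
        proc, op, path, detail = ev["process"], ev["operation"], ev["path"], ev["detail"]
        # 1. An Office application spawning a child process.
        if op == "Process Create" and proc.upper() in OFFICE_APPS:
            findings.append(("office_child_process", proc, path))
        # 2. A write to a well-known persistence location in the registry.
        if op == "RegSetValue" and any(k.lower() in path.lower() for k in PERSISTENCE_KEYS):
            findings.append(("persistence_registry_write", proc, path))
        # 3. Renames that give many files the same new extension.
        if op == "SetRenameInformationFile" and detail.startswith("FileName: "):
            new_name = basename(detail[len("FileName: "):])
            if "." in new_name:
                renames[proc][new_name.rsplit(".", 1)[-1]] += 1
        # 4. A ransom-note file name created (not merely opened) in several directories.
        if (op == "CreateFile" and "Disposition: Create" in detail
                and basename(path).lower() in RANSOM_NOTE_NAMES):
            note_dirs[proc].add(dirname(path))
    for proc, exts in renames.items():
        for ext, n in exts.items():
            if n >= rename_threshold:
                findings.append(("mass_rename_to_extension", proc, f".{ext} x{n}"))
    for proc, dirs in note_dirs.items():
        if len(dirs) >= note_threshold:
            findings.append(("ransom_note_in_multiple_dirs", proc, f"{len(dirs)} directories"))
    return findings


if __name__ == "__main__":
    for rule, proc, evidence in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:30} {proc:14} {evidence}")
```

Run directly, it reports the four findings against inv.exe and its WINWORD.EXE parent, while explorer.exe renaming one file and opening an existing readme.txt stays below the thresholds. The rename and note rules count per process rather than matching a fixed extension, so they keep working when a family changes its extension, which the article notes different ransomware does.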
The readme.txt file is the ransom note: it notifies the victim of the attack and provides payment instructions. The days of flashy ransom notes that replaced the desktop background and opened web pages full of horrifying messages and bad GIFs are over. Here you can see a .onion address being used to contact the attacker, which requires Tor Browser, alongside an HTTPS alternative on the clear web.
The attackers also threaten to publish the stolen data if they are ignored, in the spirit of the double extortion method adopted by the majority of recent ransomware gangs.
Necessity is the mother of invention
At this point there are several ways to get your data back: pay the ransom and hope the decryption key works, restore from a clean backup if you have one, or find a time machine. Rather than funding criminals, staying shut down during recovery, or inventing time travel, there are viable ways to avoid becoming a victim in the first place.
No single approach solves every problem, so a multi-layered solution is the most effective way to keep your data safe from this type of attack.
Organizations have stepped up their phishing training in recent years, which is a great first step. Unfortunately, even the best-trained people can be fooled by a well-crafted attack, so it is essential to also deploy tools that prevent attacks. Let’s see what happens when protection is applied.
With ransomware protection in place, the attack began very much as it did on the unprotected system. Conti kept running, accessing the registry and starting to encrypt files. But then Conti suddenly closed and the Word document opened safely.
The difference this time is that file entropy is being monitored: after only eight files had been encrypted, the software stopped the process Conti had started. The ransomware protection software then automatically restored the encrypted files from the cached copies made when the encryption began, saving the hassle and downtime of restoring from backup.
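To make the entropy-monitoring idea concrete, here is an added Python example; it is not Acronis’s code and makes no claim about how their product is implemented. It models the behaviour described above: each file is cached before a watched process rewrites it, the Shannon entropy of the new content is compared with the old, and once eight low-entropy files have turned high-entropy the writer is blocked and every cached copy is rolled back. The encrypting process is a stand-in that overwrites files with random bytes of the same size; the EntropyGuard class, its 7.0 bits-per-byte threshold and the file names are assumptions of the example.

```python
import math
import os
import shutil
import tempfile
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class EntropyGuard:
    """Toy model of entropy-based ransomware protection (an assumption, not a real product).

    Before a file is rewritten, the original is copied to a cache. After the write, the
    new content's entropy is compared with the old: a jump from below the threshold to
    above it counts as a suspicious encryption. Once max_suspicious such writes are
    seen, the writer is flagged and every cached file is restored."""

    def __init__(self, threshold=7.0, max_suspicious=8):
        self.cache_dir = tempfile.mkdtemp(prefix="guard-cache-")
        self.threshold = threshold
        self.max_suspicious = max_suspicious
        self.cache = {}          # original path -> cached copy
        self.suspicious = 0
        self.blocked = False

    def before_write(self, path):
        """Snapshot the file on its first modification by the watched process."""
        if path not in self.cache and os.path.isfile(path):
            copy = os.path.join(self.cache_dir, str(len(self.cache)))
            shutil.copy2(path, copy)
            self.cache[path] = copy

    def after_write(self, path):
        """Score the write; returns True once the process has been blocked."""
        if self.blocked or path not in self.cache:
            return self.blocked
        with open(self.cache[path], "rb") as f:
            old = f.read()
        with open(path, "rb") as f:
            new = f.read()
        if shannon_entropy(old) < self.threshold <= shannon_entropy(new):
            self.suspicious += 1
            if self.suspicious >= self.max_suspicious:
                self.blocked = True
                self.restore()
        return self.blocked

    def restore(self):
        """Roll every modified file back to its cached copy."""
        for path, copy in self.cache.items():
            shutil.copy2(copy, path)

    def cleanup(self):
        shutil.rmtree(self.cache_dir, ignore_errors=True)


def simulate_encryptor(guard, files):
    """Stand-in for an encrypting process: overwrites each file with random bytes of the
    same size (high entropy, like ciphertext) until the guard blocks it. Returns the
    number of files it managed to rewrite."""
    rewritten = 0
    for path in files:
        guard.before_write(path)
        size = os.path.getsize(path)
        with open(path, "wb") as f:
            f.write(os.urandom(size))
        rewritten += 1
        if guard.after_write(path):
            break
    return rewritten


def run_demo(n_files=20):
    """Create n_files low-entropy text documents (constructed), run the simulated
    encryptor against them under the guard, and report what survived."""
    root = tempfile.mkdtemp(prefix="docs-")
    files = []
    for i in range(n_files):
        path = os.path.join(root, f"report{i}.txt")
        with open(path, "w") as f:
            f.write(f"Quarterly report {i}: revenue up, costs flat.\n" * 30)
        files.append(path)
    guard = EntropyGuard()
    rewritten = simulate_encryptor(guard, files)
    intact = 0
    for path in files:
        with open(path, "rb") as f:
            intact += f.read().startswith(b"Quarterly report")
    guard.cleanup()
    shutil.rmtree(root, ignore_errors=True)
    return {"rewritten": rewritten, "blocked": guard.blocked,
            "intact": intact, "total": n_files}


if __name__ == "__main__":
    print(run_demo())
```

Run directly, it prints a summary: eight files rewritten before the block, all twenty intact afterwards because the cached copies were rolled back. In a real deployment the threshold and counter have to be tuned against legitimately high-entropy writes (compressed archives, media files, already-encrypted containers), which is where false positives for this kind of monitoring come from.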
Of course, stopping the attack before the payload is installed is always the preferred option. Advanced email security solutions can keep the malicious email from ever reaching the end user, and proper URL filtering blocks access to the known malicious URLs from which the payload is downloaded.
However complex protecting your organization’s data has become, simulating an attack shows that not all hope is lost. Through education, planning, and diligence, you can repel these attacks by recognizing the signs of a potential attack and implementing multi-tiered solutions that automate detection and response.
Start building your own multi-tiered protection plan with Acronis Cyber Protect, which uniquely integrates backup, disaster recovery, cybersecurity, and endpoint management.
Topher Tebow is a senior cybersecurity researcher at Acronis, focusing on malware tracking and analysis. He spent nearly a decade fighting web-based malware before moving to endpoint protection, and creates technical content for a number of businesses, ranging from security trends and best practices to malware and vulnerability analysis.
Topher has been published in trade magazines such as Cyber Defense Magazine and Security Boulevard, and has contributed to articles in several major publications.