Ransomware attacks are perceived as complicated, confusing and dangerous. While all those things are true, there are also some basic truths about ransomware attacks that can be used to stop an attack quickly, minimizing or eliminating the damage they cause. Conti is a form of ransomware that has often targeted health care organizations and retailers, and perfectly demonstrates the basic behaviors exhibited by ransomware. Detonating Conti ransomware inside of a controlled environment tells us a lot about a modern ransomware attack, so that is exactly what I did.
The Ransomware Setup
For my test, I set up two virtual machines so I could see the difference between an unprotected attack and a protected attack. The first machine was a clean install of Windows with only a few files from an old film school project of mine to be ransomed. The second machine was set up as a clone of the first machine, but with anti-ransomware software installed and running.
I also decided to have a little more fun, and created a fake malicious email to use as the attack vector, which I based on a tax-related invoice I had in my email inbox. It was easy to turn it into an email that looked legitimate and even showed the company’s name as the sender. I used the official logos and colors, and only made a few adjustments to the email to ensure that someone who might be expecting such an email would interact with the one I crafted. This is similar to social engineering tactics an actual attacker would use.
The only real difference between my email and the original is that I removed the actual order details and replaced them with a link disguised as a button, which would download the “invoice” I had prepared from a trusted file sharing service. That invoice, of course, is the magic behind this type of attack. It is a Word document with an embedded Visual Basic script that downloads the ransomware payload and automatically runs it on the victim machine.
Because I only planned to ransom my own machine, I also changed Word's settings so it would run the embedded script automatically. Most users would have to enable active content for this to happen, so an actual attacker would have the script hide the document's content until the user enables active content.
The Big Bang
The attack is simple enough, but a lot happens behind the scenes. I used Process Monitor and Process Explorer from the Windows SysInternals Suite to keep an eye on what the ransomware was doing. Much of what these tools showed was normal process activity, but throughout the attack there were a number of changes to the registry and to running processes.
The attack begins as many do, with the email sent to the victim, who has just enough confidence in the legitimacy of the email to feel comfortable interacting with it. The link in the email downloads a document from a trusted file sharing service. The Visual Basic script in the document runs as soon as active content is enabled, pulling down the ransomware and running it automatically. After a few seconds, the ransomware file shows up in Process Explorer, as a subprocess of WINWORD.EXE, and we start to see it accessing and changing entries in the Windows Registry. The system begins to run slowly as the ransomware begins encrypting files. Left alone, the ransomware continues running, and will continue to encrypt new files added to the machine if the user does not notice that there is something wrong.
In addition to the slowdown caused by the ransomware, there are other signs that the system has been compromised. Encrypted files have their icons changed to that of a blank page, and their file extensions are changed. In this case, the file extensions were appended with ‘.ZSSCI,’ but this differs based on which piece of ransomware is used. For the Conti ransomware I used in this attack, a readme.txt file was also placed in any directory where files were encrypted. This file is the ransom note informing the victim what has taken place and how to contact the attacker to pay the ransom. (Sadly, the days of flashy ransom notes that replace the desktop background or open a ransom note with a lot of bad gif images in the browser are gone.)
Until someone invents time travel, there are limited options for restoring access to your files at this point in the attack. A victim can obtain the decryption key or restore files from a backup after the system has been cleaned. Of course, a better solution is to be prepared for the inevitable ransomware attack before it happens. There are multiple ways to avoid becoming a victim, and multiple solutions should be implemented. Training people to identify and avoid the lure in malicious emails is essential, but even the most observant individuals can be distracted or fooled by an especially well-crafted attack. For this reason, it is imperative to have tools in place to prevent the attack.
I reran the attack scenario with protection in place and saw similar results until the point where the Conti file suddenly closed and the Word document opened safely. The file entropy was being monitored, and the anti-ransomware software stopped the processes the ransomware had started with only eight files encrypted. These files were automatically restored from cached copies that were generated when the encryption began.
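To show what "monitoring file entropy" and "restoring from cached copies" mean in practice, here is an added example that is not the vendor's code or part of the original post. It computes Shannon entropy per byte, caches a file's content before each write, and rolls the write back when the new content looks like ciphertext. The 7.5 bits-per-byte threshold, the guarded-writer design and the sample screenplay text are assumptions; the "ciphertext" is a SHA-256 chain standing in for encrypted output, not real encryption.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, not a vendor value


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes used here to stand in for encrypted output (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


class GuardedWriter:
    """Caches the current content before each write and rolls back writes that look encrypted."""

    def __init__(self, threshold: float = ENTROPY_THRESHOLD):
        self.threshold = threshold
        self.cache = {}
        self.restored = []

    def write(self, path: str, data: bytes) -> bool:
        """Write data to path; return False and restore the cached copy if the write looks like encryption."""
        if os.path.exists(path):
            with open(path, "rb") as fh:
                self.cache[path] = fh.read()
        with open(path, "wb") as fh:
            fh.write(data)
        if shannon_entropy(data) >= self.threshold and path in self.cache:
            with open(path, "wb") as fh:
                fh.write(self.cache[path])
            self.restored.append(path)
            return False
        return True


def demo():
    """Apply a benign edit, then an encryption-like overwrite; report whether the edit survived."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scene1.txt")
        original = b"INT. KITCHEN - DAY\nA kettle whistles on the stove.\n" * 40  # constructed text
        with open(path, "wb") as fh:
            fh.write(original)
        edited = original + b"JANE enters and turns off the burner.\n"
        writer = GuardedWriter()
        edit_ok = writer.write(path, edited)
        enc_ok = writer.write(path, pseudo_ciphertext(b"constructed-seed", 4096))
        with open(path, "rb") as fh:
            final = fh.read()
        return edit_ok, enc_ok, final == edited, len(writer.restored)


if __name__ == "__main__":
    edit_ok, enc_ok, intact, restored = demo()
    print(f"benign edit accepted: {edit_ok}, encrypted write accepted: {enc_ok}")
    print(f"file still holds the edited screenplay: {intact}, files restored: {restored}")
```

Real products hook the file system (a minifilter on Windows) rather than wrapping writes in Python, and they also count how many high-entropy writes one process makes before killing it, which is why the post saw eight files touched before the process was stopped; the entropy check itself is the same calculation. Already-compressed formats such as video or archives are naturally high-entropy, so a production rule combines entropy with the rename and ransom-note indicators rather than relying on it alone.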
Having a solution with automatic restoration included not only keeps your data intact, it can save you from the downtime caused by an extensive restoration process. Effective URL filtering that prevents access to known malicious URLs can also prevent the attack from getting past the initial lure in the first place. Add an advanced email security solution and you significantly decrease the chances of the attack even starting.
Simulating an attack shows that no matter how complicated, confusing or dangerous an attack may seem, hope is not lost. Through diligence and planning, we can fight off these attacks by educating ourselves and putting multi-layered solutions in place to automate the detection and response to attacks.