Conti Ransomware Information

Available Solution for Conti Ransomware

- 更新於:
- 22 May 2021
- 產品/版本:
- 作業系統:

Conti Ransomware has been described as the successor to the popular Ryuk ransomware family. Increasingly, threat actors are now distributing the malware via the same method used to distribute Ryuk in the past.

Capabilities

Initial Access
This ransomware may arrive in the system as a result of an infection of BazarLoader which is a result of a phishing email containing a link to Google Drive that downloads the malware.

Lateral Movement and Defense Evasion
Attackers also used batch files to disable security tools. It is executed through a scheduled task. After gaining the credentials of the domain administrator, the attackers are now free to move laterally on the network.

Credential Access
After gaining information on the domain accounts, attackers then dump the domain controller credentials using ntdsutil.

Exfiltration
An attacker uses a tool named RClone tool to perform data exfiltration. This tool is an open-source tool use to sync files to specified cloud storage. In this case, Mega Cloud storage.

Impact
After exfiltration and distribution of the ransomware to the targetted endpoints, files are not encrypted. It also inhibits system recovery by deleting shadow copies using WMI.

Infection Routine

File Reputation

DETECTION/POLICY/RULES	PATTERN BRANCH/VERSION	RELEASE DATE
Backdoor.Win32.COBEACON.OSLJAE	16.311.00	2020-10-27
Backdoor.Win64.C0BALT.AG	16.533.00	2021-02-12
Backdoor.Win64.C0BALT.AH	16.561.00	2021-02-26
Backdoor.Win64.C0BEACON.SMA	16.263.00	2020-10-03
Backdoor.Win64.COBALT.YABBL	16.617.00	2021-03-26
Backdoor.Win64.COBALT.YABBS	16.617.00	2021-03-26
Ransom.Win32.CONTI.E	16.109.00	2020-07-18
Ransom.Win32.CONTI.l	16.275.00	2020-10-09
Ransom.Win32.CONTI.YAAI-A	16.241.00	2020-09-22
Ransom.Win32.CONTI.YABAZ	16.617.00	2021-03-26
Ransom.Win32.CONTI.YXAGQ	16.617.00	2021-03-26
Ransom.Win32.CONTl.D	16.103.00	2020-07-15
Ransom.Win32.CONTlJ	16.333.00	2020-11-06
Ransom.Win64.CONTI.A	16.537.00	2021-02-14
Trojan. PSI.BAZALOADER.YXAK-A	16.323.00	2020-11-02
Trojan.BAT.COBALSTART.A	16.561.00	2021-02-26
Trojan.BAT.COBALSTART.YABBM	16.617.00	2021-03-26
Trojan.BAT.COBALSTART.YABBS	16.617.00	2021-03-26
Trojan.BAT.COBEACON.YABBL	16.617.00	2021-03-26
Trojan.BAT.CONTlSTART.YABBM	16.617.00	2021-03-26
Trojan.BAT.KILLAV.WLDS	16.653.00	2021-04-13
Trojan.BAT.KlLLAV.YABBS	16.617.00	2021-03-26
Trojan.BATCONTlSTART.YABBM	16.617.00	2021-03-26
Trojan.PS1.COBALT.YABBS	16.617.00	2021-03-26
Trojan.Win32.BAZALOADER.YXAK-A	16.323.00	2020-11-02
Trojan.Win64.BAZARLOADER.YABBM	16.617.00	2021-03-26
Trojan.XML.KlLLAV.YABBS	16.617.00	2021-03-26
Trojan.XMLKILLAV.AA	16.549.00	2021-02-20
Worm.BAT.COBALT.YABBS	16.617.00	2021-03-26
Worm.BAT.KlLLAV.YABBS	16.617.00	2021-03-26

Predictive Machine Learning

DETECTION	PATTERN BRANCH/VERSION
TROJ.Win32.TRX.XXPE50FFF042	In-the-Cloud
TROJ.Win32.TRX.XXPE50FFF041	In-the-Cloud

Behavior Monitoring

PATTERN BRANCH/VERSION	RELEASE DATE
FLS.IBT.4851T	Behavior Monitoring OPR 2.187
RAN4056T	Behavior Monitoring OPR 1.907

Web Reputation

URL	CATEGORY	BLOCKING DATE
URL Protection	Malware Accomplice, Disease Vector, Ransomware	In-the-Cloud

PATTERN VERSION	RELEASE DATE
Email Protection	Anti-Spam Pattern 6040

Solution Map - What should customers do?

To update Trend Micro products, refer to the corresponding Online Help Center guides.

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Nefilim ransomware.

Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Threat Report

Blogs

Trend Micro Vision One: Tracking Conti Ransomware

需要協助?