The Conti ransomware empire is built on surprisingly low-tech attack methods.
Security researchers with Akamai Technologies took a deep dive into the recently leaked manuals and training materials from the notorious ransomware group and found that, by and large, Conti hackers don't need to make use of cutting-edge exploits and hacking techniques.
Rather, the researchers found, the hackers who contract with the Conti group are using tried-and-true hacking techniques, seeking to take over a single user account within their intended target's network and then using those stolen credentials to move laterally.
"Conti's attack doctrine is not a novel one. The use of effective tools and persistence seems to do the trick," Akamai security researcher Stiv Kupchik explained in a blog post Tuesday.
"The process appears to be mostly 'hands on keyboard' -- while some functions can be scripted or automated, operators are generally expected to do the work of stealing credentials and making cognizant decisions on spreading in the network."
Akamai researchers found that the Conti network runs more on the hard work of its hacker affiliates than any sort of technical wizardry. The group seems to rely almost exclusively on aftermarket penetration testing tools, such as Cobalt Strike, Mimikatz and PsExec, with very little of its arsenal being created in house.
"To achieve their network infiltration and propagation goals, Conti employs various tools, most of them not of Conti's own making," Kupchik explained. "In fact, only the crypter, the trojan, and the injector seem to be proprietary, but for lateral movement, propagation, and exfiltration Conti seems to use a plethora of tools that should be familiar to anyone on both red and blue teams."
While the group might not have the most exclusive tools or techniques, the Conti operation has nonetheless proven itself extremely lucrative for both its operators and the contracted hackers who do the groundwork of infecting machines and exfiltrating data to be used for Conti's extortion demands.
One of the reasons the group is so effective is its commitment to getting hackers deep inside the targeted networks before making their presence known. The Conti hackers, Akamai said, tend to get themselves embedded within a network through lateral movement, using a single compromised account to access credentials for other accounts and taking over multiple systems.
The ultimate goal in this strategy is to get access to the target's domain controller (DC) and obtain an administrator account that allows for mastery over the entire network domain. Once that has been accomplished, only then will the attackers take the step of encrypting data and announcing the takeover to the target company.
"Operators are instructed to work their way to the DC via the aforementioned process of stealing credentials and expanding," Kupchik explained. "Since the process seems to be largely manual, this allows Conti operators a level of discretion in choosing targets."
This, unfortunately, is bad news for network defenders. With no specific exploit or unique method for breaking into networks, Conti hackers are not easy to defend against; Akamai said that protecting against an intrusion requires a multifaceted effort.
"There is no one solution that can keep you immediately safe and secure," Kupchik said. "As we can see in the attack methodology, there is a sophisticated process before the first ransomware instance is deployed, which gives us plenty of opportunity to detect and respond to the attack."
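The detection opportunity Kupchik describes lies in the lateral-movement phase, where one stolen account is reused against many hosts before any ransomware runs. The following is an added example, not code from the article or from Akamai: a small fan-out detector over constructed network-logon records (the field names are a simplified schema of our own, not Windows' native event fields) that flags an account authenticating to more than a threshold of distinct hosts within a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _logon(ts, user, dst, logon_type=3):
    """Constructed logon record; type 3 is a network logon, type 2 interactive."""
    return {"ts": ts, "user": user, "dst": dst, "type": logon_type}


# Constructed sample data, not real telemetry.
SAMPLE_LOGONS = (
    # Ordinary user reaching two shares in the morning: benign.
    [_logon("2022-03-01T09:00:00", "jdoe", "FS01"),
     _logon("2022-03-01T09:04:00", "jdoe", "PRINT01")]
    # Admin maintenance: six servers, but spread over five hours.
    + [_logon(f"2022-03-01T{10 + i}:00:00", "admin", f"SRV0{i}") for i in range(6)]
    # Stolen service credential reused to spread: seven workstations in 12 minutes.
    + [_logon(f"2022-03-01T14:{i:02d}:00", "svc_backup", f"WS-{i:02d}")
       for i in range(0, 14, 2)]
    # An interactive logon by the same account is ignored by the detector.
    + [_logon("2022-03-01T14:01:00", "svc_backup", "WS-99", logon_type=2)]
)


def fan_out(events, window_minutes=10, max_hosts=5, logon_type=3):
    """Return {user: sorted distinct hosts} for every account that reached more
    than max_hosts distinct destinations within any window of window_minutes."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] != logon_type:
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()  # chronological; (timestamp, host) tuples sort by time first
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_minutes.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break  # one alert per account is enough
    return flagged


if __name__ == "__main__":
    for user, hosts in fan_out(SAMPLE_LOGONS).items():
        print(f"ALERT {user}: {len(hosts)} hosts in 10 min -> {hosts}")
```

Tuning the window and host threshold to a given environment is the real work; the admin account in the sample shows why a window matters, since the same six hosts over five hours should not alert.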