The Scottish Environment Protection Agency (SEPA) confirmed that it was hit by a ransomware attack on Christmas Eve, 2020. The environmental regulator and national flood risk management authority stated that some of its internal systems, its contact centre and other internal communications were affected by the attack.
SEPA began recovery by isolating the affected systems and is working closely with Police Scotland and Scottish Government agencies on the investigation. SEPA's initial statements neither confirmed a data leak nor attributed the attack to a specific ransomware family. The Conti ransomware group, however, has claimed the attack and has already published roughly 7% of the stolen data on its leak site.
According to SEPA, roughly 1.2 GB of data was exfiltrated with evidence supporting access to at least 4,000 files. As stated by SEPA, the information stolen by the Conti Ransomware during the attack includes:
- Business information: Information such as publicly available regulated site permits, authorizations, and enforcement notices. This also includes information related to SEPA corporate plans, priorities, and change programs.
- Procurement information: Information such as publicly available procurement awards.
- Project information: Information related to commercial work with international partners.
- Staff information: Personal information relating to SEPA staff.
The investigation is ongoing, with cyber security specialists working alongside SEPA, the Scottish Government, Police Scotland and the National Cyber Security Centre.
Overview of the Conti Ransomware
Conti operators have collaborated with the TrickBot group. Conti is offered as Ransomware-as-a-Service on dark web forums and is deployed by affiliates such as the TrickBot operators, who use the Bazar backdoor to drop Conti on victim systems. The infection begins with a phishing email containing a Google Drive link that hosts the Bazar backdoor payload. The infection cycle can be seen in the image below:
Conti attack cycle using the Bazar backdoor
Conti is an advanced ransomware with new-generation infection techniques, including a string encoding routine that uses 277 different algorithms, one per string. The ransomware uses this encoding to hide the Windows API calls it makes. Conti also runs 32 simultaneous encryption threads to encrypt data files and uses SMB to move laterally inside the internal network and encrypt files on remote hosts. Conti is believed to be a successor to Ryuk, with which it shares code. It was first detected in December 2019 and resurfaced in December 2020, targeting government organisations and large corporate networks and demanding large ransoms.
Section information of the Conti sample:
The sample we analyzed is a Visual C++ compiled executable carrying custom-encrypted data, likely used for dynamic resolution of Win32 APIs and for its worker threads. The ransomware imports three DLLs, which we examined for suspicious function calls:
The sample uses anti-debugging checks, calling IsDebuggerPresent to determine whether it is running under a debugger.
Conti is human-operated, controlled directly by the attackers, and has capabilities such as:
- Advanced encryption techniques, including 32 simultaneous encryption threads for faster encryption than other ransomware families.
- Anti-analysis techniques, using an encoding routine that hides the Windows API calls the ransomware makes.
- The ability to encrypt files on other hosts over Server Message Block (SMB).
The Conti sample we analyzed has evolved from the versions seen in July 2020. Some of the latest changes are summarised in the table below:
| Attribute | Value |
|---|---|
| Creation time (per VirusTotal) | 2020-10-09 |
| Ransom note file name | R3adm3.txt (in our sample) |
| Extension | Changes per sample |
| Embedded emails / URLs | hxxp://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid[.]onion, hxxps://contirecovery[.]info |
| Form | An independent executable loader + DLL |
| Spreading via SMB | Spreads via SMB even without command-line arguments |
After encrypting the victim's system, the ransomware leaves a ransom note in each encrypted folder. One such ransom note can be seen in the image below:
Conti encrypts file contents with AES-256 and protects the file key with a hard-coded RSA public key, so files cannot be recovered without the attackers' private key. What sets it apart is the use of multiple threads for the encryption process, which makes encryption faster than in other ransomware families. The ransomware calls CreateIoCompletionPort() and creates 32 worker threads that encrypt files in parallel. After encryption, it appends an extension to every encrypted file; the extension changes per sample, and the sample we analyzed appended '.UWTJF'. It can be seen in the image below:
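The three artifacts described above (a ransom note in every encrypted folder, a random five-letter extension, and file contents that look like ciphertext) are what a responder hunts for on a file share. The script below is an added example, not Cyble's code, that walks a directory tree and flags them; the five-uppercase-letter extension pattern, the entropy threshold and the constructed sample files are assumptions for the example, not values taken from the post.

```python
"""Hunt for Conti-style encryption artifacts on a file share or endpoint.

Added example (not Cyble's code). It looks for the ransom note the analyzed
sample drops (R3adm3.txt), files carrying a five-uppercase-letter extension
(.UWTJF in the sample; the letters change per sample, so only the shape is
matched), and confirms the hit by checking that the file body has the
near-maximal Shannon entropy of ciphertext. The extension regex, the entropy
threshold and the sample tree are assumptions made for this example.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAMES = {"r3adm3.txt"}
# Assumption: the appended extension is five uppercase ASCII letters.
RANDOM_EXT = re.compile(r"\.[A-Z]{5}$")
# Assumption: bits per byte above which a file is treated as ciphertext.
# Plain text sits around 4-5, compressed or encrypted data near 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # only the first chunk of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hunt(root):
    """Return ransom notes, encrypted-looking files and the folders that contain either."""
    findings = {"ransom_notes": [], "suspicious_files": [], "folders_hit": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(str(path))
                findings["folders_hit"].add(dirpath)
                continue
            if not RANDOM_EXT.search(name):
                continue
            try:
                with open(path, "rb") as fh:
                    ent = shannon_entropy(fh.read(SAMPLE_BYTES))
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            # A five-letter extension alone is not enough (e.g. memo.DRAFT);
            # require ciphertext-like entropy before flagging.
            if ent >= ENTROPY_THRESHOLD:
                findings["suspicious_files"].append((str(path), round(ent, 2)))
                findings["folders_hit"].add(dirpath)
    findings["folders_hit"] = sorted(findings["folders_hit"])
    return findings


def build_demo_tree():
    """Constructed sample tree: an encrypted-looking file, its ransom note,
    a benign document, and a low-entropy file whose extension merely looks random."""
    root = tempfile.mkdtemp(prefix="conti_hunt_")
    victim = Path(root) / "Finance"
    victim.mkdir()
    (victim / "budget.xlsx.UWTJF").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (victim / "R3adm3.txt").write_text("Your files are encrypted.\n")
    (victim / "memo.DRAFT").write_text("low entropy text\n" * 40)  # false-positive check
    (Path(root) / "notes.txt").write_text("quarterly flood risk review\n" * 50)
    return root


if __name__ == "__main__":
    for key, value in hunt(build_demo_tree()).items():
        print(key, value)
```

On a real share, run the sweep from a read-only mount and feed the `folders_hit` list into containment (isolate the hosts that write to those folders), since every folder holding the note was reachable by the encrypting process.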
Recommendations
- Ensure anti-virus software and its signature files are up to date.
- Search your environment for existing signs of the indicated IOCs.
- Consider blocking, or setting up detection for, all URL- and IP-based IOCs.
- Keep applications and operating systems at the current released patch level to mitigate known vulnerabilities.
- Exercise caution when opening attachments and links in emails.
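The two network indicators listed in the sample table are defanged (hxxp, [.]) so they cannot be clicked by accident; to hunt for them they must be refanged and matched against proxy and DNS logs. The script below is an added example, not Cyble's code: the indicators are the ones from the table above, while the log lines and their format are constructed for the example.

```python
"""Turn the post's defanged network IOCs into a proxy/DNS log hunt.

Added example (not Cyble's code). The two indicators are the embedded URLs
from the sample table; the proxy log (Squid-style) and resolver log lines
are constructed for this example and their format is an assumption.
"""
import re

DEFANGED_IOCS = [
    "hxxp://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid[.]onion",
    "hxxps://contirecovery[.]info",
]


def refang(ioc: str) -> str:
    """Undo common defanging conventions (hxxp, [.], [:]) so the value can be matched."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def host_of(url: str) -> str:
    """Hostname only, lower-cased: scheme, port and path are stripped."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return no_scheme.split("/")[0].split(":")[0].lower()


IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}


def matches_ioc(host: str) -> bool:
    """True if host equals an IOC host or is a subdomain of one (never a mere suffix)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


# Anything that looks like a hostname with an alphabetic TLD; IPv4 addresses
# and timestamps do not match because their last label is numeric.
HOST_FIELD = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan_logs(lines):
    """Return (line_number, host) for every line that touches an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in {m.group(1) for m in HOST_FIELD.finditer(line)}:
            if matches_ioc(host):
                hits.append((n, host))
                break
    return hits


# Constructed sample: line 1 is a TLS CONNECT to the recovery site, line 3 is
# an internal resolver seeing a query for the .onion name (a Tor name leaking
# to corporate DNS is itself worth an alert); lines 2 and 4 are benign.
SAMPLE_LOG = [
    "1610000001.123 345 10.1.2.3 TCP_TUNNEL/200 512 CONNECT contirecovery.info:443 - HIER_DIRECT/203.0.113.10 -",
    "1610000002.456 120 10.1.2.3 TCP_MISS/200 2048 GET http://www.sepa.org.uk/flooding - HIER_DIRECT/203.0.113.20 text/html",
    "2021-01-14T10:00:00Z client 10.1.2.3#5353: query: m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion IN A",
    "2021-01-14T10:00:01Z client 10.1.2.4#5353: query: www.example.com IN A",
]

if __name__ == "__main__":
    for line_no, host in scan_logs(SAMPLE_LOG):
        print(f"line {line_no}: contact with IOC host {host}")
```

The subdomain check matters in both directions: `cdn.contirecovery.info` should hit, but `notcontirecovery.info` must not, which is why the match requires either equality or a leading dot rather than a plain suffix test.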
Overall, Conti is a modern ransomware that uses several infection techniques not seen in older ransomware families. Multi-threaded encryption ensures files are encrypted quickly, and the ability to target network shares from the command line lets a single infection impact multiple systems and move laterally through the network.
The research team at Cyble is continuously monitoring to harvest the threat indicators/TTPs of emerging APTs in the wild to ensure that targeted organizations are well informed and proactively protected.
Indicators of Compromise (IOCs)
MITRE ATT&CK Framework:
| Technique ID | Technique | Use |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | Spear-phishing emails carry malicious links that deliver maliciously crafted PDF files. |
| T1210 | Exploitation of Remote Services | Uses SMB to move laterally and encrypt files on remote hosts. |
| T1204.001 | User Execution: Malicious Link | Prompts users to click malicious links that lead to exploitation and redirect to payload delivery. |
| T1486 | Data Encrypted for Impact | Encrypts user data files to extort a ransom. |
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.