Conti FtpServer: Complete Overview and Threat Analysis

Conti FtpServer Case Study: Attack Timeline and Lessons Learned

Executive summary

Conti operators used an exposed or compromised FTP server (referred to here as “Conti FtpServer”) as an initial foothold and/or as a staging point for data exfiltration. The attack combined common Conti TTPs: initial access (RDP, exploits, phishing), credential harvesting, lateral movement with Cobalt Strike, in-memory payloads, RClone/MEGA exfiltration, and double-extortion encryption, resulting in large-scale data theft and ransomware deployment. Below are a condensed timeline, forensic indicators, and concrete lessons.

Attack timeline (representative, condensed)

  1. Initial reconnaissance and access (day 0–2)
    • Public-facing FTP or other exposed service scanned and identified.
    • Initial access gained via a vulnerable appliance, exposed RDP, or credential reuse; the attacker drops a lightweight FTP client or script to interact with the FTP server.
  2. Establish persistence and reconnaissance (day 2–5)
    • Deploy Cobalt Strike beacon(s) and create backdoor user accounts or scheduled tasks.
    • Enumerate domain resources, identify domain controllers, backup servers, and SMB shares.
  3. Credential harvesting and privilege escalation (day 4–8)
    • Tools used: Mimikatz and LSASS minidumps, Rubeus, Kerberoasting, brute-force scripts.
    • Credentials used to pivot; domain admin credentials located.
  4. Lateral movement and staging (day 7–12)
    • Lateral spread via PsExec, WMI, and SMB; administrative and remote-access tools such as AnyDesk installed.
    • Attackers stage exfiltration scripts that push archives to the FTP server or pull from internal hosts.
  5. Data exfiltration (day 10–14)
    • Large bulk transfers to FTP and/or cloud storage (MEGA) using RClone or custom scripts; FTP used for initial staging or temporary holding.
  6. Final impact (day 14–16)
    • In-memory reflective DLL injection to deploy Conti payload; encryption across network shares and servers.
    • Ransom note and data-leak site publication (double extortion).

Indicators of compromise (IOCs) and forensic artefacts

  • Network/host:
    • Unusual FTP authentication from non-business IPs or at odd hours.
    • Large or repetitive file upload/download activity to the FTP server.
    • Cobalt Strike beacons (sustained SSL/HTTP sessions, distinctive user-agent patterns).
    • Outbound connections to known Conti-related IPs/domains or MEGA endpoints.
    • Use of RClone, AnyDesk, or suspicious scheduled tasks/services.
  • Host artefacts:
    • Minidumps of LSASS, Mimikatz binaries, credential-dumping scripts.
    • Unusual registry Run keys; scheduled tasks with names such as “Adobe Update” or “WindowsDefender”.
    • Reflective DLL injection patterns (process-memory artefacts; no ransomware binary dropped to disk).
    • Newly created privileged accounts or lateral-movement artefacts (PsExec logs, WMI event subscriptions).
  • FTP-specific:
    • Modified FTP server logs showing uploads of large .zip/.7z/.rar files or many small encrypted archives.
    • Unexpected anonymous or third-party accounts, changed permissions, or new home directories.
    • Temporary staging directories with filenames matching internal share structure.

Root causes observed

  • Exposed/unpatched internet-facing services (FTP, VPN, firewall/Exchange).
  • Weak or reused credentials and lack of MFA for administrative access.
  • Insufficient network segmentation and lateral-movement controls.
  • Backups reachable from the domain, or not isolated/offline.
  • Inadequate logging/alerting for abnormal FTP transfers and remote admin tools.

Containment and remediation checklist (prioritized)

  1. Isolate affected hosts and the FTP server (network-level quarantine).
  2. Block malicious C2 addresses and domains; disable compromised accounts.
  3. Collect volatile memory and full-disk images from key hosts (including LSASS and other process memory).
  4. Rotate credentials, enforce MFA for all administrative users, and revoke exposed service credentials.
  5. Remove persistence (scheduled tasks, services, backdoor users) and rebuild critical systems from known-good images.
  6. Identify and secure all external-facing services; patch appliances and servers (including FTP software).
  7. Restore from offline/isolated backups; verify integrity before reconnecting.
  8. Report breach to appropriate legal/regulatory bodies and consider forensic/IR engagement.

Detection and prevention controls

  • Preventive
    • Disable or remove unnecessary public FTP services; replace them with SFTP/FTPS, exposed only behind MFA and restricted IP allowlists.
    • Enforce MFA for all remote/admin access, along with strong password policies and credential hygiene.
    • Network segmentation (separate FTP, backups, DCs, and production VLANs).
    • Harden and patch perimeter appliances (firewalls, VPN, Exchange).
  • Detective
    • Monitor FTP logs for anomalous transfers, newly created accounts, and unexpected client user agents.
    • EDR with memory-scanning capability to detect in-memory loading and reflective injection.
    • Network detection for unusual SSL/HTTP beacons, sustained connections, and high-volume outbound transfers.
    • SIEM alerts for mass file access, backup modification, and lateral-movement patterns.
  • Response
    • Predefined IR playbook for ransomware and data-exfiltration incidents; tabletop exercises that include FTP compromise scenarios.
    • Threat intelligence ingestion of Conti IOCs and behavioral signatures.
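As an added example, not part of the original write-up, the following Python script applies the FTP-specific indicators listed above (logins from non-business IPs or at odd hours, unexpected accounts, large or repetitive archive uploads) to a handful of constructed, vsftpd-style log lines, the kind of check the "monitor FTP logs" control asks for. The business IP ranges, known account list, business hours, and size thresholds are assumptions a defender would replace with their own; the log lines are constructed and do not come from any real incident.

```python
"""Flag the FTP-specific indicators from the case study in vsftpd-style logs."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in vsftpd's default log format (NOT from a real incident).
SAMPLE_LOG = """\
Tue Mar  5 09:12:03 2024 [pid 4101] [webdeploy] OK LOGIN: Client "10.20.1.15"
Tue Mar  5 09:12:40 2024 [pid 4103] [webdeploy] OK UPLOAD: Client "10.20.1.15", "/srv/ftp/www/release.tar.gz", 2097152 bytes, 512.00Kbyte/sec
Tue Mar  5 02:14:07 2024 [pid 4210] [backup] OK LOGIN: Client "203.0.113.45"
Tue Mar  5 02:15:30 2024 [pid 4212] [backup] OK UPLOAD: Client "203.0.113.45", "/srv/ftp/staging/finance.7z", 734003200 bytes, 1250.33Kbyte/sec
Tue Mar  5 02:16:02 2024 [pid 4212] [backup] OK UPLOAD: Client "203.0.113.45", "/srv/ftp/staging/hr.7z", 52428800 bytes, 980.10Kbyte/sec
Tue Mar  5 02:16:45 2024 [pid 4212] [backup] OK UPLOAD: Client "203.0.113.45", "/srv/ftp/staging/legal.7z", 41943040 bytes, 1010.00Kbyte/sec
Tue Mar  5 03:40:11 2024 [pid 4301] [svc_sync] OK LOGIN: Client "198.51.100.9"
"""

# Detection policy: assumed values, to be replaced with the organisation's own.
BUSINESS_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
KNOWN_ACCOUNTS = {"webdeploy", "backup"}
BUSINESS_HOURS = range(7, 19)              # 07:00-18:59 server local time
LARGE_UPLOAD_BYTES = 100 * 1024 * 1024     # a single upload of >= 100 MiB
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar.gz")
ARCHIVE_BURST = 3                          # archive uploads per user per day

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|UPLOAD|DOWNLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?'
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    ev["size"] = int(ev["size"]) if ev["size"] else 0
    return ev


def detect(log_text):
    """Return (kind, user, detail) alerts for the indicators in the case study."""
    alerts = []
    archives_per_day = defaultdict(int)    # (user, date) -> archive uploads so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["action"] == "LOGIN":
            # Authentication from outside business ranges, at odd hours, or by an unknown account
            if not any(ip in net for net in BUSINESS_NETS):
                alerts.append(("login_external_ip", user, str(ip)))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("login_off_hours", user, ts.strftime("%H:%M")))
            if user not in KNOWN_ACCOUNTS:
                alerts.append(("login_unknown_account", user, str(ip)))
        elif ev["action"] == "UPLOAD":
            # Large or repetitive archive uploads: the staging pattern from the timeline
            if ev["size"] >= LARGE_UPLOAD_BYTES:
                alerts.append(("large_upload", user, ev["path"]))
            if ev["path"].lower().endswith(ARCHIVE_EXT):
                key = (user, ts.date())
                archives_per_day[key] += 1
                if archives_per_day[key] == ARCHIVE_BURST:
                    alerts.append(("archive_burst", user, f"{ARCHIVE_BURST} archives on {ts.date()}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"{kind:22} user={user:10} {detail}")
```

Run against the sample, the routine deployment by `webdeploy` produces nothing, while the off-hours `backup` session from an external address and its run of .7z uploads, plus the unknown `svc_sync` account, each raise alerts. The per-day archive counter deliberately fires once, when the threshold is reached, so a SIEM rule built on it does not page on every subsequent file.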

Lessons learned (actionable)

  • Never expose legacy FTP services directly to the internet; if required, enforce strict allowlists, logging, and MFA.
  • Assume adversaries will use legitimate admin tooling—detect behavior, not just signatures.
  • Prioritize segmentation so compromise of one service (FTP) cannot reach domain controllers or backups.
  • Maintain immutable/offline backups and test restores regularly.
  • Rapid detection of abnormal outbound transfers dramatically reduces the window for exfiltration—instrument egress monitoring.
  • Memory-first detection (EDR) is critical because modern ransomware often executes without dropping files to disk.

Quick checklist to reduce FTP-specific risk (immediate)

  • Disable anonymous access and unused accounts; require strong auth (keys, MFA).
  • Restrict FTP access to specific source IP ranges and VPN-only access.
  • Enable detailed logging and forward logs to an external SIEM.
  • Limit user permissions and home-directory access to least privilege.
  • Scan and patch FTP server software; consider migration to secure transfer solutions.
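The following Python audit is an added example, not part of the original checklist or of vsftpd, showing what the checklist items (and the preventive control of replacing plain FTP with FTPS) look like as concrete vsftpd settings. It parses a vsftpd.conf, compares each relevant directive with the expected value (falling back to vsftpd's compiled-in default when a directive is absent), and is run against a constructed legacy configuration and a constructed hardened one. The directive names are real vsftpd options; the certificate and user-list paths are placeholders. MFA and source-IP allowlisting at the network edge cannot be expressed in vsftpd.conf, so those items still rely on the VPN/firewall controls described above.

```python
"""Audit a vsftpd.conf for the weak settings named in the FTP hardening checklist."""

# directive -> (expected value, vsftpd compiled-in default when absent, checklist item)
CHECKS = {
    "anonymous_enable":  ("NO",  "YES", "disable anonymous access"),
    "userlist_enable":   ("YES", "NO",  "restrict logins to an explicit account list"),
    "userlist_deny":     ("NO",  "YES", "treat the user list as an allowlist, not a denylist"),
    "ssl_enable":        ("YES", "NO",  "require FTPS; credentials travel in cleartext otherwise"),
    "tcp_wrappers":      ("YES", "NO",  "restrict source addresses via hosts.allow/hosts.deny"),
    "chroot_local_user": ("YES", "NO",  "confine each user to its home directory (least privilege)"),
    "xferlog_enable":    ("YES", "NO",  "log every transfer"),
    "log_ftp_protocol":  ("YES", "NO",  "log FTP commands and replies for forensics"),
    "syslog_enable":     ("YES", "NO",  "send logs to syslog so they can be forwarded to a SIEM"),
}

# Constructed "legacy" configuration of the kind the root-cause list describes.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=NO
"""

# Constructed hardened configuration; certificate and user-list paths are placeholders.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/ftp-placeholder.pem
rsa_private_key_file=/etc/ssl/private/ftp-placeholder.key
tcp_wrappers=YES
xferlog_enable=YES
log_ftp_protocol=YES
syslog_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return {directive: VALUE} from key=value lines, ignoring blanks and # comments.

    vsftpd itself rejects whitespace around '='; the parser tolerates it so that
    a sloppily edited file can still be audited.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit(text):
    """Return (directive, actual, expected, reason) for every check that fails."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for directive, (expected, default, reason) in CHECKS.items():
        actual = settings.get(directive, default)
        if actual != expected:
            findings.append((directive, actual, expected, reason))
    return findings


if __name__ == "__main__":
    for label, conf in (("legacy", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for directive, actual, expected, reason in findings:
            print(f"  {directive}={actual} (want {expected}): {reason}")
```

Treating an absent directive as vsftpd's default is the part that catches real-world drift: the legacy file above never mentions `ssl_enable` or `chroot_local_user`, yet both are effectively off. Note that with `chroot_local_user=YES` vsftpd refuses a session whose chroot root is writable by the user, so the hardened configuration assumes uploads land in a writable subdirectory rather than the home directory itself.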
