Conti is a human-operated ransomware and was first detected in December 2019, in unrelated attacks. Researchers consider Conti to be a replacement for Ryuk crypto-malware. The new malicious software is notable for its advanced capabilities such as fast encryption, anti-analysis, and direct execution.
Similar to other strains of ransomware, Conti has multithreading capabilities – 32 concurrent CPU threads for encryption – which makes it faster. This ransomware abuses Windows Restart Manager functionality by closing applications that lock certain files. Conti then disables Windows services responsible for security, backup, database, email solutions, which allows it to encrypt these files. Conti also allows executing command line arguments to directly encrypt local hard drives, data and network shares, and even specific IP addresses of the threat actors’ choice.
Once the ransomware takes over, it deletes Windows Shadow Volume copies to prevent recovery of the files on the local system. Conti appends ‘.CONTI’ extension to the encrypted files and leaves a ransom note in each folder. To encrypt the data, the ransomware uses AES-256 encryption key for each file, which is again encrypted with a bundled RSA-4096 public encryption key that is unique for each victim.
Conti ransomware has targeted the following industries:
- Financial & Educational Institutions
- Private Organizations
- Government Agencies
- Enterprise Businesses
- Small-Medium Businesses
Conti is even capable of accessing data from systems that are/ have been connected to the compromised machine. It can access remote devices and encrypt the files present on those devices as well.
MITRE ATT&CK Framework
T1204 – User Execution: Malicious Link
The adversary prompts users to click on a malicious link, which in turn leads to the exploitation of browser/ application vulnerabilities. Similarly, links that redirect to downloadable malicious files are also used to deploy Conti.
T1486 – Data Encrypted for Impact
The adversary could potentially interrupt accessibility to the victim’s system by encrypting their data. They can attempt to render stored data impenetrable by encrypting files or data on the local and remote drives, by withholding access to the decryption key.
Indicators of Compromise
Associated file names
Ransom note text
Associated email addresses
- 596f1fdb5a3de40cccfe1d8183692928b94b8afb [SHA1]
- B7b5e1253710d8927cbe07d52d2d2e10 [MD5]
- Eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe [SHA256]
- Da778748ef41a4482da767de90e7ae2a8befa41e [SHA1]
- 61653b3cd1a290bbc531181edec807b20e263599aa6a2908dc259b867ec98297 [SHA256]
- 67f9404df22c6b1e82807f5c527805083f40b70b9dac6bc27c2583b70de17390 [SHA256]
- 6b1b4bbff59456dfaa3307a20171fd7394f49a5f6d1b3cd59392ba41e4881878 [SHA256]
- 749c4c343978b9f236838034f868dac937fdfd9af31a6e5dd05b993a87d51276 [SHA256]
- 895007b045448dfa8f6c9ee22f76f416f3f18095a063f5e73a4137bcccc0dc9a [SHA256]
- 196B1E6992650C003F550404F6B1109F [MD5]
- FF177BD454A19D15B9050448DA3298C4 [MD5]
Metadata for Conti ransomware sample
Countermeasures and best practices for prevention:
- Users are advised to disable their Remote Desktop Protocol (RDP) if not in use. Moreover, if it is required a secure RDP connection should be set up behind the firewall with appropriate binding and access control policies.
- All operating systems and applications should be updated on a regular basis. Virtual patching can be done to protect legacy systems and networks. This prevents cybercriminals from gaining easy access to any system through the vulnerabilities that exist in outdated applications and software. Avoid installing updates/ patches from unauthorized sources.
- Restrict execution of PowerShell /WSCRIPT in an enterprise environment. Ensure the installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription should also be allowed. Logs associated with this should be sent to a centralized log repository for monitoring and analysis.
- Establish a Sender Policy Framework (SPF) for your domain to prevent spam by detecting email spoofing that in turn prevents ransomware attacks.
- Application whitelisting/ strict implementation of Software Restriction Policies (SRP) blocks binaries running from %APPDATA% and %TEMP% paths. Generally, ransomware samples drop and execute from these locations.
- Do not open attachments or click on URLs in unsolicited emails, even if they are from someone in your contact list and they seem benign. If the URL appears to be genuine, instead of clicking on it, use your browser to access that particular page.
- Block the attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
- Consider encrypting confidential data, since the ransomware generally targets common file types.
- Backup critical information regularly, to limit the impact of data or system loss and to help expedite the recovery process. Ideally, sensitive data should be kept on a separate device, and backups should be stored offline.
- Network segmentation and segregation into security zones to help protect sensitive information and critical services. One must separate administrative networks from business processes with physical controls and Virtual Local Area Networks.
- Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.