Conti Ransomware Is Considered the Most Successful Ransomware

Threat

The Conti malware was first seen in December 2019, but it was not until mid-2020 that its activity became noticeable. From that point it drew the attention of security companies because of its close resemblance, and probable relationship, to the Ryuk ransomware operation. As of today, Conti is considered one of the most successful of this year's "emerging" groups, with 142 ransomware victims counted so far.



Conti ransomware

After Ryuk's activity slowed in July 2020, Conti continued its mid-year growth and began to be distributed through reverse shells opened by the TrickBot Trojan.

Among the characteristics of this malware, it operates as a private RaaS (ransomware-as-a-service): affiliates encrypt and steal large volumes of files and data and demand payment, generally in Bitcoin, for their ransom. Like other families such as NetWalker and Egregor, Conti created its own website to leak data stolen from its victims.

In one of their recent attacks, Conti's operators demanded 750 bitcoins, roughly $14 million. This is what puts the victim companies in a tight spot: for every day that passes without contacting the actors behind the theft, the demand increases by 0.5 bitcoins.


Operation mode

As discussed in previous newsletters, TrickBot is what gives threat actors the access they need to deploy Ryuk or Conti ransomware.

TrickBot is a malware infection commonly installed via malicious phishing emails or dropped by other malware. Once installed, TrickBot runs silently on the victim's computer while downloading additional modules to perform different tasks.

Once the actors behind Conti successfully breach a corporate network, they move laterally until they obtain domain administrator credentials and accounts, which allows them to deploy the ransomware payload and encrypt devices across the domain.

Conti uses a large number of independent threads to perform encryption, running up to 32 encryption threads concurrently, which makes it faster than many other families.

Conti also accepts command-line options that control how it scans for data, which suggests the malware is commonly spread and directly controlled by an operator rather than running fully automated. This control includes the ability to skip local file encryption and target only SMB shares on the network, including shares on IP addresses supplied by the adversary. This is a rare capability, previously seen in the Sodinokibi (REvil) ransomware family.
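From a file server's point of view, share-only encryption looks like one source address writing to many distinct shares in a short window. The following PowerShell script, added here as an example and not part of the original newsletter or the malware, hunts Security event 5140 ("A network share object was accessed") for that pattern. It assumes that "Audit File Share" success auditing is enabled on the server, and the thresholds ($MinShares, $WindowMin) are illustrative values chosen for this example, not vendor guidance.

```powershell
# Added example (not from the original article): flag a single source host
# that writes to several distinct SMB shares within a short time window,
# using Security event 5140. Assumes "Audit File Share" success auditing
# is on; thresholds below are assumptions for illustration.
param(
    [int]$MinShares   = 3,                   # distinct shares per source (assumed threshold)
    [int]$WindowMin   = 10,                  # look-back window in minutes (assumed threshold)
    [string]$Computer = $env:COMPUTERNAME    # file server to query
)

$since  = (Get-Date).AddMinutes(-$WindowMin)
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5140
    StartTime = $since
} -ErrorAction SilentlyContinue

# Pull the EventData fields out of each record's XML.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Source     = $d.IpAddress
        Share      = $d.ShareName
        AccessMask = [Convert]::ToInt32($d.AccessMask, 16)   # e.g. "0x2" -> 2
    }
}

# 0x2 (WriteData/AddFile) must be set for an encryptor to replace files;
# read-only enumeration of shares is far noisier and is ignored here.
$writers = $records | Where-Object { $_.AccessMask -band 0x2 }

$writers |
    Group-Object Source |
    ForEach-Object {
        $shares = @($_.Group.Share | Sort-Object -Unique)
        if ($shares.Count -ge $MinShares) {
            [pscustomobject]@{
                Source    = $_.Name
                Users     = (@($_.Group.User | Sort-Object -Unique)) -join ', '
                Shares    = $shares.Count
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Detail    = $shares -join ', '
            }
        }
    } |
    Sort-Object Shares -Descending |
    Format-Table -AutoSize
```

Run it on the file server itself or against it with `-Computer`. A backup agent or a deployment tool will also trip this, so tune the threshold and whitelist known sources before wiring it into an alert.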

Another tactic used by Conti, and seen in very few ransomware families, is the use of the Windows Restart Manager to ensure that every file can be encrypted. Just as Windows uses it to cleanly close open applications when the operating system restarts, the ransomware uses the same functionality to cleanly close the application holding a lock on a file, releasing the file for encryption.

When encrypting a computer, the ransomware appends the .CONTI extension to encrypted files and drops a ransom note named CONTI_README.txt in each folder.


Shares Code With Ryuk Ransomware

There are indications that this ransomware shares code with Ryuk, which has been slowly fading away as Conti's distribution increases.

At some point, the threat actors using Ryuk split, rebranded, or decided to transition to the name "Conti", which appears to be based on Ryuk version 2 code.

In addition to the code similarities, a more descriptive Conti ransom note has been spotted using exactly the same template Ryuk used in previous attacks.

Until July, Ryuk was the ransomware TrickBot's distributors chose to infect their victims. Now Conti has taken that place.



Panorama

Overall, Conti represents a distinctive twist on modern ransomware. The operators' behaviour shows an intention to carry out reconnaissance as well, identifying the valuable servers in the environment whose data is most damaging to encrypt. Its multi-threaded implementation, together with the use of the Windows Restart Manager, gives it extremely fast and thorough data encryption; that, combined with its leak site, makes it a ransomware that will remain part of the threat landscape in 2021.


Mitigation

The Entel CyberSecure Cyber Intelligence Center recommends the following:

  • Create a custom rule to block the published IOCs in inbound perimeter profiles.
  • Keep periodic backup policies, with backups stored outside the organizational network.
  • Scan every attachment, before opening it, with a behaviour-based antivirus capable of detecting ransomware.
  • Maintain a good backup strategy: backup systems must be isolated from the network and covered by security policies. This makes it possible to neutralize the attack, restore operations, and avoid paying the ransom.
  • Keep Windows computers updated to the latest versions.
  • Never follow an instruction to disable security features, if an email or document requests it.
  • Set system security policies that prevent the execution of files from directories commonly used by ransomware (AppData, Local AppData, etc.).
  • Use anti-spam systems for email; this reduces the chance of infection through mass spam campaigns.
  • Maintain access control lists on mapped network drives, restricting write privileges. This limits the impact of file encryption, bearing in mind that the hijacking of information will reach every network drive mapped on the victim's computer.
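The recommendation to block execution from AppData and Local AppData can be implemented with AppLocker path rules. The script below is an added example, not part of the newsletter: it generates a policy that keeps AppLocker's three default "allow" rules (Program Files, Windows, and everything for local Administrators) and adds a Deny rule for executables under each user's AppData tree, then merges it into the local policy. It assumes a Windows edition with AppLocker, that the Application Identity service (AppIDSvc) is running, and that the enforcement mode starts as AuditOnly; the rule names, file path and GUIDs are this example's own.

```powershell
# Added example (not from the article): AppLocker policy denying EXE
# execution from %OSDRIVE%\Users\*\AppData\* while keeping the default
# allow rules. Assumes AppLocker is available and AppIDSvc is running.
# Start in AuditOnly, review events 8003 (would have been blocked) in the
# "Microsoft-Windows-AppLocker/EXE and DLL" log, then switch to Enabled.
$mode = 'AuditOnly'   # change to 'Enabled' once the audit log is clean

function New-PathRuleXml {
    param([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0')  # S-1-1-0 = Everyone
    # Each rule needs a unique Id; a fresh GUID is fine for a locally authored policy.
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="Ransomware hardening (added example)" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

$rules = @(
    # The three default rules; without them an Enabled policy blocks everything not listed.
    New-PathRuleXml -Name 'Allow Program Files'        -Path '%PROGRAMFILES%\*' -Action Allow
    New-PathRuleXml -Name 'Allow Windows folder'       -Path '%WINDIR%\*'       -Action Allow
    New-PathRuleXml -Name 'Allow Administrators'       -Path '*'                -Action Allow -Sid 'S-1-5-32-544'
    # Deny rules win over Allow rules, so the AppData deny applies even to matches above.
    New-PathRuleXml -Name 'Deny EXE from AppData'      -Path '%OSDRIVE%\Users\*\AppData\*' -Action Deny
) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'appdata-deny-policy.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry-run the policy against a sample path before applying it.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Users\alice\AppData\Local\Temp\update.exe', 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge with the existing local policy rather than replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Expect legitimate per-user installers (some browsers, collaboration clients) to show up in the 8003 audit events; add publisher-based Allow rules for those before moving to Enabled, and extend the same approach to the Script and Msi rule collections, since ransomware loaders are often scripts rather than EXEs.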
