Forensics , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

How Conti Ransomware Works

Researchers Analyze the Severe Threat the Malware Poses
How Conti Ransomware Works
The Conti "news" website where the ransomware gang posts exfiltrated data in an attempt to extort victims to pay a ransom (Source: Cybereason)

Conti ransomware, which emerged eight months ago, poses a severe threat, according to Cybereason’s Nocturnus Team, which offers an in-depth analysis of how the malware works.

See Also: Gartner Guide for Digital Forensics and Incident Response

The malware is known for how fast it’s being updated, its ability to quickly encrypt a system and its auto-spreading functionality, according to the report.

Cybereason researcher Lior Rochberger says the actors behind Conti have released three versions of the malware since it burst onto the scene in May 2020, improving its effectiveness with each new variant.

Conti attacks, like Netwalker and Sodinokibi, use a double-extortion tactic. In addition to demanding a ransom for a decryption key, the attackers double down by leaking a small amount of the stolen data while threatening to leak even more information if the ransom is not paid.

"Conti is a very destructive threat,” Rochberger says. “Besides the double extortion that puts information and reputation at risk, the Conti operators equip it with a spreading capability, which means that Conti not only encrypts the files on the infected host but also spreads via SMB and encrypts files on different hosts, potentially compromising the entire network.”

The ransomware also uses a multithreading technique to quickly spread once it’s inside a network, making it difficult to stop, Rochberger says.

Tracking Conti Activity

The security firm Coveware, which issues quarterly ransomware reports, ranked Conti as the sixth-most-active variant in its third-quarter 2020 update.

The malware, which is distributed to hackers using a ransomware-as-a-service model, was picked up by the Trickbot gang in July, displacing Ryuk as the group's ransomware weapon of choice.

"We observed a collaboration between the Conti gang and the TrickBot gang, but we can't say at this point whether it's an exclusive collaboration,” Rochberger says. “However, it is possible that collaborations with other groups have taken place or will take place at some point, given the way that these ransomware groups operate their business model."

The Conti gang claims to have victimized 150 organizations and generated several million dollars in ransom income. But Cybereason says there’s no way to verify these claims.

Conti's developers have a "news site" where they post a small amount of the data that was stolen and then threaten to release more data to the public if the ransom is not paid.

In December, the Conti gang posted two zip files that it said contained 3GB of data from industrial IoT chipmaker Advantech (see: Conti Ransomware Gang Posts Advantech's Data).

More recently, Conti added the Scottish Environment Protection Agency to its list of victims. So far, Conti has leaked 20 files from SEPA, comprising what it says is 7% of what it stole via an attack on Dec. 24, 2020.

Three Versions

Conti was first spotted by cybersecurity teams on May 29, 2020.

The initial version featured the .conti extension and an independent executable. The malware spread inside a targeted system using Server Message Block, or SMB, when told to do so by the command-and-control server.

The Cybereason researchers say Conti takes an unusual approach to moving laterally once inside a system.

"Lateral movement is a necessary step to gain control over the network, and while many ransomware threat actors use certain techniques and tools to achieve it once they have gained access to a network, very few have implemented an auto-spreading functionality within the ransomware itself," Rochberger says.

Version two of Conti, which was issued on Oct. 9, 2020, included an updated ransom note with more details and, for the first time, a threat to publish data the gang had stolen if its financial demands were not met, according to the Cybereason report.

Technical changes in this version included an extension that changed with each attack. The ransomware also used fewer malicious URLs. In addition to the independent executable, this version also included a loader and Dynamic Link Library file. And it spread through SMB without orders, the report notes.

Version three, which came to light the following month, on Nov. 6, includes a few technical changes, such as using more malicious URLs and a Python debugger.

Although the malware has been updated, the method of distribution has not changed, the Cybereason report notes. The initial infection vector is a phishing email containing a link to a Google Drive where the payload is stored.

This payload is delivered via a PDF or other document that downloads the Bazar backdoor onto the victim’s device to connect to the command-and-control server. The next steps are reconnaissance, lateral movement and data exfiltration. Once a significant portion of the network is infected with the backdoor, Conti is dropped onto the system, the Cybereason report states.

The structure of a Conti attack (Source: Cybereason)

Executing the Attack

Attacks using the malware's latest version begin with either the independent executable or the loader bringing in a DLL from the resources section and then executing it, according to the report. The next steps are:

  • The loader decrypts the payload using a hard-coded key and loads it into memory.
  • Once the DLL is loaded, Conti starts its encryption and spreading routines. The ransomware scans the network for SMB (port 445). If it finds any shared folders it can access, it will try to encrypt the files on the remote machines as well.
  • A fast multithreading technique is used to encrypt the files, taking a few minutes to complete this task.
  • A copy of the ransom note is then left in every folder so it will be spotted by the victim.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.