What is CONTI Ransomware and what do you need to know about it

Author: Samridh Ashish

Executive Summary

Conti is one of the most relentless ransomware amongst any existing ransomware families. As of 28th Feb 2022, the US and International organisations have seen more than 1,000 attacks since its launch. In typical Conti ransomware attacks, threat actors steal files, encrypt servers and workstations with AES256 encryption, and demand a ransom payment in cryptocurrency.

Conti has extorted over US$150 million from its victims.

Rise of CONTI ransomware

Conti is believed to be one of the most dangerous active ransomware families. Threat actors use Conti to steal sensitive files and information from compromised networks and threaten to publish this data unless the ransom is paid. Having links with Wizard Spider, Conti is considered the successor of the notorious Ryuk ransomware. It has operators spread across Russia, Ukraine and Belarus.

Conti works on RaaS (Ransomware-as-a-Service) model, and its first infection was discovered in December 2019. It has been connected to several ransomware incidents — racking in payments total more than 100 Bitcoin (approx. USD 50 million).

Major incidents related to CONTI

In May 2021, Ireland’s Health Service was forced to terminate its IT systems after a ransomware attack.

In May 2021, The City of Tulsa, Oklahoma, suffered a ransomware attack that forced the City to shut down its systems to stop the spread of the malware.

In September 2021, JVCKenwood suffered a ransomware attack, and supposedly 1.7 TB of data was stolen.

In February 2022, the ransomware group announced its full support to the Russian government and their determination to retaliate against the cyberattacks launched against the Russian citizens and infrastructure.

Warning statement released by Conti group
Top affected countries and industries

Some common tools used by threat actors deliver Conti:

1. TrickBot

2. Cobalt strike

3. Buer

4. IceID

Analysis

Conti uses many independent threads to perform encryption, making it the fastest encrypting malware in the ransomware family (up to 32 simultaneous encryption efforts). This ransomware accelerates data encryption and can linger in your systems for weeks without notice. Conti uses Windows Restart Manager to disable security, backup, database, and email solution services to prep for encryption. This ransomware family can encrypt hard drives, network shares, and even specific IP addresses.

Tactics, techniques and procedures based on MITRE ATT&CK® and Cyber Kill Chain® framework:

*Atera RMM (Remote monitoring and management software) provider says their software has not been compromised

MITIGATIONS

1. Use multi-factor authentication

2. Implement network segmentation and traffic filter

3. Regularly scan for vulnerabilities

4. Keep software and firmware updated

5. Remove unnecessary applications

6. Implement EDR tools

7. Regularly audit logs and administrative user accounts

CONCLUSION

Conti exhibits rapid development in the current ransomware category. It has a new way of launching ransomware attacks by utilising advanced encryption and targeting high-value systems in the victim network. Despite the recent data leaks, the ransomware gang shows no sign of slowing down. To stop them in their tracks, they must be made unprofitable.

REFERENCES

www.trendmicro.com

https://www.logpoint.com/en/blog/detecting-Conti-ransomware-the-successor-of-infamous-ryuk/

https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/Conti-ransomware#:~:text=Conti%20is%20a%20sophisticated%20Ransomware,first%20detected%20in%20December%202019.

https://malpedia.caad.fkie.fraunhofer.de/

https://ransomwhe.re/#browse

https://attack.mitre.org/software/S0575/

https://www.cisa.gov/uscert/ncas/alerts/aa21-265a

https://www.cobaltstrike.com/features/

https://blogs.vmware.com/security/2020/07/tau-threat-discovery-Conti-ransomware.html

https://www.bleepingcomputer.com

https://www.ic3.gov/Media/News/2021/210521.pdf

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Samridh Ashish

Samridh Ashish

Security and threats intelligence researcher