Conti (Ransomware) – Malware

Overview

Conti ransomware has become one of the most notorious and impactful strains of malware in the cybersecurity landscape. Since its emergence in 2020, Conti has been linked to over $150 million in ransom payments and has successfully targeted more than 1,000 organizations worldwide. This sophisticated piece of malware is primarily associated with the Russian cybercrime group, Wizard Spider, and is widely considered the successor to the infamous Ryuk ransomware. Its widespread success can be attributed to its advanced techniques, including double extortion and rapid encryption, making it a significant threat to businesses of all sizes. Conti operates as second-stage malware, typically deployed after an attacker has gained initial access to a target system. Once inside, Conti establishes a connection to its command-and-control (C2) server, downloads additional tools, and begins its devastating process of encryption and data exfiltration. The ransomware’s double extortion tactic involves encrypting a victim’s files and then threatening to release sensitive data unless the ransom is paid. This dual threat makes it particularly difficult for organizations to recover without succumbing to the demands of the attackers, adding an extra layer of pressure for the victims.

Targets

Information Health Care and Social Assistance Finance and Insurance Manufacturing

How they operate

Initial Access and Deployment

Conti ransomware typically begins its attack through initial access mechanisms such as phishing emails, spear-phishing campaigns, or exploiting vulnerabilities in systems to gain a foothold. One common method involves compromising remote desktop protocol (RDP) credentials or utilizing known exploits to gain unauthorized access to vulnerable systems. Once inside the network, attackers install first-stage malware, which acts as a foothold and opens the door for the deployment of Conti’s second-stage ransomware. This malware often connects to a remote command-and-control (C2) server, allowing the attackers to download the second-stage tools, including file encryption utilities and additional malware designed to elevate privileges and maintain persistence.

Lateral Movement and Network Propagation

Once the Conti ransomware has established its presence on a compromised system, it begins its lateral movement within the network. The malware often leverages vulnerabilities in network protocols, especially the Server Message Block (SMB) protocol, to spread from one machine to another. SMB exploits are commonly used to elevate privileges and move quickly through the network, allowing the attackers to compromise additional systems. The malware can also take advantage of penetration testing tools like Cobalt Strike, PowerSploit, and AdFind to scan and exploit systems across the network, further spreading its reach. In addition to SMB, Conti uses other techniques to move laterally, such as executing remote code on other systems and manipulating existing security tools to disable protections. This approach makes it difficult for security measures to detect and block the spread of the ransomware, allowing the attackers to infect high-value targets without raising alarms.

Data Exfiltration and Double Extortion

One of the most distinctive features of Conti ransomware is its use of double extortion tactics. After infecting a system and spreading through the network, Conti performs data exfiltration, stealing valuable information before encrypting files. Sensitive corporate data, financial records, intellectual property, and personal information are often targeted. This stolen data is uploaded to an attacker-controlled server, giving the threat actors leverage over their victims. The ransomware operators then threaten to release the exfiltrated data publicly or sell it to other cybercriminals unless the ransom is paid. This tactic increases the pressure on victims, as they now face the risk of data leaks, reputational damage, and regulatory consequences, in addition to the immediate operational disruption caused by the encryption of their files. The ransom demand typically includes two parts: one for the decryption key to regain access to encrypted files and another to prevent the release of sensitive data.

Encryption Process and Payload

The final stage of a Conti ransomware attack is the encryption of files. Conti uses a combination of AES-256 symmetric encryption and RSA-4096 asymmetric encryption algorithms to lock down files. This two-layer encryption ensures that even if an attacker manages to obtain the decryption key for one layer, the other layer would still render the files inaccessible. During the encryption process, Conti targets file types that are critical for business operations, such as personal documents, spreadsheets, databases, and media files. These files are encrypted with a unique key for each victim, and the encryption is typically performed using multi-threading techniques, allowing the ransomware to quickly encrypt a large number of files in a short amount of time. Once the encryption is complete, Conti appends a specific extension to the encrypted files, often “.conti” or “.CONTI,” and creates ransom notes in each directory with instructions on how to contact the attackers. These notes include payment instructions, often in cryptocurrency, and threats of releasing sensitive data if the ransom is not paid.

Evasion Techniques and Countermeasures

Conti ransomware is designed to evade detection and analysis by security products. It attempts to disable or bypass any existing endpoint protection solutions by terminating processes related to security software or modifying firewall settings. Conti also checks if it is running in a sandbox environment used for malware analysis; if it detects such an environment, it may refrain from executing or encrypting files in an attempt to avoid detection. To protect against Conti ransomware, organizations must employ a multi-layered defense strategy. This includes user-awareness training to reduce the risk of phishing attacks, the use of advanced endpoint detection and response (EDR) solutions to quickly detect and neutralize threats, and the implementation of network segmentation to limit the spread of malware. Additionally, ensuring that systems are patched and up to date can help reduce the risk of initial exploitation.

Conclusion

Conti ransomware operates through a sophisticated, multi-stage attack process that involves gaining initial access, moving laterally through networks, exfiltrating sensitive data, and encrypting critical files using advanced encryption methods. Its use of double extortion tactics and its rapid deployment capabilities make it a formidable threat to organizations worldwide. By understanding how Conti operates on a technical level, businesses can better prepare themselves to defend against this dangerous strain of ransomware and minimize the damage caused by an attack.  

References

• Conti (ransomware)
• What Is Conti Ransomware?