How Conti Ransomware WorksResearchers Analyze the Severe Threat the Malware Poses
Conti ransomware, which emerged eight months ago, poses a severe threat, according to Cybereason’s Nocturnus Team, which offers an in-depth analysis of how the malware works.
The malware is known for how fast it’s being updated, its ability to quickly encrypt a system and its auto-spreading functionality, according to the report.
Cybereason researcher Lior Rochberger says the actors behind Conti have released three versions of the malware since it burst onto the scene in May 2020, improving its effectiveness with each new variant.
Conti attacks, like Netwalker and Sodinokibi, use a double-extortion tactic. In addition to demanding a ransom for a decryption key, the attackers double down by leaking a small amount of the stolen data while threatening to leak even more information if the ransom is not paid.
"Conti is a very destructive threat,” Rochberger says. “Besides the double extortion that puts information and reputation at risk, the Conti operators equip it with a spreading capability, which means that Conti not only encrypts the files on the infected host but also spreads via SMB and encrypts files on different hosts, potentially compromising the entire network.”
The ransomware also uses a multithreading technique to quickly spread once it’s inside a network, making it difficult to stop, Rochberger says.
Tracking Conti Activity
The security firm Coveware, which issues quarterly ransomware reports, ranked Conti as the sixth-most-active variant in its third-quarter 2020 update.
The malware, which is distributed to hackers using a ransomware-as-a-service model, was picked up by the Trickbot gang in July, displacing Ryuk as the group's ransomware weapon of choice.
"We observed a collaboration between the Conti gang and the TrickBot gang, but we can't say at this point whether it's an exclusive collaboration,” Rochberger says. “However, it is possible that collaborations with other groups have taken place or will take place at some point, given the way that these ransomware groups operate their business model."
The Conti gang claims to have victimized 150 organizations and generated several million dollars in ransom income. But Cybereason says there’s no way to verify these claims.
Conti's developers have a "news site" where they post a small amount of the data that was stolen and then threaten to release more data to the public if the ransom is not paid.
In December, the Conti gang posted two zip files that it said contained 3GB of data from industrial IoT chipmaker Advantech (see: Conti Ransomware Gang Posts Advantech's Data).
More recently, Conti added the Scottish Environment Protection Agency to its list of victims. So far, Conti has leaked 20 files from SEPA, comprising what it says is 7% of what it stole via an attack on Dec. 24, 2020.
Conti was first spotted by cybersecurity teams on May 29, 2020.
The initial version featured the .conti extension and an independent executable. The malware spread inside a targeted system using Server Message Block, or SMB, when told to do so by the command-and-control server.
The Cybereason researchers say Conti takes an unusual approach to moving laterally once inside a system.
"Lateral movement is a necessary step to gain control over the network, and while many ransomware threat actors use certain techniques and tools to achieve it once they have gained access to a network, very few have implemented an auto-spreading functionality within the ransomware itself," Rochberger says.
Version two of Conti, which was issued on Oct. 9, 2020, included an updated ransom note with more details and, for the first time, a threat to publish data the gang had stolen if its financial demands were not met, according to the Cybereason report.
Technical changes in this version included an extension that changed with each attack. The ransomware also used fewer malicious URLs. In addition to the independent executable, this version also included a loader and Dynamic Link Library file. And it spread through SMB without orders, the report notes.
Version three, which came to light the following month, on Nov. 6, includes a few technical changes, such as using more malicious URLs and a Python debugger.
Although the malware has been updated, the method of distribution has not changed, the Cybereason report notes. The initial infection vector is a phishing email containing a link to a Google Drive where the payload is stored.
This payload is delivered via a PDF or other document that downloads the Bazar backdoor onto the victim’s device to connect to the command-and-control server. The next steps are reconnaissance, lateral movement and data exfiltration. Once a significant portion of the network is infected with the backdoor, Conti is dropped onto the system, the Cybereason report states.
Executing the Attack
Attacks using the malware's latest version begin with either the independent executable or the loader bringing in a DLL from the resources section and then executing it, according to the report. The next steps are:
- The loader decrypts the payload using a hard-coded key and loads it into memory.
- Once the DLL is loaded, Conti starts its encryption and spreading routines. The ransomware scans the network for SMB (port 445). If it finds any shared folders it can access, it will try to encrypt the files on the remote machines as well.
- A fast multithreading technique is used to encrypt the files, taking a few minutes to complete this task.
- A copy of the ransom note is then left in every folder so it will be spotted by the victim.