As Ryuk wanes, a new family of ransomware dubbed Conti, which mimics many of Ryuk’s commands but sports some unique features that differentiate it from other families, is on the rise.
“Conti uses a large number of independent threads to perform encryption, allowing up to 32 simultaneous encryption efforts, resulting in faster encryption compared to many other families,” according to a Carbon Black blog post that details the ransomware and the features that set it apart from others in terms of performance and its focus on network-based targets.
“As cybercriminals evolve their code and tools, it's troubling that this ransomware strain has improved its ability to encrypt files quicker to use multiple threads running simultaneously,” said James McQuiggan, security awareness advocate at KnowBe4, who noted that while Ryuk is declining and Conti is escalating, organizations are still falling prey to their attacks.
“Conti also utilizes command line options to allow for control over how it scans for data, suggesting that the malware may commonly be spread and directly controlled by an adversary,” according to Carbon Black.
That control, said the researchers, who observed Conti in the wild, gives the new ransomware strain “the novel ability of skipping the encryption of local files and only targeting networked SMB shares, including those from IP addresses specifically provided by the adversary” – a “very rare ability” found in the Sodinokibi ransomware family.
Another feature shared by only a few ransomware families is the use of the Windows Restart Manager to ensure that every file can be encrypted, even one held open by another application. “Just as Windows will attempt to cleanly shut down open applications when the operating system is rebooted, the ransomware will utilize the same functionality to cleanly close the application that has a file locked,” Carbon Black explained, which frees the file to be encrypted.
Like other modern ransomware strains, Conti determines what data to encrypt by iterating through files on local systems and SMB network shares, then uses AES-256 encryption through a hard-coded public key to encrypt the files. But uniquely, Conti sports multiple anti-analysis features, chiefly a unique string-encoding routine applied to nearly every string in the binary, meant to slow detection and reverse engineering. This obfuscation technique is used to hide, among other things, the ransomware’s various Windows API calls.
While a few ransomware families do target local networks to encrypt through SMB, Conti has what the Carbon Black researchers call a “very unique feature” that “allows command line arguments to direct it to encrypt the local hard drive or network shares, even specific, targeted, IP addresses.”
That seems to indicate that the ransomware strain was partly designed to allow an adversary monitoring the environment to execute it directly.
“This is the opposite of ransomware that’s designed to be executed via an email attachment or drive-by download, in which the ransomware just executes independently,” said Carbon Black, though Conti can be executed independently with no interaction.
By supporting the “‘-h’ command line argument that can point to a text file containing a list of network hostnames, each separated by a new line,” the researchers said, the ransomware can “first iterate through hosts that it routinely connects to and then target specific machines elsewhere on the network as specified by the adversary.”
As a result, Conti can wreak targeted damage through a method that could thwart incident response. “While the Conti malware design has it operate from inside the network and not from an email click, it's worth noting that cybercriminals had to get in one way or another,” said McQuiggan. “Organizations want to have a robust security incident and event monitoring system to watch for systems exhibiting the unusual symptoms caused by this malware.”
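The behaviours the article describes (an operator-driven launch with a “-h” hostlist file, Restart Manager use to unlock files, and many threads writing to SMB shares at once) are all visible in ordinary endpoint telemetry, which is the “unusual symptoms” McQuiggan refers to. The following is an added detection example, not code from the article or from Carbon Black: it runs three heuristics over constructed sample events and reports which process shows more than one indicator. The event schema, process IDs, paths and thresholds are assumptions made for the example; the only real identifiers are the “-h” switch the article names and the Application-log event Microsoft-Windows-RestartManager 10000, which Windows records when a Restart Manager session starts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each record is a flat dict;
# a real deployment would map Sysmon/EDR fields onto these keys.
SAMPLE_EVENTS = [
    # Operator-driven launch with a hostlist file, as the article describes.
    {"ts": "2020-07-09T10:00:00", "kind": "process", "pid": 4120,
     "image": r"C:\Users\Public\svc.exe",
     "cmdline": r'svc.exe -h "C:\Users\Public\hosts.txt"'},
    # Benign process for contrast.
    {"ts": "2020-07-09T10:00:01", "kind": "process", "pid": 5000,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]
# Restart Manager sessions opened by pid 4120 within a few seconds. Windows
# logs each session start as Microsoft-Windows-RestartManager event 10000.
SAMPLE_EVENTS += [
    {"ts": f"2020-07-09T10:00:{5 + i:02d}", "kind": "rm_session", "pid": 4120}
    for i in range(12)
]
# Forty file writes from pid 4120 spread over four SMB hosts in four seconds,
# the pattern a multithreaded share encryptor would leave.
SAMPLE_EVENTS += [
    {"ts": f"2020-07-09T10:00:{10 + i // 10:02d}", "kind": "file_write",
     "pid": 4120, "path": rf"\\fs{i % 4:02d}\share\doc{i}.docx"}
    for i in range(40)
]
# A backup agent (pid 6100) writing steadily to a single share: many files,
# one host, one per second. This should not be flagged.
SAMPLE_EVENTS += [
    {"ts": f"2020-07-09T10:00:{i:02d}", "kind": "file_write", "pid": 6100,
     "path": rf"\\backup01\vault\chunk{i}.bin"}
    for i in range(60)
]

# Matches '-h <file>' with or without quotes; '-h' is the switch the article names.
HOSTLIST_RE = re.compile(r'(?:^|\s)-h\s+(?:"([^"]+)"|(\S+))')


def hostlist_launches(events):
    """Return {pid: hostlist_path} for process launches that pass a '-h <file>' argument."""
    found = {}
    for ev in events:
        if ev["kind"] != "process":
            continue
        m = HOSTLIST_RE.search(ev["cmdline"])
        if m:
            found[ev["pid"]] = m.group(1) or m.group(2)
    return found


def unc_host(path):
    """Host part of a UNC path (\\\\host\\share\\...), lower-cased; None for local paths."""
    m = re.match(r"^\\\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _burst_pids(records, window, threshold, min_keys=1):
    """records: (pid, datetime, key). Return the pids that have >= threshold records
    inside some sliding window of length `window`, covering >= min_keys distinct keys."""
    per_pid = defaultdict(list)
    for pid, ts, key in records:
        per_pid[pid].append((ts, key))
    flagged = set()
    for pid, items in per_pid.items():
        items.sort(key=lambda x: x[0])
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len(span) >= threshold and len({k for _, k in span}) >= min_keys:
                flagged.add(pid)
                break
    return flagged


def restart_manager_bursts(events, window=timedelta(seconds=30), threshold=10):
    """Pids opening many Restart Manager sessions in a short window (thresholds assumed)."""
    recs = [(ev["pid"], _ts(ev), None) for ev in events if ev["kind"] == "rm_session"]
    return _burst_pids(recs, window, threshold)


def smb_write_bursts(events, window=timedelta(seconds=10), threshold=30, min_hosts=3):
    """Pids writing many files across several SMB hosts in a short window (thresholds assumed)."""
    recs = []
    for ev in events:
        if ev["kind"] == "file_write":
            host = unc_host(ev["path"])
            if host:
                recs.append((ev["pid"], _ts(ev), host))
    return _burst_pids(recs, window, threshold, min_hosts)


def assess(events):
    """Combine the indicators per pid; two or more on one process merits an analyst's attention."""
    indicators = defaultdict(list)
    for pid, path in hostlist_launches(events).items():
        indicators[pid].append(f"hostlist argument -> {path}")
    for pid in restart_manager_bursts(events):
        indicators[pid].append("restart manager session burst")
    for pid in smb_write_bursts(events):
        indicators[pid].append("multi-host SMB write burst")
    return dict(indicators)


if __name__ == "__main__":
    for pid, hits in sorted(assess(SAMPLE_EVENTS).items()):
        print(pid, hits)
```

Each heuristic on its own is noisy (backup agents write to shares, installers open Restart Manager sessions), which is why `assess` reports the combination rather than any single hit; the sliding-window thresholds are starting points to tune against a site's own baseline, not values from the article.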