A lesser-known ransomware strain called Conti uses up to 32 simultaneous CPU threads to encrypt files on infected computers, giving it higher encryption speeds than most of its peers, security researchers at Carbon Black said Wednesday.
Conti is the latest in a long line of ransomware strains identified this year. Like most ransomware families today, it is human-operated: designed to be controlled directly by an adversary on the victim's network rather than to run automatically on its own.
Conti works like most ransomware, but it has its own particularities, including some features not observed in other strains.
In a technical report released Wednesday, Carbon Black's Threat Analysis Unit (TAU) said that what stood out in its analysis of the Conti code was its support for multi-threading.
Multi-threading itself is not unique. Other ransomware families also spawn multiple threads so that several encryption operations run concurrently on the CPU, finishing the file-locking process faster, ideally before antivirus software detects and stops it.
Other ransomware strains that use multiple CPU threads include REvil (Sodinokibi), LockBit, Rapid, Thanos, Phobos, LockerGoga and MegaCortex, to name just a few. But Carbon Black says Conti stood out because of the large number of concurrent threads it uses, 32, which resulted in "faster encryption compared to many other ransomware".
This was not the only detail Carbon Black singled out, however. The second feature is fine-grained control over what the ransomware encrypts, exposed through command-line arguments.
Carbon Black researchers say the ransomware can be configured to skip files on local drives altogether and encrypt only data on SMB network shares, simply by passing the binary a list of IP addresses on the command line.
This behavior can also confuse security teams investigating an incident: because the encryption of remote shares is driven from a single compromised machine, responders who lack visibility into every system on the network may be unable to pinpoint the intruders' entry point, and the attackers can remain hidden on that one machine inside the victim's network.
The third unique technique found in the Conti code is the abuse of the Windows Restart Manager, the Windows component that shuts down applications holding files open so that updates can be installed or the system restarted cleanly.
According to Carbon Black, Conti calls this component to identify the processes holding a target file open and terminate them, so that it can encrypt data that would otherwise be locked. This trick is especially useful on Windows servers, where the most sensitive data is typically managed by a database that is almost always running and keeps its files locked.
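Both behaviors above leave traces defenders can look for: a single client obtaining write or delete access on shares of many file servers in a short window (Security event 5145, logged on each file server), and a burst of Restart Manager "shutting down application or service" events (source RestartManager, event ID 10002 in the Application log) on a host that is not running an installer. The following Python script is an added example, not code from the article or from Carbon Black's report; it runs two such checks over constructed sample records in a simplified, hypothetical export format (field names `time`, `host`, `source`, `event_id`, `client_ip`, `access_mask` are assumptions, as are the thresholds).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Access-mask bits that appear in Security event 5145 and indicate that
# the client asked for modifying rather than read-only access.
WRITE_DATA = 0x0002
APPEND_DATA = 0x0004
DELETE = 0x10000
MODIFY_MASK = WRITE_DATA | APPEND_DATA | DELETE


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-long span."""
    times = sorted(times)
    best = 0
    for i, t0 in enumerate(times):
        n = sum(1 for t in times[i:] if t - t0 <= window)
        best = max(best, n)
    return best


def smb_fanout_sources(records, min_servers=3, window=timedelta(minutes=5)):
    """Clients that obtained write/delete access on shares of at least
    `min_servers` distinct file servers inside one `window`.

    Returns {client_ip: sorted list of servers}. Event 5145 is logged on
    the file server, so records from several servers must be pooled first.
    """
    by_client = defaultdict(list)
    for r in records:
        if r["source"] != "Security" or r["event_id"] != 5145:
            continue
        if not r["access_mask"] & MODIFY_MASK:
            continue
        by_client[r["client_ip"]].append((r["time"], r["host"]))
    hits = {}
    for ip, touches in by_client.items():
        touches.sort()
        for i, (t0, _) in enumerate(touches):
            servers = {s for t, s in touches[i:] if t - t0 <= window}
            if len(servers) >= min_servers:
                hits[ip] = sorted(servers)
                break
    return hits


def restart_manager_bursts(records, min_shutdowns=5, window=timedelta(minutes=2)):
    """Hosts where RestartManager logged at least `min_shutdowns`
    'shutting down application or service' events (ID 10002) inside one
    `window`. Returns {host: count}. An installer closes a few
    applications; an encryptor freeing locked files closes a stream of them.
    """
    by_host = defaultdict(list)
    for r in records:
        if r["source"] == "RestartManager" and r["event_id"] == 10002:
            by_host[r["host"]].append(r["time"])
    hits = {}
    for host, times in by_host.items():
        n = _max_in_window(times, window)
        if n >= min_shutdowns:
            hits[host] = n
    return hits


# Constructed sample records (hypothetical export format, not a real SIEM
# schema). `time` is when the event was logged, `host` the machine that
# logged it.
_T0 = datetime(2020, 7, 8, 9, 0, 0)


def _at(seconds):
    return _T0 + timedelta(seconds=seconds)


def _share(seconds, server, client_ip, mask):
    return {"time": _at(seconds), "host": server, "source": "Security",
            "event_id": 5145, "client_ip": client_ip, "access_mask": mask}


def _rm(seconds, host, event_id):
    return {"time": _at(seconds), "host": host, "source": "RestartManager",
            "event_id": event_id}


SAMPLE_RECORDS = [
    # One workstation writing to shares on three file servers within two
    # minutes: the "encrypt only remote shares" pattern.
    _share(0, "FS01", "10.0.0.25", 0x2),
    _share(35, "FS02", "10.0.0.25", 0x10000 | 0x2),
    _share(110, "FS03", "10.0.0.25", 0x4),
    # A user reading from one server and writing to one other: normal.
    _share(5, "FS01", "10.0.0.40", 0x1),
    _share(60, "FS02", "10.0.0.40", 0x2),
    # A backup host writing to two servers an hour apart: normal.
    _share(10, "FS01", "10.0.0.9", 0x2),
    _share(3610, "FS02", "10.0.0.9", 0x2),
    # Restart Manager on a database server: one session, six shutdowns
    # within thirty seconds.
    _rm(200, "DB01", 10000),
    *[_rm(201 + 5 * i, "DB01", 10002) for i in range(6)],
    _rm(232, "DB01", 10001),
    # A patch installer on an admin workstation closing two apps: normal.
    _rm(300, "ADM02", 10000),
    _rm(301, "ADM02", 10002),
    _rm(302, "ADM02", 10002),
    _rm(303, "ADM02", 10001),
]


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout_sources(SAMPLE_RECORDS))
    print("Restart Manager bursts:", restart_manager_bursts(SAMPLE_RECORDS))
```

On the sample data the first check flags only 10.0.0.25 (three servers inside the five-minute window) and the second flags only DB01 (six shutdowns in thirty seconds). The thresholds are deliberately loose and would need tuning against a baseline of patch windows and backup jobs, which are the usual benign sources of both patterns.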
There is currently no known way to decrypt files locked by Conti ransomware, which means that all known prevention measures must be in place: offline backups, workstation hardening, and closing or securing exposed remote management ports such as RDP.