The Conti ransomware is a new threat that targets corporate networks. Its advanced capabilities allow it to carry out faster and more targeted attacks. Researchers have noticed that this ransomware shares malware code with Ryuk, which has begun to disappear as Conti's attacks increase.
Conti ransomware first appeared in isolated attacks in late December 2019. Attacks gradually increased and, in late June, began to rise sharply.
The ransomware breaches corporate networks and spreads laterally to obtain domain administrator credentials. Once the attackers have administrator rights, they deploy the ransomware and move on to encrypting devices.
It is not yet known whether the attackers steal victims' files before encrypting devices.
The connection between Ryuk and Conti ransomware
In August 2017, the Hermes ransomware was sold on the Exploit.in hacking forum by a Russian cybercriminal.
Vitali Kremez believes that the hackers may have bought this ransomware builder and turned it into Ryuk.
At some point, the criminals using Ryuk split up or decided to make changes, and started using the name “Conti”, which appears to be based on the Ryuk version 2 code.
In addition to the similarities in the malware code, the researchers observed similarities in the ransom note template.
Kremez also noted that the same TrickBot infrastructure is used by both Ryuk and Conti operators to carry out their attacks.
Conti Ransomware: Some interesting features
In a new report, Carbon Black researchers described some interesting features of Conti ransomware.
Before encryption, the ransomware stops 146 Windows services related to security, backup, database and email solutions. Conti also deletes Shadow Volume copies and then begins encrypting the computer.
When encrypting, the ransomware appends the extension .CONTI to encrypted files and leaves a ransom note named CONTI_README.txt in each folder.
It uses a unique AES-256 encryption key per file, which is then encrypted with a bundled RSA-4096 public key, so the files cannot be recovered without the attackers' private key.
The note gives minimal information about the attack and how to contact the attackers (another resemblance to Ryuk).
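The behaviours listed above (a burst of service stops, shadow copy deletion, the .CONTI extension and the CONTI_README.txt note) are the observable signals a defender can alert on. The following detection sketch is an added example and is not code from the article or from Carbon Black; it runs over constructed sample telemetry. The event record format, the shadow copy deletion command lines it matches and the service-stop threshold are assumptions, since the article only states that the services are stopped and the copies deleted.

```python
"""Detection sketch for the Conti behaviours described in the article.

Added example, not from the article or any vendor product.  Assumptions:
 - events are plain dicts from some endpoint telemetry feed (format assumed),
 - the shadow-copy deletion command lines are common administrative commands
   and are assumed; the article only says Conti deletes Shadow Volume copies,
 - the service-stop threshold is a tunable assumption (the article reports
   146 services stopped before encryption).
"""
import ntpath  # handles Windows paths regardless of the host OS

# Indicators taken directly from the article
RANSOM_NOTE = "CONTI_README.txt"
ENCRYPTED_EXT = ".conti"

# Assumed command-line fragments used to delete shadow copies
SHADOW_DELETE_PATTERNS = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
)

# Assumed burst threshold: this many service stops inside the window
SERVICE_STOP_THRESHOLD = 20
SERVICE_STOP_WINDOW_S = 60


def _is_shadow_delete(cmdline):
    """True if the command line matches one of the assumed deletion patterns."""
    c = cmdline.lower()
    return any(tool in c and action in c for tool, action in SHADOW_DELETE_PATTERNS)


def detect_conti_indicators(events):
    """Return a sorted, de-duplicated list of (indicator, detail) tuples.

    Each event is a dict with 'ts' (seconds), 'type' in
    {'process', 'service_stop', 'file_create'} and, depending on type,
    'cmdline', 'service' or 'path'.
    """
    findings = []
    stop_times = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and _is_shadow_delete(ev.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
        elif kind == "service_stop":
            stop_times.append(ev["ts"])
        elif kind == "file_create":
            name = ntpath.basename(ev["path"])
            if name == RANSOM_NOTE:
                findings.append(("ransom_note", ev["path"]))
            elif name.lower().endswith(ENCRYPTED_EXT):
                findings.append(("encrypted_file_extension", ev["path"]))

    # Sliding window over service-stop timestamps; report the burst once.
    stop_times.sort()
    lo = 0
    for hi, ts in enumerate(stop_times):
        while ts - stop_times[lo] > SERVICE_STOP_WINDOW_S:
            lo += 1
        count = hi - lo + 1
        if count >= SERVICE_STOP_THRESHOLD:
            findings.append(("service_stop_burst",
                             f"{count} services stopped within {SERVICE_STOP_WINDOW_S}s"))
            break
    return sorted(set(findings))


# Constructed sample telemetry (not real data): 25 service stops in 25 seconds,
# a shadow copy deletion, one encrypted file, the ransom note and a benign file.
SAMPLE_EVENTS = (
    [{"ts": 100.0 + i, "type": "service_stop", "service": f"svc{i}"} for i in range(25)]
    + [
        {"ts": 130.0, "type": "process",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"ts": 131.0, "type": "file_create",
         "path": r"C:\Users\alice\Documents\report.docx.CONTI"},
        {"ts": 131.5, "type": "file_create",
         "path": r"C:\Users\alice\Documents\CONTI_README.txt"},
        {"ts": 132.0, "type": "file_create",
         "path": r"C:\Users\alice\Documents\notes.txt"},
    ]
)

if __name__ == "__main__":
    for indicator, detail in detect_conti_indicators(SAMPLE_EVENTS):
        print(f"{indicator}: {detail}")
```

The service-stop rule is the earliest of the four signals in the sequence the article describes, so it is the one worth tuning for the environment: a patch window that restarts many services legitimately should be excluded, while a burst of stops that includes security or backup services followed by shadow copy deletion is a strong signal on its own.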
More details on the operation of Conti can be found here.