Conti ransomware first appeared in May 2020 and has become increasingly sophisticated since then, according to Cybereason. Attacks by this malware are particularly damaging due to the speed with which it encrypts data and spreads to other systems. Preventing Conti attacks requires general measures to detect it and specific techniques defeat an attack that’s already in progress.
Conti’s means of distribution has remained unchanged throughout its evolution. Attackers send a phishing email purporting to originate from a sender the victim trusts. The email contains a link to a Google Drive with a document that has the payload. Once the victim downloads this document, it downloads the Bazar backdoor malware that connects the victim’s device to Conti’s command-and-control server.
Conti attacks encrypt data on an infected machine. It then uses a double-extortion technique, beginning with a demand for a ransom in exchange for a decryption key. The second part of the extortion is to disclose a small portion of the encrypted data, along with a threat to release more data if the ransom isn’t paid. In addition to encrypting data, Conti uses a multithreading technique that allows it to spread quickly once it infects a network, making it difficult to stop. This ransomware also spreads to other systems via Server Message Block (SMB), allowing it to encrypt files on other hosts within a network.
Security firm Coveware ranked Conti as the sixth most active ransomware in its third-quarter report for 2020, largely due to its distribution through a ransomware-as-a-service model. For example, the Trickbot ransomware gang replaced Ryuk with Conti as its preferred weapon in July 2020. Analysts have observed collaboration between the Conti and Trickbot gangs, but haven’t yet determined if this is an exclusive relationship. However, the operating model these groups use makes collaboration with other groups a strong possibility.
The Conti gang says it has received several million dollars in ransom from at least 150 organizations, although Cybereason is unable to verify this claim. The gang also maintains a site where they post some of their victims’ encrypted data. One of its biggest disclosures was 3 GB of data from Advantech, a manufacturer of chips for IoT devices. The Conti gang also leaked 20 files from the Scottish Environment Protection Agency (SEPA), which it claims is seven percent of the data it has from SEPA.
Cybersecurity experts detected the first version of Conti on May 29, 2020, which consisted of an independently executable file with the .conti extension. Upon instruction from a command-and-control server, this version proliferated throughout the targeted system via SMB. Ransomware often uses other tools to gain control over a network, but very few are able to spread by themselves as Conti does.
The second version of Conti was released on October 9, which consisted of the executable, loader and Dynamic Link Library (DLL) file. The most notable changes in this version included a threat to publish the victims’ data if they failed to pay the ransom. It also included technical improvements such as changing the executable’s extension after each attack and using fewer URLs. In addition, this version of Conti didn’t require instructions to begin proliferating.
Version three of Conti was detected on November 6, with the most significant changes including a Python debugger and more URLs.
The first step in preventing any type of ransomware attack is early detection of these indicators. In the case of Conti in particular, defenders also need to shut down their internet-facing remote desktop protocol (RDP) processes if possible, or at least put them behind a virtual private network (VPN) if they’re operationally necessary. Another important defense is the use of layered security, including a response team that continually monitors the network.