Ransomware Profile: Conti

Conti is a strain of ransomware that targets organizations in the private and public sectors. It includes some novel features that allow for faster and more selective attacks than most other ransomware families. 

What is Conti?  

Conti is a ransomware family that encrypts files on compromised systems using a unique AES-256 encryption key per file, which is then encrypted with an RSA-4096 encryption key. Conti incidents usually involve the theft of data, which is published on Conti’s data leak site if the victim refuses to pay the ransom. 

Conti typically functions as human-operated ransomware. It features command line capabilities that enable operators monitoring the target environment to directly control, spread and execute the ransomware. This functionality gives attackers the unique ability to choose whether to encrypt local files, network shares and/or specific IP addresses.

Prior to encryption, Conti prepares the compromised system by deleting Windows Volume Shadow Copies and disabling 146 Windows services related to backup, security, database and email solutions. 

During encryption, Conti utilizes the Windows Restart Manager API to terminate Windows services that would otherwise keep a file open and unencryptable. A number of ransomware families have adopted this technique, including REvil, SamSam, Medusa Locker and more. Conti uses 32 concurrent threads to perform encryption, making its encryption process faster than most other ransomware strains. All files are encrypted except for those with a .exe, .dll, .lnk or .sys extension. Encrypted files are appended with the .conti extension.  

The Ryuk connection 

It was initially believed that Conti was being operated by the same group responsible for Ryuk, a sophisticated strain of ransomware that was extremely prolific throughout 2019 and the first half of 2020. The indicators included:

However, later events indicated that Conti may not be Ryuk’s successor after all. In early 2021, a new Ryuk variant with worm-like capabilities was observed, which proved that the ransomware was still being updated. This suggested that there were two separate groups operating, as it’s unlikely that one ransomware group would maintain two ransomware families.

It is also possible that Conti is a splinter group of Ryuk. Conti incidents started to increase around the time that Ryuk incidents began to decrease, and Ryuk activity ramped up again six months later. This pattern could have been due to Ryuk needing some time to rebuild its team.

The history of Conti 

Conti was first detected in December 2019. There were a handful of isolated Conti incidents over the next few months, with activity increasing significantly in mid-June 2020.

In August 2020, the Conti group launched a leak site (on both the dark web and surface web) where it publishes the stolen data of non-paying victims. The threat of being publicly named and having sensitive data exposed puts additional pressure on victims to pay the ransom. 

Conti ransom note  

After encryption, Conti drops a ransom note named CONTI_README.txt within each encrypted directory. 

In contrast to the verbose notes left by many other ransomware groups, the Conti ransom note contains minimal information. It simply informs victims that their network is locked and remediation should not be attempted, and instructs them to contact an email address to obtain a decryption key. The final line of the note states that private data will be published if payment is not made. 
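For incident scoping, the file-system artifacts described above can be checked directly. The following is an added example, not Emsisoft's code: a read-only triage pass that walks a directory tree and classifies each folder using only the indicators named on this page (the CONTI_README.txt note, the .conti extension and the four skipped extensions). The function names, status labels and sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

NOTE_NAME = "conti_readme.txt"               # ransom note name from this page, lowercased
ENC_SUFFIX = ".conti"                        # extension appended to encrypted files
SKIPPED = {".exe", ".dll", ".lnk", ".sys"}   # extensions the page says are left unencrypted


def triage(root):
    """Walk root (read-only) and classify each directory by the artifacts it holds."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        note = NOTE_NAME in lowered
        encrypted = [f for f in lowered if f.endswith(ENC_SUFFIX)]
        # Files that would normally have been encrypted but still carry their own name.
        intact = sorted(f for f in files
                        if f.lower() != NOTE_NAME
                        and not f.lower().endswith(ENC_SUFFIX)
                        and Path(f).suffix.lower() not in SKIPPED)
        if not note and not encrypted:
            status = "clean"
        elif intact:
            status = "partial"   # interrupted or selective run: some data still usable
        else:
            status = "full"      # nothing left in place except skipped file types
        report[os.path.relpath(dirpath, root)] = {
            "status": status, "note": note,
            "encrypted": len(encrypted), "intact": intact}
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "finance": ["CONTI_README.txt", "q1.xlsx.conti", "q2.xlsx.conti", "viewer.exe"],
        "hr": ["CONTI_README.txt", "roster.docx.conti", "policy.pdf"],
        "tools": ["setup.exe", "notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            Path(root, folder, name).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(triage(tmp).items()):
            print(folder, info)
```

Folders reported as "partial" are worth prioritizing when deciding what must be restored from backup, since some of their files still carry their original names.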

Who does Conti target?    

Conti targets entities in both the public and private sectors. Government organizations, healthcare providers, schools, charities and enterprises across a wide range of verticals have been impacted by Conti. 

Geographically, Conti incidents are concentrated in North America and Europe.

How does Conti spread? 

Conti is typically delivered via TrickBot, a modular banking trojan that acts as a dropper for other malware and offers a variety of reconnaissance and propagation capabilities. After successfully infiltrating a network, Conti operators seek to obtain privileged credentials and conduct comprehensive reconnaissance in order to maximize the impact of an attack. 

Data encryption is usually the final phase in the attack chain. Attackers may be present on the network for days or even weeks before executing the ransomware. 

Major Conti attacks  

Conti has impacted dozens of organizations in both the public and private sectors. Below is an overview of some of the most notable incidents:

How to protect the network from Conti and other ransomware  

The following practices may help organizations reduce the risk of a Conti incident. 

How to remove Conti and other ransomware   

Conti uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.   

Victims of Conti should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.
