Ransomware Profile: Conti

Conti is a strain of ransomware that targets organizations in the private and public sectors. It includes some novel features that allow for faster and more selective attacks than most other ransomware families. 

What is Conti?  

Conti is a ransomware family that encrypts files on compromised systems using a unique AES-256 encryption key per file, which is then encrypted with an RSA-4096 encryption key. Conti incidents usually involve the theft of data, which is published on Conti’s data leak site if the victim refuses to pay the ransom. 

Conti typically functions as human-operated ransomware. It features command line capabilities that enable operators monitoring the target environment to directly control, spread and execute the ransomware. This functionality gives attackers the unique ability to selectively choose to encrypt local files, network shares and/or specific IP addresses. 

Prior to encryption, Conti prepares the compromised system by deleting Windows Volume Shadow Copies and disabling 146 Windows services related to backup, security, database and email solutions. 

During encryption, Conti utilizes the Windows Restart Manager API to terminate Windows services that would otherwise keep a file open and unencryptable. A number of ransomware families have adopted this technique, including REvil, SamSam, Medusa Locker and more. Conti uses 32 concurrent threads to perform encryption, making its encryption process faster than most other ransomware strains. All files are encrypted except for those with a .exe, .dll, .lnk or .sys extension. Encrypted files are appended with the .conti extension.  

The Ryuk connection 

It was initially believed that Conti was being operated by the same group responsible for Ryuk, a sophisticated strain of ransomware that was extremely prolific throughout 2019 and the first half of 2020. The indicators included:

• Code: Conti appears to be closely based on the malware code from Ryuk version 2. 
• Distribution: Conti is typically delivered via TrickBot, the same distribution infrastructure used to deploy Ryuk. 
• Ransom note: Conti utilizes the same ransom note template used in early Ryuk attacks. 
• Incident rate: ID Ransomware showed that the number of Conti submissions began increasing mid-June 2020, while Ryuk submissions steadily declined after July, suggesting a possible link.

However, later events indicated that Conti may not be Ryuk’s successor after all. In early 2021, a new Ryuk variant with worm-like capabilities was observed, which proved that the ransomware was still being updated. This suggested that there were two separate groups operating, as it’s unlikely that one ransomware group would maintain two ransomware families.

It is also possible that Conti is a splinter group of Ryuk. The fact that Conti incidents started to increase around the time that Ryuk incidents began to decrease before ramping up again six months later could have been due to Ryuk needing some time to rebuild its team.

The history of Conti 

Conti was first detected in December 2019. There were a handful of isolated Conti incidents over the next few months, with activity increasing significantly in mid-June 2020.

In August 2020, the Conti group launched a leak site (on both the dark web and surface web) where it publishes the stolen data of non-paying victims. The threat of being publicly named and having sensitive data exposed puts additional pressure on victims to pay the ransom. 

Conti ransom note  

After encryption, Conti drops a ransom note named CONTI_README.txt within each encrypted directory. 

In contrast to the verbose notes left by many other ransomware groups, the Conti ransom note contains minimal information. It simply informs victims that their network is locked and remediation should not be attempted, and instructs them to contact an email address to obtain a decryption key. The final line of the note states that private data will be published if payment is not made. 

Who does Conti target?    

Conti targets entities in both the public and private sectors. Government organizations, healthcare providers, schools, charities and enterprises across a wide range of verticals have been impacted by Conti. 

Geographically, Conti incidents are concentrated in North America and Europe.

How does Conti spread? 

Conti is typically delivered via TrickBot, a modular banking trojan that acts as a dropper for other malware and offers a variety of reconnaissance and propagation capabilities. After successfully infiltrating a network, Conti operators seek to obtain privileged credentials and conduct comprehensive reconnaissance in order to maximize the impact of an attack. 

Data encryption is usually the final phase in the attack chain. Attackers may be present on the network for days or even weeks before executing the ransomware. 

Major Conti attacks  

Conti has impacted dozens of organizations in both the public and private sectors. Below is an overview of some of the most notable incidents:

• The Fourth District Court of Louisiana: In September 2020, the Fourth District Court of Louisiana was hit with Conti. The court’s website was forced offline and attackers published on their leak site exfiltrated court documents relating to defendant pleas, witnesses and jurors. 
• Total System Services Inc: In December 2020, U.S. payments processor Total System Services (TSYS) was impacted by Conti. The group leaked more than 10 GB of data, which it claimed was just 15 percent of the total information exfiltrated from TSYS servers.
• Scottish Environment Protection Agency: On Christmas Eve 2020, the Scottish Environment Protection Agency (SEPA) fell victim to Conti, which impacted the organization’s contact center, internal systems, processes and communications. During the incident, more than 4,000 files were stolen – a portion of which was published on the Conti leak site a few weeks later. SEPA did not engage with threat actors or pay the ransom.
• Rehoboth McKinley Christian Health Care Services: In February 2021, Rehoboth McKinley Christian Health Care Services, a not-for-profit hospital in New Mexico, was allegedly hit by Conti. The attack caused significant disruption and forced staff to resort to pen and paper to keep the hospital running. During the attack, threat actors exfiltrated a range of sensitive patient information, including patient ID cards, passports and treatment information, as well as employee files such as job applications and background check authorizations.

How to protect the network from Conti and other ransomware  

The following practices may help organizations reduce the risk of a Conti incident. 

• Cybersecurity awareness training: Because the majority of ransomware spreads through user-initiated actions, organizations should implement training initiatives that focus on teaching end users the fundamentals of cybersecurity. Ransomware and propagation methods are constantly evolving, so training must be an ongoing process to ensure end users are across current threats.
• Credential hygiene: Practicing good credential hygiene can help prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access. 
• Multi-factor authentication: MFA provides an extra layer of security that can help prevent unauthorized access to accounts, tools, systems and data repositories. Organizations should consider enabling MFA wherever possible.   
• Security patches: Organizations of all sizes should have a robust patch management strategy that ensures security updates on all endpoints, servers, and appliances are applied as soon as possible to minimize the window of opportunity for an attack. 
• Backups: Backups are one of the most effective ways of mitigating the effects of a ransomware incident. Many strains of ransomware can spread laterally across the network and encrypt locally stored backups, so organizations should use a mixture of media storage, and store backup copies both on- and off-site. See this guide for more information on creating ransomware-proof backups.
• System hardening: Hardening networks, servers, operating systems and applications is crucial for reducing attack surface and managing potential security vulnerabilities. Disabling unneeded and potentially exploitable services such as PowerShell, RDP, Windows Script Host, Microsoft Office macros, etc. reduces the risk of initial infection, while implementing the principle of least privilege can help prevent lateral movement.
• Block macros: Many ransomware families are delivered via macro-embedded Microsoft Office or PDF documents. Organizations should review their use of macros, consider blocking all macros from the Internet, and only allow vetted and approved macros to execute from trusted locations. 
• Email authentication: Organizations can use a variety of email authentication techniques such as Sender Policy Framework, DomainKeys Identified Mail, and Domain-Based Message Authentication, Reporting and Conformance to detect email spoofing and identify suspicious messages. 
• Network segregation: Effective network segregation helps contain incidents, prevents the spread of malware and reduces disruption to the wider business. 
• Network monitoring: Organizations of all sizes must have systems in place to monitor possible data exfiltration channels and respond immediately to suspicious activity. 
• Penetration testing: Penetration testing can be useful for revealing vulnerabilities in IT infrastructure and employees’ susceptibility to ransomware. Results of the test can be used to allocate IT resources and inform future cybersecurity decisions. 
• Incident response plan: Organizations should have a comprehensive incident response plan in place that details exactly what to do in the event of infection. A swift response can help prevent malware from spreading, minimize disruption and ensure the incident is remediated as efficiently as possible.   

How to remove Conti and other ransomware   

Conti uses sophisticated encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.   

Victims of Conti should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended: 

• Take action to contain the threat.
• Determine the extent of the infection. 
• Identify the source of the infection.
• Collect evidence. 
• Restore the system from backups.
• Ensure all devices on the network are clean. 
• Perform a comprehensive forensic analysis to determine the attack vector, the scope of the incident and the extent of data exfiltration.
• Identify and strengthen vulnerabilities to reduce the risk of a repeat incident.