
The Conti Ransomware is an emerging threat targeting corporate networks with new features that allow it to perform quicker and more targeted attacks. There are also indications that this ransomware shares the same malware code as Ryuk, which has slowly been fading away while Conti's distribution is increasing.
Conti is enterprise-targeting ransomware that BleepingComputer started tracking at the beginning of June 2020.
The ransomware was first seen distributed in isolated attacks at the end of December 2019. Over time, attacks slowly increased, until the end of June, when we saw an increase in victims on the ransomware identification site ID Ransomware.

Like other ransomware infections in this category, Conti operators will breach corporate networks and spread laterally until they gain domain admin credentials. Once administrative privileges are achieved, the threat actors deploy the ransomware to encrypt its devices.
It is not known at this time if the Conti operators also steal files from their victims' networks before encrypting.
The Ryuk and Conti connection
In August 2017, the Hermes Ransomware was being sold on the Exploit.in hacking forum by a Russian-speaking threat actor.
Advanced Intel's Vitali Kremez believes that threat actors might have purchased this ransomware builder and turned it into Ryuk.
At some point, the threat actors using Ryuk splintered, re-branded or decided to transition to the "Conti" name, which appears to be based on the code from Ryuk version 2.
In addition to similarities in the malware code, a more descriptive Conti ransom note has been seen that uses the exact same template utilized by Ryuk in earlier attacks.

In addition to the ransom notes, Kremez has seen the same TrickBot infrastructure being used by both Ryuk and the Conti threat actors as part of ransomware attacks.
"Based on multiple incident response matters and current assessment, it is believed that Conti ransomware is linked to the same Ryuk ransomware developer group based on the code reuse and unique TrickBot distribution. The same distribution attack vector is used widely by the Ryuk deployment group," Kremez told BleepingComputer in a conversation about the two ransomware families.
While it is not 100% clear if Conti is a successor to Ryuk, submission graphs on ID Ransomware clearly show Conti attacks increasing and Ryuk diminishing.

A nose dive into the Conti Ransomware
In a new report by Carbon Black, researchers provide insight into some of the interesting features found in the Conti Ransomware.
According to the researchers, when first started, Conti will prepare the computer for encryption by stopping 146 Windows services related to security, backup, database, and email solutions.
The ransomware will then clear the Shadow Volume copies and begin encrypting a computer.
When encrypting a computer, the ransomware will append the .CONTI extension to encrypted files and drop a ransom note named CONTI_README.txt in each folder.
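As an added example that is not part of the article or of the Carbon Black report, the following Python sketch shows how a defender could turn the pre-encryption behaviour just described (a burst of service stops, then many files taking the .CONTI extension and CONTI_README.txt notes appearing) into simple detection logic over host event logs. The log line format, host names, service names, file paths and thresholds are all constructed for the example; Event ID 7036 (Service Control Manager "entered the stopped state") and Sysmon Event ID 11 (FileCreate) are the real Windows events a practitioner would map these fields to.

```python
"""Sliding-window detection for Conti-style pre-encryption and encryption activity.

All sample log lines are constructed for this example. Thresholds are
assumptions chosen for illustration, not figures from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (assumed): how many events of one kind per host, within one window,
# before we raise an alert.
SERVICE_STOP_THRESHOLD = 20
ENCRYPTED_FILE_THRESHOLD = 10
WINDOW = timedelta(seconds=60)

# Indicators taken from the article's IOC section.
RANSOM_NOTE_NAME = "conti_readme.txt"
ENCRYPTED_EXT = ".conti"

# Constructed log line shape: "<iso-timestamp> host=<name> event_id=<n> <key="value" ...>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) (?P<rest>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    evt = {"ts": datetime.fromisoformat(m.group("ts")),
           "host": m.group("host"), "eid": int(m.group("eid"))}
    rest = m.group("rest")
    if evt["eid"] == 7036:  # Service Control Manager state change
        svc = re.search(r'service="([^"]*)" state=(\w+)', rest)
        if svc:
            evt["service"], evt["state"] = svc.group(1), svc.group(2)
    elif evt["eid"] == 11:  # Sysmon FileCreate
        path = re.search(r'path="([^"]*)"', rest)
        if path:
            evt["path"] = path.group(1)
    return evt


class BurstDetector:
    """Count events of one kind per host inside a sliding time window; alert once per host."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)
        self.alerted = set()

    def observe(self, host, ts):
        q = self.seen[host]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and host not in self.alerted:
            self.alerted.add(host)
            return True
        return False


def detect(lines):
    """Return (host, alert_name, timestamp) tuples for the behaviours the article describes."""
    stops = BurstDetector(SERVICE_STOP_THRESHOLD, WINDOW)
    encrypted = BurstDetector(ENCRYPTED_FILE_THRESHOLD, WINDOW)
    alerts = []
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        host, ts = evt["host"], evt["ts"]
        if evt["eid"] == 7036 and evt.get("state") == "stopped":
            if stops.observe(host, ts):
                alerts.append((host, "mass_service_stop", ts))
        elif evt["eid"] == 11 and "path" in evt:
            name = evt["path"].rsplit("\\", 1)[-1].lower()
            if name == RANSOM_NOTE_NAME:
                alerts.append((host, "ransom_note_created", ts))
            elif name.endswith(ENCRYPTED_EXT) and encrypted.observe(host, ts):
                alerts.append((host, "mass_conti_extension", ts))
    return alerts


def build_sample_log():
    """Constructed events: one host with a Conti-like sequence, one host with benign noise."""
    base = datetime(2020, 7, 8, 2, 15, 0)
    lines = []
    for i in range(25):  # 25 service stops in 25 seconds on WS01
        lines.append(f'{(base + timedelta(seconds=i)).isoformat()} host=WS01 '
                     f'event_id=7036 service="svc{i:03d}" state=stopped')
    for i in range(12):  # 12 files renamed to .CONTI a minute later
        lines.append(f'{(base + timedelta(seconds=60 + i)).isoformat()} host=WS01 '
                     f'event_id=11 path="C:\\Users\\alice\\Documents\\report{i}.docx.CONTI"')
    lines.append(f'{(base + timedelta(seconds=75)).isoformat()} host=WS01 '
                 f'event_id=11 path="C:\\Users\\alice\\Documents\\CONTI_README.txt"')
    for i in range(3):  # WS02: a few unrelated restarts, below threshold
        lines.append(f'{(base + timedelta(seconds=i * 10)).isoformat()} host=WS02 '
                     f'event_id=7036 service="Spooler" state=stopped')
    return lines


if __name__ == "__main__":
    for host, name, ts in detect(build_sample_log()):
        print(f"{ts.isoformat()} {host} {name}")
```

The sliding window matters more than the raw count: ordinary maintenance also stops services, but rarely dozens within a minute, and the .CONTI and CONTI_README.txt indicators on the same host shortly afterwards raise confidence that the service stops were preparation rather than patching.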
Michael Gillespie, who analyzed the encryption algorithm in June, told BleepingComputer that when encrypting data, the ransomware uses a unique AES-256 encryption key per file, which is then encrypted with a bundled RSA-4096 public encryption key.
This RSA key is unique per victim.
Unlike most ransomware seen by BleepingComputer, Conti's ransom note contains the barest amount of details regarding the attack and how to contact the attackers, which is similar to how Ryuk creates its ransom notes.
Coveware's Bill Siegel told BleepingComputer that the average ransom demand for this ransomware is under $100,000. This amount is relatively low compared to other similar ransomware infections.
Conti supports an '--encrypt_mode' argument that modifies the default behavior of the ransomware to refine the encryption process.
When using '--encrypt_mode local', only the local drives are encrypted, and when using '--encrypt_mode network', only the network shares are encrypted.
Conti also supports the '-h' argument to specify a list of IP addresses to target for encryption.
Some of the other interesting features of the ransomware are described below.
32 threads used during encryption
Carbon Black noted that when encrypting a device, Conti will use multiple threads to encrypt different files simultaneously.
While multi-threaded ransomware is not new, Conti's use of 32 threads stands out and allows the ransomware to encrypt a machine at very fast speeds.
However, this speed comes with a trade-off, as in BleepingComputer's tests, we saw a significant increase in CPU and disk utilization that caused the machine to slow down and become sluggish.
These symptoms could easily trigger suspicion and cause a user to investigate what may be wrong with their computer, leading to the ransomware discovery.
As most ransomware attacks occur after-hours, this may not be much of a concern as the computers would not be used during the encryption process.
Uses Windows restart manager to close open files
When encrypting files, Conti will use a Windows API called the 'Windows Restart Manager' that will terminate processes or Windows services that keep a file open during encryption.
Microsoft created the Restart Manager to make it easier to install software updates without a restart, but ransomware infections are now starting to utilize it to encrypt databases and other important files that are inaccessible while opened by another process.
"The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. The primary reason software updates require a system restart during an installation or update is that some of the files that are being updated are currently being used by a running application or service. The Restart Manager enables all but the critical system services to be shut down and restarted. This frees files that are in use and allows installation operations to complete," Microsoft explains in their API documentation.
Conti is not the first ransomware to utilize this API.
REvil (Sodinokibi), Medusa Locker, SamSam, and LockerGoga also utilize the Windows Restart Manager API during their encryption and, in some cases, decryption processes.
With Conti's increased distribution and advanced features, this ransomware is one that we will need to keep an eye on.
IOCs:
Associated file names:
CONTI_README.txt
Associated emails:
flapalinta1950@protonmail.com
xersami@protonmail.com
Ransom note text:
The network is LOCKED. Do not try to use other software. For decryption KEY write HERE:
flapalinta1950@protonmail.com
xersami@protonmail.com
Comments
Amigo-A - 2 years ago
Hello! Thanks for the details of the new attack.
An amendment:
I have been tracking early versions of Conti Ransomware since November 2019, but it had been used before that as well:
https://id-ransomware.blogspot.com/2019/11/conti-ransomware.html