Conti is a new family of ransomware believed to be based on code from Ryuk’s second version. Conti also uses the same ransom note its predecessor used in earlier attacks and reportedly leverages the same Trickbot infrastructure. Conti was recently observed by the Carbon Black Threat Analysis Unit (TAU). Most notably, Conti appears to encrypt faster than most malware families: it allows up to 32 simultaneous encryption efforts, resulting in faster encryption of targeted files. However, Conti is selective in the files it touches; according to TAU, it will encrypt all files except those with the extensions exe, dll, lnk, and sys.

Conti represents another human-operated ransomware variant. While it is able to execute independently, Conti appears to have been designed primarily for direct execution by an adversary who is presumably monitoring the environment. Human-operated ransomware is less likely to be delivered via phishing campaigns, though that is not out of the question. Initial access is more likely to be gained through techniques that leverage system vulnerabilities, such as brute forcing weak remote service configurations or exploiting insecure internet-facing systems. Once initial access has been gained, actors steal privileged credentials through bulk harvesting methods, hide in plain sight by using built-in system tools, and maintain persistence by creating new accounts and modifying system configurations before deploying the ransomware payload. A few of the more notable human-operated ransomware families are REvil, NetWalker, Robbinhood, Maze, PonyFinal, Bitpaymer, and Ryuk.

To increase resilience against ransomware, WaterISAC encourages members to:
- Review/update ransomware and data breach playbooks/policies/procedures and discuss them with your teams.
- Check device and network logs and events for potential intrusions, and consider configuring alerts for changes to files.
- Test backups before you need them and make sure you have a valid copy stored offline.
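One way to act on the second recommendation above (alerting on file changes) is a baseline-and-compare integrity check that flags a burst of altered files on a share. The following is an added example, not code from the WaterISAC advisory or from Carbon Black's analysis. It uses the one concrete detail the advisory gives, that Conti skips files with the exe, dll, lnk and sys extensions, to exclude those files from the ratio so they cannot dilute it; the alert thresholds, the sample file names and the simulated ".locked" rename are constructed assumptions for the demonstration.

```python
"""Baseline-and-compare file integrity check with a mass-change heuristic.

Added example (not from the WaterISAC advisory or Carbon Black's analysis).
The skipped-extension set comes from the advisory; thresholds, sample files
and the simulated encryption pass in demo() are assumptions for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the advisory reports Conti leaves untouched.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys"}

# Assumed alerting thresholds: tune to the normal change rate of the share.
MIN_CHANGED_FILES = 5          # altered files in one comparison interval
MIN_CHANGED_FRACTION = 0.5     # share of encryptable baseline files altered


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return (modified, removed, added) path sets between two snapshots."""
    modified = {p for p in before if p in after and before[p] != after[p]}
    removed = set(before) - set(after)
    added = set(after) - set(before)
    return modified, removed, added


def assess(before, after):
    """Score a snapshot pair for ransomware-like mass modification.

    A file rewritten in place counts as altered. A file that vanished while a
    new file whose name starts with the old name appeared is treated as renamed
    (encryptors commonly append an extension) and also counts as altered.
    Files with the extensions Conti skips are ignored on both sides.
    """
    modified, removed, added = diff_snapshots(before, after)

    def encryptable(paths):
        return {p for p in paths if Path(p).suffix.lower() not in SKIPPED_EXTENSIONS}

    renamed = {p for p in encryptable(removed) if any(a.startswith(p) for a in added)}
    altered = encryptable(modified) | renamed
    baseline = encryptable(before)
    fraction = len(altered) / len(baseline) if baseline else 0.0
    alert = len(altered) >= MIN_CHANGED_FILES and fraction >= MIN_CHANGED_FRACTION
    return {"altered": sorted(altered), "fraction": round(fraction, 2), "alert": alert}


def demo():
    """Constructed scenario: baseline a small share, then mass-alter its files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        names = ["q1.xlsx", "plan.docx", "scada.cfg", "notes.txt", "map.pdf",
                 "tool.exe", "drv.sys"]
        for n in names:
            (root / n).write_bytes(b"original content of " + n.encode())
        before = snapshot(root)

        # Simulated encryption pass (assumption for the demo): every file not in
        # the skipped set is overwritten and given a constructed ".locked" suffix.
        for n in names:
            p = root / n
            if p.suffix.lower() in SKIPPED_EXTENSIONS:
                continue
            p.write_bytes(hashlib.sha256(p.read_bytes()).digest())
            p.rename(root / (n + ".locked"))
        after = snapshot(root)
        return assess(before, after)


if __name__ == "__main__":
    print(demo())
```

Run periodically against a baseline taken from a known-good state; a single edited document stays well under the thresholds, while a pass that rewrites or renames most of the encryptable files in one interval raises the alert. Pair it with offline backups, since detection after the fact only helps if there is a clean copy to restore.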
Read more about Conti’s functionality at Carbon Black.