The year has already seen several new ransomware strains emerge into the wild as well as some new campaigns from new ransomware families. With the discovery of Conti this trend continues. Conti does not deserve mention for being part of a trend but rather for the unique features and the unique spin on ransomware traits the ransomware’s developers have instilled in the malware. In a technical report published by security firm Carbon Black, the curtain has been drawn back to reveal a dangerous strain of the ransomware despite being in its infancy.
According to the report, the ransomware boasts three features that separate it from the mass of other ransomware strains currently making up the threat landscape. Those being that the ransomware has a network only encryption mode, high-speed file encryption, and the ransomware’s capability to abuse Windows Restart Manager. Returning to the network only encryption mode, for the time being, in essence, this allows the ransomware an incredible amount of control over what is targeted for encryption which in turn can be done by the attacker via a command-line client. In practice, this allows the attacker to skip encrypting files on local drives and focus solely on targeting network drives and the files shared on them.
This is done simply by inputting the IP address of the network drive into the command-line client. Explaining this feature further Brian Baskin, Technical Director of Threat Research at Carbon Black noted,
“The notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities. A successful attack may have destruction that's limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment. This also has the effect of reducing the overall 'noise' of a ransomware attack where hundreds of systems immediately start showing signs of infection. Instead, the encryption may not even be noticeable for days, or weeks, later once the data is accessed by a user,”
Further, this feature would make it harder for those responding to an infection incident to pinpoint exactly where the exact entry into the victim’s network occurred. This is an incredibly useful feature to have amongst what researchers call “human-operated” ransomware that is dependent on the human operator to find a target, compromise said target then execute the ransomware.
To be able to hide an entry point potentially leaves an organization open for another attack as well as preventing comprehensive malware analysis that could prevent a future attack by the same malware and hacker. Highlighting this feature it is hoped that the dangers posed by “human-operated” ransomware can be illustrated better. The strains and those operating them have a unique understanding of how large corporations are structured as well as as their IT infrastructure, some even look to actively recruit disgruntled employees with privileged system access. All effort is placed on turning the specific target into a victim.
Hyper Speed Encryption
Another factor worth mentioning is the speed that Conti can encrypt data once executed. Encrypting data is a noisy process and is a clear indicator of security products that something is wrong and needs to be stopped. By increasing the rate of encryption helps the attacker to encrypt targeted files before either security software or system admins can react. Once encryption begins, stealth is thrown out the window, and speed and efficiency are now the primary requirements.
To speed up the encryption process Conti run multiple encryption threads in memory. This is not a new or even unique tactic, Sodinokibi is perhaps the best example of a well-known ransomware that does this. However, what makes Conti noteworthy in this regard is the number of threads run concurrently. In Conti’s case, it runs 32 concurrent threads allowing for far faster encryption than many of the other ransomware families it would inevitably be compared with. Other than the speed at which encryption is done, the ransomware does not seek to innovate in any other areas of the encryption process. Conti uses the now gold standard in encryption algorithms, namely AES-256. For those who fall victim to the ransomware, it is identifiable by the extension it adds to encrypted files, namely .CONTI. The ransom note likewise can be treated as an identifier and is dropped onto the victim's machines as CONTI_README.txt.
Interestingly as Conti searches for the files it wants to encrypt via a series of command-line executions it does not include a list of file extensions to target. Many other ransomware strains will target important file extension types, especially those related to business operations, and include them in a list. Once files for encryption are found will be cross checked against the list. If it appears on the list then it will be encrypted. As it does not have an extension list the malware does a check of sorts, namely, it checks to ensure that the IP addresses it connects, to begin with, either “172.”, “192.168.”, or “10.”. These prefixes specify the most common IP address ranges for local, non-Internet, systems. Any other prefix is disregarded. Once network drives have been encrypted Conti can attack local storage and here again the malware will apply 32 concurrent threads to the encryption process.
Abusing Windows Restart Manager
The last feature of Conti worth mentioning is how Conti will abuse Windows Restart Manager, a component that unlocks files before performing a system restart. According to Carbon Black, Conti invokes this component to unlock and shut down app processes so it can encrypt their respective data. This trick can be incredibly useful on Windows Servers where most sensitive data is usually managed by a database that's almost always up and running thus preventing the encryption process from running smoothly. Typically files in use or in a database like when on a Windows Server often cannot be modified or encrypted on mass easily.
Carbon Black researcher’s noted that this is an incredibly rare feature only seen by them being used in MedusaLocker which was analyzed by the firm recently and published a subsequent report detailing MedusaLocker’s abuse of the restart manager. With regards to MedusaLocker, researchers noted that,
“One unique aspect of Medusa Locker is its use of the Windows Restart Manager to ensure each file is accessible for encryption. This is necessary as many applications “lock” a file, preventing other applications from writing, or even reading, the contents. Typically, unlocking a file requires identifying the application that has the file open and terminating it. However, Windows has a built-in feature called Restart Manager that assists with that. The malware will use the Restart Manager API calls on each file to encrypt to determine if it is open and, if so, use these API calls to terminate the application. This ensures that as many files are encrypted as possible while performing safe, graceful closure of applications.”
Conti’s abuse of the Windows component is eerily similar and done for the exact same reason as MedusaLocker. Further, when Windows restarts it will apply the component to every instance that is running, Restart Manager can be configured to close and unlock specific files making it incredibly useful to ransomware operators. Conti will process each file earmarked for encryption and process it through the Restart Manager. The advantage of doing this is that files that are targeted for encryption will be encrypted, other ransomware families simply try and encrypt as much as possible in the shortest time frame which may leave files unencrypted as they were running at the time. This is not the case for Conti and increases the potential damage done by the ransomware exponentially. In concluding the researchers summarised this new threat as,
“Overall, Conti represents a unique twist in modern ransomware. We have tracked numerous families that are designed to be driven by the adversary while on the network, with access gained through weak RDP access or vulnerable Internet-facing services. Conti shows an intention behind the actor to also respond to reconnaissance to determine worthwhile servers in the environment that are sensitive to data encryption. It’s implementation of multi-threaded processing, as well as the use of the Windows Restart Manager, shows a feature of incredibly quick, and thorough, encryption of data. The use of large-scale service termination supports this with a focus on targeting a vast array of applications that can be found all across the small business and enterprise fields.”