Decoding Conti: Analysis and Recovery
Conti spreads through a network quickly using 32 concurrent threads and can launch both manually and without human interaction.
Conti has been on everyone's lips since the attack on the Irish healthcare system (if everyone you know is a malware geek). Run as a Ransomware-as-a-Service (RaaS) affiliate program, Conti has infected high-profile victims, encrypted their data, and held it to ransom.
The gang behind it is evidently experienced. Strong, correctly implemented encryption, no known flaws in the encryptor, and a leak site ready for victims who refuse to pay make for a nasty combination.
Conti Ransomware Analysis
This RaaS comes with a number of features that differentiate it from other ransomware samples.
It spreads through a network quickly using 32 concurrent threads and can be launched by hand or run without any human interaction. The ransomware binary is held on the command and control (C&C) server and fetched at run time, so an investigator who only has the initial stage from an infected host has little code to analyze.
Infection
So far, Conti has been observed getting into systems through one of three routes:
- An open RDP port
- A phishing email
- Exploitation of a security vulnerability
The intrusion also leaves little trace of its entry point, so working out which of these routes was used is often difficult.
Stage One: Loading Into Memory
Once the malware is on the system, it launches a Cobalt Strike DLL that allocates memory and loads the next stage, fetched from the C&C server, into that memory rather than onto disk.
At this point the victim sees nothing: the encryptor has not yet run, and the Beacon exists only in memory.
Stage Two: Full-Scale Encryption
The Beacon is configured with a sample Cobalt Strike Malleable C2 profile from GitHub (trevor.profile), so it checks in to Menus.aspx on the C&C server. Two things follow from that contact:
- Instructions for the reflective DLL loader
- A request to 312-s-fourth-st.html on the C&C server, the remote location where the ransomware binary is hosted
Once the binary has been fetched, the malware encrypts selected file types on the system. Identifying the affected files is easy: every encrypted file has .CONTI appended to its original extension.
Note that the encryptor itself does not need the C&C server: the RSA public key it uses is embedded in the binary, so once it is running it encrypts even if the host can no longer reach the server.
It also reaches network segments that have no internet access, so egress monitoring alone will not show that encryption has begun there. This is still uncommon among ransomware families.
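The C&C URIs named above come from a public Malleable C2 profile, which makes them a usable hunting lead in proxy logs, and the .CONTI extension and ransom note make the blast radius easy to size. The following is an added example, not code from the original article and not Conti's or Cobalt Strike's code: a Go program that scans constructed proxy log lines for requests to the two trevor.profile URIs and triages a file listing for .CONTI files and CONTI.readme.txt notes. The Common Log Format layout, the sample lines (TEST-NET addresses), the file paths, and the names `findC2Requests`, `triageFiles` and `Hit` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// URIs the write-up names from the public trevor.profile Malleable C2 profile.
// Any Beacon configured with that profile, a red team's included, produces
// them, so a hit is a lead to confirm on the host, not proof of Conti.
// Keys are lowercase because IIS-style paths are matched case-insensitively.
var c2URIs = map[string]string{
	"/menus.aspx":           "beacon check-in / reflective loader instructions",
	"/312-s-fourth-st.html": "ransomware binary fetch",
}

// Hit is one proxy request whose path matches a profile URI.
type Hit struct {
	Client, Timestamp, Method, Host, Path, Role string
}

// Common Log Format as most forward proxies write it (layout assumed for
// this example; adjust the expression to your proxy). Group 4 is the
// request target, which may be a full URL or just a path.
var clfLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})`)

// findC2Requests returns the requests whose path matches a profile URI.
// Only the path is compared, so query-string padding does not hide a hit.
func findC2Requests(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		m := clfLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line; skip rather than guess
		}
		u, err := url.Parse(m[4])
		if err != nil {
			continue
		}
		role, ok := c2URIs[strings.ToLower(u.Path)]
		if !ok {
			continue
		}
		hits = append(hits, Hit{Client: m[1], Timestamp: m[2], Method: m[3],
			Host: u.Host, Path: u.Path, Role: role})
	}
	return hits
}

// triageFiles splits a file listing (Windows or UNC paths) into encrypted
// files, recognised by the appended .CONTI extension, and dropped ransom notes.
func triageFiles(paths []string) (encrypted, notes []string) {
	for _, p := range paths {
		name := strings.ToLower(path.Base(strings.ReplaceAll(p, `\`, "/")))
		switch {
		case strings.HasSuffix(name, ".conti"):
			encrypted = append(encrypted, p)
		case name == "conti.readme.txt":
			notes = append(notes, p)
		}
	}
	return encrypted, notes
}

// Constructed sample data: TEST-NET addresses and invented paths, not a real capture.
var sampleProxyLog = []string{
	`10.0.0.5 - - [15/May/2021:10:12:01 +0000] "GET http://203.0.113.7/Menus.aspx HTTP/1.1" 200 4120`,
	`10.0.0.5 - - [15/May/2021:10:12:03 +0000] "POST http://203.0.113.7/312-s-fourth-st.html?id=17 HTTP/1.1" 200 812`,
	`10.0.0.9 - - [15/May/2021:10:13:44 +0000] "GET http://intranet.example/Menus/index.html HTTP/1.1" 200 2210`,
	`10.0.0.9 - - [15/May/2021:10:14:02 +0000] "GET http://update.example/catalog.xml HTTP/1.1" 304 0`,
}

var sampleListing = []string{
	`C:\Users\jdoe\Desktop\CONTI.readme.txt`,
	`C:\Users\jdoe\Documents\Q2-forecast.xlsx.CONTI`,
	`C:\Users\jdoe\Documents\notes.txt`,
	`\\FS01\Finance\ledger.accdb.CONTI`,
}

func main() {
	for _, h := range findC2Requests(sampleProxyLog) {
		fmt.Printf("%s %s %s %s%s  <- %s\n", h.Timestamp, h.Client, h.Method, h.Host, h.Path, h.Role)
	}
	enc, notes := triageFiles(sampleListing)
	fmt.Printf("%d encrypted files, %d ransom notes\n", len(enc), len(notes))
}
```

Two hits come back from the sample log (the check-in and the binary fetch from 10.0.0.5); the intranet request to a path that merely contains "Menus" does not match. Confirm any hit on the endpoint itself before calling it Conti, since the profile is public and shared by legitimate red-team Beacons.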
Encryption
Conti encrypts files with AES-256 and protects the AES keys with an RSA-4096 public key that is unique to each victim (the victim is identified by the ID number in the CONTI.readme.txt file dropped onto the desktop after encryption). The matching private key stays with the operators, which is why there have been no successful decryptions of Conti's output without the gang's own tools.
When all data has been encrypted, a text file is saved onto the desktop: CONTI.readme.txt.
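To see why the encryptor works without a C&C connection and why the output cannot be decrypted without the gang's tools, here is an added example, not Conti's code and not from the original write-up, of the same hybrid construction built from Go's standard library: a fresh AES-256 key per file, the file encrypted under it, and that key sealed under the victim's RSA-4096 public key. The names `newVictimKey`, `lockFile` and `unlockFile`, the choice of AES-GCM as the mode, and the sample file contents are this example's assumptions; the page does not describe Conti's exact file format or mode of operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for a victim's file; not real data.
var sampleFile = []byte("Q2 payroll export (constructed sample input, not real data)")

// newVictimKey stands in for the per-victim RSA pair the operators generate
// on their side. Only the public half is ever compiled into the sample.
func newVictimKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile is the encryptor's path: a random AES-256 key per file, the file
// body encrypted under it, and the key sealed to the victim's RSA public key.
// Nothing here contacts a server, which is why encryption proceeds offline.
// AES-GCM is this example's choice of mode, not a statement about Conti's.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (sealedKey, ciphertext []byte, err error) {
	fileKey := make([]byte, 32) // 256-bit key
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nonce, nonce, plaintext, nil) // nonce || body || tag
	sealedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sealedKey, ciphertext, nil
}

// unlockFile is what the paid-for decryption tool has to do: recover the file
// key with the RSA private key, then the file. Without that private key the
// first step fails, and analysing the binary does not help, because the
// private key was never on the victim's machine.
func unlockFile(priv *rsa.PrivateKey, sealedKey, ciphertext []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot recover file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	priv, err := newVictimKey(4096) // the key size the write-up reports; takes a few seconds
	if err != nil {
		panic(err)
	}
	sealedKey, ct, err := lockFile(&priv.PublicKey, sampleFile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed key %d bytes, ciphertext %d bytes\n", len(sealedKey), len(ct))

	// The victim's position: plenty of ciphertext, the public key, no private key.
	other, _ := newVictimKey(2048)
	if _, err := unlockFile(other, sealedKey, ct); err != nil {
		fmt.Println("with any key but the operators':", err)
	}
	pt, err := unlockFile(priv, sealedKey, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the operators' private key: %q\n", pt)
}
```

The sealed key is the only thing that has to travel back to the operators per victim, which is why the readme's victim ID is enough for them to hand out a working tool, and why a full reverse engineering of the binary recovers nothing the private key protects.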
CONTI.readme.txt file
The readme file contains instructions on how to pay the ransom and receive the decryption tool. (Quite kindly, the gang offers to decrypt two files for free; what a wholesome bunch they are. In practice this is proof that their decryptor works, which makes paying look like the rational choice.)
The file contains a link to the .onion site, a unique ID, and a password for the Conti recovery service portal. There the victim can negotiate the extortion with the attackers and, after paying, receive the decryption tool.
At present there are no known flaws in the encryption scheme or its implementation. Attempts to break the malware have failed, so short of restoring from backups, recovering data from affected devices requires the operators' decryption tool, which means paying.
Recovery
As with most ransomware attacks, the best defenses are the ones implemented beforehand. Offline, tested backups, prompt patching, closing or MFA-protecting exposed RDP, and end-user training against phishing cover the three entry routes above and are the only reliable way to stop this ransomware in its tracks.
At present, files encrypted by Conti cannot be decrypted without the operators' private key. If no usable backups exist, recovery means following the CONTI.readme.txt instructions: the victim accesses the attackers' onion link, pays, and receives the decryption tool.
The Conti team also uses a leak site to publish data stolen from organizations that were infected but refused to pay or tried to recover on their own. Because the data is taken before it is encrypted, even a full restore of every device may not be enough to avoid losing money to gangs using this RaaS.
New Developments
A disgruntled member of the Conti operation leaked internal information about the group to a darknet forum. The leak appears legitimate and was circulated on Twitter.
It includes IP addresses for the C&C servers and an effective how-to for affiliate attackers. Those addresses are worth blocking and retro-hunting for in proxy and firewall logs; it will be interesting to see in the coming days what else can be gleaned from the leak.