What Is It?

Researchers from Carbon Black’s Threat Analysis Unit (TAU) have analyzed a new ransomware variant they have named Conti, based on the file extension appended to the files it encrypts. The ransomware is designed to access as many files as possible and encrypt them quickly without drawing undue attention to itself.

Through the use of command line parameters, Conti can be run in one of three modes: encrypt files on the infected system's local drives only, encrypt files on network shares only, or both (the default behavior). An additional parameter accepts a text file containing a list of IP addresses or hostnames to be used as the first targets for file encryption. When determining network targets, most ransomware performs a scan of the whole network, a process that not only takes time to complete but is also potentially noisy, betraying the presence of the ransomware. To avoid this, Conti extracts a list of recent network connections the infected machine has made and then reduces that list to only the IP addresses beginning with the most commonly used private network prefixes.

Conti takes several steps to encrypt as many files as possible on an infected system. For instance, it issues almost 150 commands to stop various Windows services, mainly those that may hold files open and so prevent them from being encrypted, such as database servers. Conti also uses the previously unseen technique of calling the Windows Restart Manager for every file it attempts to encrypt. In normal use, Windows Restart Manager attempts to cleanly end applications and close their open files when the system is restarting; invoked per file, it has the effect of releasing files that would otherwise be locked.

Regarding file selection, most ransomware uses a list of file extensions to determine which files will be encrypted. In the case of Conti, it will encrypt all files except for executable files (.dll, .exe and .sys file extensions) and link files (.lnk files). Conti also contains a hardcoded list of directories to skip when encrypting and an optional, additional exclusion list can be provided. When encryption begins, Conti can create up to 32 concurrent encryption threads to ensure all targeted files are quickly encrypted. A text ransom note is dropped in each directory and contains two contact email addresses.
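Two of the behaviors described above are observable from ordinary endpoint telemetry before encryption completes: a burst of service-stop commands on one host, and the same note file being written into many directories in a short window. The following detection script is an added example written for this page; it is not code from Carbon Black TAU or BluVector. The log line format, host names, service names, paths and timestamps are all constructed sample values, and the thresholds are assumptions to be tuned against a real environment.

```python
"""Defensive heuristics for two behaviors in the Conti write-up: a burst of
service-stop commands ahead of encryption, and one note file dropped into
many directories.  Added example; log format and all values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ntpath
import re

# Constructed telemetry: "<ISO timestamp> <host> PROC|FILE <payload>".
# PROC carries a process command line, FILE carries a created file path.
# Service names, hosts and paths below are made-up sample values.
SAMPLE_LOG = r"""
2020-07-08T10:00:00Z host01 PROC cmd.exe /c net stop svc_db_a /y
2020-07-08T10:00:00Z host01 PROC cmd.exe /c net stop svc_db_b /y
2020-07-08T10:00:01Z host01 PROC cmd.exe /c net stop svc_backup /y
2020-07-08T10:00:01Z host01 PROC cmd.exe /c net stop svc_mail /y
2020-07-08T10:00:02Z host01 PROC cmd.exe /c net stop svc_index /y
2020-07-08T10:00:02Z host01 PROC cmd.exe /c net stop svc_sync /y
2020-07-08T10:00:05Z host01 FILE C:\Users\alice\Documents\readme.txt
2020-07-08T10:00:05Z host01 FILE C:\Users\alice\Pictures\readme.txt
2020-07-08T10:00:06Z host01 FILE C:\Shares\finance\readme.txt
2020-07-08T10:00:06Z host01 FILE C:\Shares\hr\readme.txt
2020-07-08T10:00:07Z host01 FILE C:\Users\bob\Desktop\readme.txt
2020-07-08T11:30:00Z host02 PROC cmd.exe /c net stop svc_db_a /y
2020-07-08T14:15:00Z host02 PROC sc stop svc_print
2020-07-08T14:15:01Z host02 FILE C:\Users\carol\notes.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>PROC|FILE) (?P<payload>.+)$")
# Command lines that stop a Windows service via net/net1/sc.
STOP_RE = re.compile(r"\b(?:net1?\s+stop|sc(?:\.exe)?\s+stop)\b", re.IGNORECASE)


def parse_event(line):
    """Turn one constructed log line into a dict with a UTC datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "kind": m["kind"], "payload": m["payload"]}


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def service_stop_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts that issued at least `threshold` service-stop commands inside `window`.
    Returns {host: peak count}.  Threshold and window are assumed tuning values."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "PROC" and STOP_RE.search(e["payload"]):
            per_host[e["host"]].append(e["ts"])
    hits = {}
    for host, times in per_host.items():
        peak = _max_in_window(times, window)
        if peak >= threshold:
            hits[host] = peak
    return hits


def note_spray(events, min_dirs=5, window=timedelta(seconds=60)):
    """(host, filename) pairs where one filename was created in at least `min_dirs`
    distinct directories inside `window`.  Uses the first write per directory.
    Returns {(host, filename): number of directories}."""
    per_key = defaultdict(dict)  # (host, name) -> {directory: first timestamp}
    for e in events:
        if e["kind"] != "FILE":
            continue
        directory, name = ntpath.split(e["payload"])  # handles Windows paths anywhere
        per_key[(e["host"], name.lower())].setdefault(directory.lower(), e["ts"])
    hits = {}
    for key, dirs in per_key.items():
        if len(dirs) >= min_dirs and _max_in_window(list(dirs.values()), window) >= min_dirs:
            hits[key] = len(dirs)
    return hits


def analyse(log_text):
    """Run both heuristics over a block of log text."""
    events = [parse_event(line) for line in log_text.strip().splitlines()]
    return {"service_stop_bursts": service_stop_bursts(events), "note_spray": note_spray(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Both heuristics key on behavior rather than on Conti-specific strings, so they also surface other ransomware families that stop services or spray ransom notes; the trade-off is that legitimate maintenance (patch windows, backup jobs restarting services) will trip the service-stop rule, which is why the host name and time of day should feed the final verdict rather than the count alone.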

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. No specific infection vector is known, though ransomware is often a secondary download, with the initial infection vector being malicious Office document attachments. Conti's optional command line options also suggest that the attackers may deploy it manually into environments they have already compromised.

When/How Did BluVector Detect It?

The sample analyzed by Carbon Black TAU is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 26 months prior to its release.