According to the latest security news, security researchers have identified a new ransomware family, Conti, which is believed to share traits with Ryuk.
First discovered in December 2019, Conti ransomware targets corporate networks and is described as a more advanced and faster version of the well-known Ryuk ransomware. Since its appearance, the malware has continued to spread.
Its modus operandi is similar to that of other ransomware: it moves through the enterprise network to gain full control of the domain administrator credentials. Once it holds full administrative privileges, it encrypts and locks the data stored on the victim's devices and holds it for ransom.
Underlying Connection Between Conti & Ryuk
Based on the analysis report by Vitali Kremez of SentinelLabs, Conti is a possible successor of the older Ryuk ransomware for the following reasons:
- Conti ransomware is based on the code used by the second version of Ryuk.
- The ransom note used by Conti resembles those used by Ryuk in its earlier attacks.
- Both variants use TrickBot infrastructure, which also hints at a link between the two. Over time, the decrease in the number of Ryuk attacks has been matched by an increase in attacks carried out by Conti ransomware.
Interesting Facts About Conti Ransomware
- To start with, the ransomware stops all major Windows services associated with email, backup, security, and databases.
- Next, it deletes all Volume Shadow Copies and starts the encryption process.
- Encrypted files receive the “.Conti” extension, and a CONTI_README.txt file is dropped to display the ransom note.
- It locks individual files with AES-256, which is then wrapped with an RSA-4096 public key in a bundled form.
- It accepts two encryption arguments: “--encrypt_mode local” targets local drives, while “--encrypt_mode network” encrypts the entire network in one go.
- It can also encrypt a list of host IP addresses supplied with the “-h” argument.
- For faster encryption, Conti runs 32 encryption threads, which also makes the infected system slow and sluggish.
- It also abuses the Windows Restart Manager, disrupting normal operation and preventing the encrypted files from being opened.
Distinguishing features: the RSA key used to encrypt victims' files is unique per victim, and the ransom note contains very few details.
Given how this malware operates, organizations must take the necessary steps to prevent infection in the first place. Here are a few measures that security experts recommend.
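As an added example (not from the original article or from the SentinelLabs analysis), the following Python script turns the behaviours listed above into a simple detection check over process-creation and file-creation log lines, and correlates the hits per executable so that a single noisy indicator such as “-h” does not raise an alert on its own. The log lines are constructed for illustration. The shadow-copy-deletion and service-stop command patterns are assumptions about how that activity commonly appears in Windows logs, not indicators taken from this article; the encrypt_mode and -h arguments, the .Conti extension and the CONTI_README.txt file name are the ones the article describes.

```python
"""Hunt for the Conti behaviour chain in process/file event logs (added example)."""
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on Sysmon process-creation (EID 1)
# and file-creation (EID 11) records. This is not a real capture.
SAMPLE_LOG = r'''
EID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
EID=1 Image=C:\Windows\System32\net.exe CommandLine="net stop MSSQLSERVER /y"
EID=1 Image=C:\Users\Public\update.exe CommandLine="update.exe --encrypt_mode network"
EID=1 Image=C:\Users\Public\update.exe CommandLine="update.exe -h hosts.txt"
EID=11 Image=C:\Users\Public\update.exe TargetFilename=C:\Users\alice\Documents\report.docx.Conti
EID=11 Image=C:\Users\Public\update.exe TargetFilename=C:\Users\alice\Documents\CONTI_README.txt
EID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt"
'''

# key=value tokens; values may be double-quoted when they contain spaces.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (rule name, event field to inspect, pattern)
RULES = [
    # Shadow copy deletion before encryption. The command shapes below are an
    # assumption about common tooling, not taken from the article.
    ("shadow_copy_deletion", "CommandLine",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    # Stopping backup/database/security services (service names are not on the page).
    ("service_stop", "CommandLine",
     re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\b", re.I)),
    # The encrypt_mode argument described in the article (single or double dash).
    ("encrypt_mode_arg", "CommandLine",
     re.compile(r"(^|\s)--?encrypt_mode\s+(local|network)\b", re.I)),
    # The -h host-list argument from the article; noisy alone, so it only adds weight.
    ("host_list_arg", "CommandLine", re.compile(r"(^|\s)-h\s+\S+")),
    # Encrypted-file extension and ransom note name from the article.
    ("conti_extension", "TargetFilename", re.compile(r"\.conti$", re.I)),
    ("conti_ransom_note", "TargetFilename", re.compile(r"(^|\\)CONTI_README\.txt$", re.I)),
]

# Indicators strong enough that two distinct ones justify a high-severity alert.
STRONG = {"shadow_copy_deletion", "encrypt_mode_arg", "conti_extension", "conti_ransom_note"}


def parse_event(line):
    """Turn one 'key=value key="value with spaces"' line into a dict."""
    return {key: value.strip('"') for key, value in TOKEN.findall(line)}


def match_rules(event):
    """Return the names of all rules whose pattern matches the event."""
    hits = []
    for name, field, pattern in RULES:
        value = event.get(field)
        if value is not None and pattern.search(value):
            hits.append(name)
    return hits


def hunt(log_text):
    """Scan every non-empty line; return (line number, image, rule hits) per match."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_event(line)
        hits = match_rules(event)
        if hits:
            findings.append((lineno, event.get("Image", "?"), hits))
    return findings


def triage(findings):
    """Group rule hits by executable so the behaviour chain can be scored as a whole."""
    by_image = defaultdict(set)
    for _, image, hits in findings:
        by_image[image].update(hits)
    return {image: sorted(rules) for image, rules in by_image.items()}


def severity(rules):
    """Two or more strong indicators from one executable: high; anything else: medium."""
    strong_hits = len(set(rules) & STRONG)
    if strong_hits >= 2:
        return "high"
    return "medium" if rules else "none"


if __name__ == "__main__":
    for image, rules in triage(hunt(SAMPLE_LOG)).items():
        print(f"{severity(rules):6} {image}: {', '.join(rules)}")
```

In the sample, the unknown binary under C:\Users\Public hits four distinct indicators and scores high, while the lone vssadmin and net.exe events score medium; in a real deployment the per-image grouping would be keyed on process GUID or host plus image, and the service-stop rule would be narrowed to the backup, database and security services an organization actually runs.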
Preventive and Safety Measures
- Create system backups regularly.
- Protect your device with a strong firewall along with a system security suite.
- Avoid opening suspicious attachments and refrain from clicking on unknown links.
- Keep your device updated to patch security holes and benefit from improved system protection.
- Use an ad-blocker to stop malicious ads from being displayed on your device.
- Always use a strong VPN connection.