Conti Ransomware
GRIDINSOFT TEAMWhy so rude?
The Conti group seems to have no conscience and compassion. One of the most beloved targets for this ransomware group are hospitals and healthcare organizations. This fact is complemented with very high ransom amounts - average ransom reaches almost $850,000. Such a sum of money is pretty big for the companies that ransomware attacks, and it is paid pretty fast, since hospitals cannot conduct their activity without the document flow they have on their computers.
The majority of ransomware groups who apply the same distribution scheme - ransomware-as-a-service - take care to instruct all affiliates to avoid attacking “vital” facilities (in this case they are literally vital). That makes the “image” of these fraudsters slightly better, and helps the group to avoid the increased attention from FBI or other authorities. But not in the case of Conti ransomware.
Ransomware-as-a-service, or shortly RaaS, is a very popular spreading scheme. The developers of ransomware do not have to do a dirty job, which may lead to their capture - they delegate this work to third parties. Darknet is full of offers from various ransomware groups, where crooks offer you to buy the ransomware samples and get the right to distribute it. Of course, purchasing the ransomware is not a cheap action, but it may bring you a very large profit. However, spending it when you are imprisoned for committing cybercrimes is a quite hard task.
As with almost every ransomware group that aims at corporations, Conti ransomware uses additional malware to steal the files and/or confidential information you have on the computers in your network or on your server. Then, criminals ask about the additional ransom payment - to prevent publishing the stolen information or reselling it to the third parties in the Darknet. Sometimes, especially when the stolen data is really interesting for someone, the ransom amount for data may be even bigger than the initial ransom.
| Note | readme.txt |
| C&C Servers | [923.82.128.116], [62.244.80.235], [85.93.88.165], [185.141.63.120], [82.118.21.1] |
| File Extension | CONTI, COSWH, UAKXC, RHMLM, UAKXC, AWSAK, TJODT, SYTCO, TJMBK, FBSYW, KCWTT, KLZUB, MBRNY, EXTEN, PVVXT, ANCIF, WENZW, GFYPK, ALNBR, HJAWF, FMOPQ, XMEYU |
| Algorithm | ChaCha20/8 |
| Features | Can perform the encryption, using up to 32 CPU threads |
| Damage | Deletes Volume Shadow Copies. Disables Microsoft Defender. Steals the data from the disk drives of infected machines. |
| Contact | mantiticvi1976@protonmail.com fahydremu1981@protonmail.com, frosculandra1975@protonmail.com, trafyralhi1988@protonmail.com, sanctornopul1986@protonmail.com, ringpawslanin1984@protonmail.com, liebupneoplan19@protonmail.com, stivobemun1979@protonmail.com, guifullcharti1970@protonmail.com, phrasitliter1981@protonmail.com, elsleepamlen1988@protonmail.com, southbvilolor1973@protonmail.com, glocadboysun1978@protonmail.com, carbedispgret1983@protonmail.com, listun@protonmail.com, mirtum@protonmail.com, maxgary777@protonmail.com, ranosfinger@protonmail.com, bootsdurslecne1976@protonmail.com, rinmayturly1972@protonmail.com, niggchiphoter1974@protonmail.com, lebssickronne1982@protonmail.com, daybayriki1970@protonmail.com |
| Distribution | Email spam, phishing |
Encryption and further actions
Exactly after the injection, Conti ransomware manages to delete all Volume Shadow Copies that are present in your system. These copies are, exactly, the copies of your system disk drive with all files stored on it. Hence, it is pretty easy to use it to get some of the files back - but not with the case of Conti. Meanwhile, the majority of other ransomware variants do the same - cybercriminals who develop them know perfectly about that feature.
The encryption mechanism used by Conti ransomware is ChaCha20. The encryption module is capable of using up to 32 threads of your processor, so the more powerful your system is - the faster the encryption happens. Deals a blow to the companies who purchase Threadripper CPUs for some purposes!
When the encryption is completed, the virus creates a readme.txt file on the infected desktop. Variants of the ransom note:
Your system is LOCKED. Write us on the emails: mantiticvi1976@protonmail.com fahydremu1981@protonmail.com DO NOT TRY to decrypt files using other software.
The network is LOCKED. Do not try to use other software. For decryption KEY write HERE: flapalinta1950@protonmail.com xersami@protonmail.com
Your system is locked down. Do not try to decrypt, otherwise you will damage fails. For decryption tool write on the email: wellproxadsit1980@protonmail.com mabuhyli1982@protonmail.com If you do not pay, we will publish all private data on hxxp://conti.news/
The system LOCKED. For decryption key write on: rootlogin12@protonmail.com Do not try to use other software.
The system is LOCKED. Do not use OTHER software. For DECRYPTOR write on the emails: neucomsiocia1980@protonmail.com renviotiori1976@protonmail.com
How is Conti ransomware spread?
Conti brings nothing new into ransomware distribution. Its distributors use the same tactics as various other groups do - malicious email messages and phishing. However, why do you need to improve or change something that works so well? The efficiency of those methods is pretty high, and they’re cheap enough to keep the margin high. Moreover, it is quite hard to establish the protection from this way of penetration: while vulnerable RDP ports, that are used by Dharma virus, can easily be closed, you are not able to prevent the malicious email spam appearance.
The only way to make the chance of successful Conti infiltration lower is to show the employees who work with email messages how to distinguish the counterfeit with malicious contents from the legitimate message. Fake emails usually have a dubious email address - something like fiyewfbiyg1387@gmail.com or 32yuefbfyqq742@aol.com. Sometimes, fraudsters try to counterfeit a legit email address of the sender they try to mimic. But they still cannot get the domain of the corporation, so messages from amazonsupport@gmail.com are definitely untrustworthy. Other signs of counterfeit are the absurd contents - changes in security terms of the bank you don’t use for several years are irrelevant for you. Even if this email is real - there is no reason to open it.
Cybercriminals hide the Conti ransomware inside of the attached file. Microsoft Office has a pretty big security breach, known as macros. This function sometimes helps to make the document more interactive, but also acts as a perfect carrier for viruses. Because of the poor protection mechanisms, virus can easily pass the “sandbox” environment of MS Office and start actions exactly in your system. Microsoft set the macros disabled by default, but it does not help - each time launching the document that contains macros, you will see the pop-up message that offers you to enable macros.
More about Conti ransomware:
| 🔗 Angry Affiliate Leaks Conti Ransomware Gang Playbook |
| 🔗 Conti ransomware attacked the Health Service Executive (HSE) of Ireland |
| 🔗 Conti ransomware got its own website for stolen data |