March 03, 2022

Conti Ransomware – How it Works and 4 Ways to Protect Yourself

By Ofir Yaakobi

What is Conti Ransomware?

Conti is a ransomware-as-a-service (RaaS) affiliate program, first appearing in early 2020. Associated with Russian-speaking cybercrime actors, Conti ransomware developers sell or lease their ransomware technology to affiliates, who then use that technology to carry out their attacks.

The group behind Conti has published a website where they leak documents extracted by the attackers. Data belonging to hundreds of different sectors and organizations have been shared on the Conti extortion site.

Conti’s extortion site

How does Conti ransomware work?

Conti automatically scans networks for valuable targets, encrypting every file it finds and infecting all Windows operating systems. Conti acts in a similar manner to most ransomware, but it has been engineered to be even more efficient and evasive. Once executed on the victim’s endpoint, Conti works by:

  • Immediately encrypting files and changing the file extension of the encrypted files. Each sample has a unique extension that the malware adds to the encrypted files.
  • Attempting to connect to other computers on the same network subnet using the SMB port (445).
  • Leaving a ransom note, named readme.txt or conti_readme.txt, in every folder.

Conti ransomware note

Initial deployment

The attack kill chain begins as soon as the actors first gain access to the network. This often occurs via an email phishing campaign with malicious attachments, such as a macro-enabled Microsoft Word document or a password-protected zip file, that install first-stage malware (such as BazarLoader or Cobalt Strike) onto target systems. Conti is today sold through a RaaS affiliate program and operated by different threat actors. Once Conti is executed, it initiates its encryption and spreading routines.

Evasion techniques

The Conti code is sophisticated, with many obfuscation techniques designed to evade common security techniques and security teams, including a multithreading technique used to encrypt all the files quickly. This allows for maximum damage before endpoint security products can identify and stop it. Conti uses 32 concurrent CPU threads to speed up the encryption process, making it much faster than most ransomware.

The ransomware uses relatively common anti-analysis techniques: loading APIs at runtime and obfuscating specific API calls by referring to them through hash values. It also has a built-in API-unhooking mechanism to disable EDR-based API hooks.

Conti’s developers have hardcoded the RSA public key that the ransomware uses to perform its encryption into the data section of the PE file. This means that it can begin encrypting files even if the malware is unable to reach its C&C servers.

Public RSA key in the Conti sample

Lateral movement

The Conti ransomware immediately moves laterally within the network. It does this by attempting to connect to other computers on the same network subnet using the SMB port. If it finds any shared folders it can access, it will try to encrypt the files on the remote machines as well.

SMB scanning by Conti during the infection
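
The SMB behaviour described above can be hunted for in network flow data. The following is an added example, not code from the original article: it flags hosts that open TCP/445 connections to many distinct peers in their own subnet within a short window. The flow-record format, the function names, the /24 subnet size and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records, "timestamp src dst dport" (not real telemetry):
# one host sweeping its subnet on 445, one normal file-server client, one bad line.
SAMPLE_FLOWS = "\n".join(
    [f"2024-01-01T10:00:{i:02d} 10.0.5.23 10.0.5.{i + 1} 445" for i in range(8)]
    + ["2024-01-01T10:00:05 10.0.5.40 10.0.5.10 445",
       "2024-01-01T10:00:20 10.0.5.40 10.0.5.10 445",
       "2024-01-01T10:00:30 10.0.5.40 192.0.2.10 443",
       "truncated-record"]
)

def parse_flows(text):
    """Yield (time, src, dst, dport) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), ip_address(parts[1]),
                   ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def smb_fanout_alerts(flows, window=timedelta(seconds=60), threshold=5, prefix=24):
    """Map each source that reached `threshold` distinct same-subnet SMB peers
    inside `window` to the highest peer count observed."""
    recent = defaultdict(deque)   # src -> (time, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        if dport != 445:
            continue
        # Only same-subnet targets count, matching the behaviour described above.
        if dst not in ip_network(f"{src}/{prefix}", strict=False):
            continue
        queue = recent[src]
        queue.append((ts, dst))
        while ts - queue[0][0] > window:
            queue.popleft()
        peers = len({d for _, d in queue})
        if peers >= threshold:
            alerts[str(src)] = max(alerts.get(str(src), 0), peers)
    return alerts

if __name__ == "__main__":
    for host, peers in smb_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {host}: {peers} distinct SMB peers in one window")
```

File servers, backup hosts and vulnerability scanners legitimately fan out over SMB, so they need an allowlist or a higher threshold.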
