Conti Ransomware - How it Works and 4 Ways to Protect Yourself

By Ofir Yaakobi

What is Conti Ransomware?

Conti is a ransomware-as-a-service (RaaS) affiliate program, first appearing in early 2020. Associated with Russian-speaking cybercrime actors, Conti ransomware developers sell or lease their ransomware technology to affiliates, who then use that technology to carry out their attacks. 

The group behind Conti has published a website where they leak documents extracted by the attackers. Data belonging to hundreds of different sectors and organisations have been shared on the Conti extortion site.

Conti Ransomware - How it Works and 4 Ways to Protect Yourself
Conti’s extortion site

How does Conti ransomware work?

Conti automatically scans networks for valuable targets, encrypting every file it finds and infecting all Windows operating systems. Conti acts in a similar manner to most ransomware, but it has been engineered to be even more efficient and evasive. Once executed on the victim’s endpoint, Conti works by:

  • Immediately encrypting files and changing the file extension of the encrypted files. Each sample has a unique extension that the malware adds to the encrypted files.
  • Attempting to connect to other computers on the same network subnet using the SMB port (445).
  • Leaving a ransom note in every folder that has the filename readme.txt/conti_readme.txt
Conti Ransomware - How it Works and 4 Ways to Protect Yourself
Conti ransomware note

Initial deployment

The attack kill chain begins as soon as the actors first gain access to the network. This often occurs via an email phishing campaign that contains malicious attachments - such as a macro-enabled Microsoft Word document or password-protected zip file, which installs a first-stage malware (such as BazarLoader or Cobalt Strike) onto target systems. Conti today is sold behind a RaaS affiliation program and operated by different threat actors. Once Conti is executed, it initiates its encryption and spreading routines.

Evasion techniques

The Conti code is sophisticated with many obfuscation techniques designed to evade the common security techniques and security teams - including a multithreading technique used to encrypt all the files quickly. This allows for maximum damage before it can be identified and stopped by endpoint security products. Conti uses 32 concurrent CPU threads to hasten the encryption process, making it much faster than most ransomware.

The ransomware uses relatively common anti-analysis techniques, which are runtime API loading and obfuscating specific API calls by using hash values. It also uses an API-unhooking mechanism built inside to disable EDR-based API hooks.

Conti’s developers have hardcoded the RSA public key into the data section of the PE file, which the ransomware uses to perform its encryption. This means that it can begin encrypting files even if the malware is unable to reach its C&C servers.

Conti Ransomware - How it Works and 4 Ways to Protect Yourself
Public RSA key in the Conti sample

Lateral movement

The Conti ransomware immediately moves laterally within the network. It does this by attempting to connect to other computers on the same network subnet using the SMB port. If it finds any shared folders it can access, it will try to encrypt the files on the remote machines as well.

Conti Ransomware - How it Works and 4 Ways to Protect Yourself
SMB scanning by Conti during the infection

Four ways to protect against Conti ransomware

There are 4 primary ways of protecting against Conti Ransomware:

1. Detect Conti pre-delivery

    In the vast majority of Conti ransomware attacks, the phishing email is the starting point. Therefore, the logical and best place to start is with an email protection solution that detects advanced threats, such as Datto SaaS Defense. As a result, the threat is stopped upstream, preventing further damage.

    2. Protect each endpoint

      Next, it’s important to protect individual endpoints from infection. A remote monitoring and management (RMM) tool is critical here to ensure that no individual machines have been compromised and any attempt to infect individual machines is picked up and dealt with as early as possible.

      3. Prevent the lateral movement of the ransomware

        As we’ve seen, Conti ransomware will attempt to move laterally within the organisation using SMB. Again, at this stage, an RMM tool is your best chance of keeping your network secure and isolating the infected machine, without necessitating a complete shutdown of the entire network.

        4. Back up your data

          Properly backed-up data is key to ensuring business continuity in the case of an attack – and something that helps you sleep well at night. Specifically for MSPs, this is critical in ensuring your clients have a backup solution. When it comes to data backup, there are numerous backup solutions available including:

          • A full Business Continuity and Disaster Recovery (BCDR) suite: for example, Datto Unified Continuity which covers all business continuity and disaster recovery needs including protecting servers, files, PCs, and SaaS applications.
          • Datto SIRIS, a reliable, all-in-one business continuity and disaster recovery solution built for MSPs to prevent data loss and minimise client downtime.
          • Datto ALTO, a small but powerful business continuity and disaster recovery solution built for MSPs to minimise downtime and efficiently prevent data loss for their small business clients.
          • Datto Endpoint Backup for PCs which protects MSP clients’ Windows-based computers from downtime and data loss and rapidly recovers data in case of disaster.
          • SaaS Protection, which offers reliable and secure cloud-to-cloud backup for Microsoft 365 and Google Workspace to ensure critical cloud data is protected.

          Conti ransomware isn’t going anywhere

          Unfortunately, Conti ransomware is here to stay. We’ve seen recent news regarding activity from the Conti ransomware group as well as new variants that are sure to cause further damage in the future. With a robust defense and response plan for Conti ransomware, you can ensure users, clients, and your organisation are protected against Conti and other ransomware attacks.

          Discover how Datto can help protect your business against ransomware attacks.

          MSP Security Best Practices: Ransomware Attack Prevention

          View this checklist to learn which security measures should be high priority for MSPs to mitigate the risk of ransomware attacks.

          View the Resource

          Suggested Next Reads