Conti ransomware targets corporate networks and is built for fast, targeted attacks. There are also many indications that it shares code with Ryuk ransomware, which by recent reports has slowly been fading away. The strain was first seen in isolated attacks at the end of December 2019, and attacks have gradually increased since then.
The Conti and Ryuk Ransomware Connection and Differences
In August 2017, Hermes ransomware was put up for sale on the Exploit.in hacking forum by a Russian cybercriminal. According to Advanced Intel’s Vitali Kremez, the Ryuk operators may have purchased this ransomware builder and turned it into Ryuk. Eventually, those same operators appear to have re-branded and slowly transitioned to “Conti,” which looks to be based on code from the second version of Ryuk. Beyond the code similarities, the Conti ransom note uses the same template that Ryuk used in earlier attacks.
Like most other ransomware strains, Conti determines which files to encrypt by scouring local drives and SMB network shares. It then encrypts those files with AES-256 under a hard-coded public key. Note that AES-256 is a symmetric cipher, so the public key cannot encrypt the file data itself; in a scheme like this, the embedded public key wraps the per-file AES keys, and only the attacker’s matching private key, which never touches the victim’s machine, can unwrap them. Conti also sports multiple anti-analysis features, including an encoding routine applied to nearly every string in the binary, meant to slow detection and reverse engineering. The same technique hides the names of the Windows API functions the ransomware calls, so they are not visible as plain strings.
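The following is an added example, not Conti’s own code, of the generic hybrid scheme that “AES-256 with a hard-coded public key” describes: each file gets a fresh random AES-256 key, and only that key is encrypted (wrapped) with an RSA public key embedded in the payload. Key sizes, the RSA-OAEP wrapping, the blob layout and the function names are assumptions made for the demo; the page does not state how Conti lays out its output. It uses the .NET crypto classes and runs in Windows PowerShell.

```powershell
# Added example (not Conti's code): hybrid AES-256 + RSA wrapping, the reason a
# victim cannot recover files even though the "public key" is in the binary.

function New-OperatorKeyPair {
    # Generated here for the demo. An attacker generates this once, offline, and
    # embeds only the public half in the payload (assumption: RSA-2048, OAEP).
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
    [pscustomobject]@{
        PublicXml  = $rsa.ToXmlString($false)   # what the binary would carry
        PrivateXml = $rsa.ToXmlString($true)    # stays with the attacker
    }
}

function Protect-Blob {
    param([byte[]]$Plain, [string]$PublicXml)
    # Fresh per-file symmetric key and IV; AES does the bulk encryption.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.GenerateKey(); $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)

    # Only the 32-byte AES key goes through RSA (public key only, RSA-OAEP).
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($PublicXml)
    $wrapped = $rsa.Encrypt($aes.Key, $true)

    # Assumed blob layout: [wrapped key][16-byte IV][ciphertext]. The plaintext
    # AES key is discarded with $aes; it survives only in wrapped form.
    $blob = New-Object byte[] ($wrapped.Length + 16 + $ct.Length)
    [Array]::Copy($wrapped, 0, $blob, 0, $wrapped.Length)
    [Array]::Copy($aes.IV, 0, $blob, $wrapped.Length, 16)
    [Array]::Copy($ct, 0, $blob, $wrapped.Length + 16, $ct.Length)
    $aes.Dispose()
    return ,$blob
}

function Unprotect-Blob {
    param([byte[]]$Blob, [string]$KeyXml)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($KeyXml)
    $wrappedLen = [int]($rsa.KeySize / 8)            # 256 bytes for RSA-2048
    # Fails with a CryptographicException if $KeyXml holds only the public half.
    $key = $rsa.Decrypt([byte[]]$Blob[0..($wrappedLen - 1)], $true)
    $iv  = [byte[]]$Blob[$wrappedLen..($wrappedLen + 15)]
    $ct  = [byte[]]$Blob[($wrappedLen + 16)..($Blob.Length - 1)]
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key; $aes.IV = $iv
    $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
}

# Demo with a constructed plaintext.
$pair  = New-OperatorKeyPair
$plain = [Text.Encoding]::UTF8.GetBytes('constructed sample record for the demo')
$blob  = Protect-Blob -Plain $plain -PublicXml $pair.PublicXml

# Everything the victim machine ever held is the public key; that is not enough.
try   { Unprotect-Blob -Blob $blob -KeyXml $pair.PublicXml | Out-Null }
catch { "Decrypt with public key only failed: $($_.Exception.Message)" }

# Only the operator's private key unwraps the per-file AES key.
[Text.Encoding]::UTF8.GetString((Unprotect-Blob -Blob $blob -KeyXml $pair.PrivateXml))
```

The practical consequence for incident responders is that carving the public key out of the sample does not help; the only recovery paths are backups, an implementation flaw in the malware’s key handling, or the private key.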
When encrypting victims’ files, Conti uses the Windows Restart Manager API to terminate processes and Windows services that hold a file open during encryption. Microsoft created Restart Manager to make it easier to install software updates without rebooting the computer, and ransomware strains have started using it to encrypt databases and other vital files that would otherwise be unwritable while another process holds them open.
“The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. The primary reason software updates require a system restart during an installation or update is that some of the files that are being updated are currently being used by a running application or service. The Restart Manager enables all but the critical system services to be shut down and restarted. This frees files that are in use and allows installation operations to complete,” according to Microsoft’s API documentation.
Conti is not the first ransomware to use this API. REvil (also known as Sodinokibi), MedusaLocker, SamSam, and LockerGoga also use the Windows Restart Manager API during encryption and, in some cases, during decryption. With its distribution increasing and its advanced feature set, Conti is sure to be a nuisance for at least the time being.