Anyone who thinks that “retail” ransomware that infects system users and claims a ransom is a threat, may not be aware of the ransomware used against company networks. After years among us, ransomware has developed. It has industrialised, specialised and acquired a sophisticated appearance to target far more lucrative victims. Conti, the fastest ransomware, is just one example of the speed at which they are developing. Let’s look at some of its tricks and why they are used.
Carbon Black has led the analysis of Conti’s latest version, discovering new levels of sophistication, because where the real action and true innovation in malware takes place is in the attacks directed at companies. These attacks are usually disguised as regular e-mails with attached files, such as an Excel or Word file with macros or that exploit Office’s vulnerabilities.
They move laterally until they become attached to a specific server and wait to strike. From here, they launch data hijacking attacks and ask for millionaire ransoms in exchange for the company to continue with its normal operation. The crafted ransomware that affects user systems is an annoying prank compared to this. But let’s see how these attackers have become more sophisticated and why.
The Fastest in the West
Conti uses 32 simultaneous CPU threads. These allow it to encrypt a whole hard-disk quickly or any other file that gets in its way. It is like sending 32 copies of a “normal” ransomware in parallel. Why do they do this? Why do they want to go so fast?
These attacks are usually launched when they are already located in a powerful server availing itself of all the privileges within the company’s network (normally in the local domain control). The system is assumed to be powerful in CPU and capable of launching all these threads. It also allows it to attack systems with a hard-disk that has the capacity to store large amounts of data (also backup). The faster the ransomware, the simpler it will be to go unnoticed by any alert system, whether it is reactive or preventive. It will always be too late.
Hide the Hand That Throws the Stone
Another interesting feature of Conti is that, again attached to a server, it can attack the surrounding network and encrypt the shared drives of neighbouring systems. In this way, network administrators will not know where the attack is coming from because it is natural to think that the machine containing the encrypted files is the infected one. Not at all: patient zero can be far, triggering very fast encryptions willy-nilly.
ARP Avoid Making Noise Using ARP
To find out which machines are around you, you have two options: analyse the IPs of the network itself and go through the range, or use an ARP-a and find out which machines you have recently contacted. This is exactly what Conti does.
For Conti, a Locked File Is Not a Problem
If you are on a server with a rich database, normally your data will always be “locked” by the operating system or the database itself. Encrypting them will be impossible because you cannot handle a file that belongs to a process holding it exclusively. From the attackers’ point of view: How to encrypt it then?
First, Conti kills any process including “sql” in its name. Very few families use in addition the trick used by this ransomware to encrypt the files, which consists of using Restart Manager, the formula that Windows itself uses to cleanly kill the processes before shutting down the operating system. It is like killing processes cleanly like Windows before rebooting, but without the need to reboot.
And this is also where you need speed and the reason for having 32 threads. Killing a critical process is very noisy, administrators will notice right away that something is going wrong. From a malware point of view, if you have a lot of heavy files, the best option is to encrypt them quickly after killing the parent process if you want to achieve your goal.
Encrypts All Extensions Except exe, dll, lnk, and sys
Conti is very aggressive. Most “homemade” ransomware looks for potentially useful extensions for the victim. Documents, photos, data, etc. Conti encrypts everything but executables, binaries, and drivers. To speed up, it avoids some system directories.
Of course, all this does not prevent ransomware from having the usual technologies for this type of attack. From the deletion of shadow copies (although in a special way) to the public keys that encrypt the 256-bit AES key embedded in each encrypted file. Finally, the value of the analysis of this sample is greater when it is known to obfuscate its own code in a special way. Conti tries to hide every string, every system API call using a different algorithm for it with different keys, and so up to 277 functions (algorithms) used internally only to de-obfuscate itself “on the fly”.