Carbon Black researchers have found a new ransomware strain called Conti that uses 32 simultaneous encryption threads to lock files very quickly. It also abuses the legitimate Windows Restart Manager to close applications that hold files open, so that those files can then be encrypted. According to the researchers there is currently no decryptor available for this ransomware, so organizations are advised to secure their networks and keep offline backups.
Conti Ransomware Abuses Windows Features in Unique Ways
The Conti group is not well known in the ransomware space, which makes it surprising that this strain uses such unusual capabilities to encrypt a victim's network. Once deployed it behaves like ordinary ransomware, but the deployment itself is controlled by the adversary.
Ransomware of this kind is called human-operated ransomware: an attacker first gains access to a specific organization's network and then launches the ransomware manually, rather than spreading it indiscriminately. Security researchers first saw a Conti development build in February this year; the Carbon Black team has now reported, with evidence, that the ransomware is being used in the wild.
Conti stands out because it runs up to 32 encryption threads at once. Other ransomware families such as Sodinokibi, Rapid, Phobos, LockerGoga, LockBit and Thanos also use multiple threads for faster encryption, but none of them have been seen using as many as 32, which is how Conti made its name. Encrypting with that many threads finishes the job sooner, which shrinks the window in which security tools or responders can notice the encryption and stop it before most files are locked.
Conti also gives its operator control over what is encrypted. Through command-line options it can be told to skip files on the local drives and instead encrypt only files on SMB network shares, given a list of target IP addresses. Because the machine running the ransomware need not be the one whose data is encrypted, the affected hosts may carry no ransomware binary at all, which makes tracing the infection back to its source harder.
Finally, Conti has one more unusual feature that helps its encryption succeed. It abuses the legitimate Windows Restart Manager, the component that installers and updaters use to gracefully close applications holding files open, so that those files can be replaced without waiting for a reboot. Conti uses the same mechanism to shut down the processes that have a file locked, after which the file can be encrypted.
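As an added example, not code from the original article or from the Conti malware, the PowerShell script below walks the same documented Restart Manager API sequence an installer uses (RmStartSession, RmRegisterResources, RmGetList and, optionally, RmShutdown), to show why the component is attractive to ransomware: it tells the caller exactly which processes hold a given file open and can close them on request. The script name, parameter names and the RestartManager type name are my own; the API names, structures and the ERROR_MORE_DATA two-call pattern come from the Windows SDK header rstrtmgr.h. By default the script only lists the lockers; the shutdown step runs only with an explicit -Shutdown switch.

```powershell
# Added example, not Conti's code: asks the Windows Restart Manager which processes
# hold a file open, using the documented installer sequence
# RmStartSession -> RmRegisterResources -> RmGetList -> (optional) RmShutdown.
# Windows only. Usage: .\Get-FileLockers.ps1 -Path C:\data\report.xlsx [-Shutdown]
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$Shutdown   # also call RmShutdown (the step that frees the file); off by default
)

if (-not ('RestartManager' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class RestartManager
{
    [StructLayout(LayoutKind.Sequential)]
    public struct RM_UNIQUE_PROCESS
    {
        public int dwProcessId;
        public System.Runtime.InteropServices.ComTypes.FILETIME ProcessStartTime;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct RM_PROCESS_INFO
    {
        public RM_UNIQUE_PROCESS Process;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string strAppName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)]  public string strServiceShortName;
        public int  ApplicationType;   // RM_APP_TYPE
        public uint AppStatus;
        public uint TSSessionId;
        [MarshalAs(UnmanagedType.Bool)] public bool bRestartable;
    }

    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    public static extern int RmStartSession(out uint pSessionHandle, int dwSessionFlags, StringBuilder strSessionKey);
    [DllImport("rstrtmgr.dll")]
    public static extern int RmEndSession(uint pSessionHandle);
    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    public static extern int RmRegisterResources(uint pSessionHandle,
        uint nFiles, string[] rgsFilenames,
        uint nApplications, [In] RM_UNIQUE_PROCESS[] rgApplications,
        uint nServices, string[] rgsServiceNames);
    [DllImport("rstrtmgr.dll")]
    public static extern int RmGetList(uint dwSessionHandle, out uint pnProcInfoNeeded,
        ref uint pnProcInfo, [In, Out] RM_PROCESS_INFO[] rgAffectedApps, ref uint lpdwRebootReasons);
    [DllImport("rstrtmgr.dll")]
    public static extern int RmShutdown(uint dwSessionHandle, uint lActionFlags, IntPtr fnStatus);
}
"@
}

$ERROR_MORE_DATA = 234
$RmForceShutdown = 0x1

$handle = [uint32]0
$key = New-Object System.Text.StringBuilder 33        # CCH_RM_SESSION_KEY + 1 WCHARs
$rc = [RestartManager]::RmStartSession([ref]$handle, 0, $key)
if ($rc -ne 0) { throw "RmStartSession failed: $rc" }

try {
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $rc = [RestartManager]::RmRegisterResources($handle, 1, [string[]]@($full), 0, $null, 0, $null)
    if ($rc -ne 0) { throw "RmRegisterResources failed: $rc" }

    # First call with no buffer: returns ERROR_MORE_DATA and the number of entries needed.
    $needed = [uint32]0; $count = [uint32]0; $reasons = [uint32]0
    $rc = [RestartManager]::RmGetList($handle, [ref]$needed, [ref]$count, $null, [ref]$reasons)
    if ($rc -eq $ERROR_MORE_DATA -and $needed -gt 0) {
        $apps  = [Array]::CreateInstance([RestartManager+RM_PROCESS_INFO], [int]$needed)
        $count = $needed
        $rc = [RestartManager]::RmGetList($handle, [ref]$needed, [ref]$count, $apps, [ref]$reasons)
    }
    if ($rc -ne 0) { throw "RmGetList failed: $rc" }

    if ($count -eq 0) {
        Write-Output "No running process holds $full open."
    } else {
        foreach ($a in $apps[0..($count - 1)]) {
            [pscustomobject]@{
                Pid         = $a.Process.dwProcessId
                App         = $a.strAppName
                Service     = $a.strServiceShortName
                Restartable = $a.bRestartable
            }
        }
        if ($Shutdown) {
            # RmForceShutdown closes the listed processes so the file is no longer locked;
            # this is the call the article describes Conti making before it encrypts a file.
            $rc = [RestartManager]::RmShutdown($handle, $RmForceShutdown, [IntPtr]::Zero)
            if ($rc -ne 0) { throw "RmShutdown failed: $rc" }
        }
    }
} finally {
    [void][RestartManager]::RmEndSession($handle)
}
```

The listing mode is a useful check on its own: run it against a document, database or backup file and the output is the set of processes that would have to die before that file could be overwritten or encrypted, which is exactly the list Restart Manager hands to ransomware that calls it. Because the whole sequence is a handful of documented user-mode API calls in rstrtmgr.dll, it needs no privilege beyond that of the processes being closed and leaves no exploit-style artefacts, so detection has to rest on the surrounding behaviour (mass file modification, unexpected process terminations) rather than on the API use itself.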
At this time there is no decryption key or decryptor available for this strain. Organizations are therefore advised to keep offline backups, harden their workstations, and close or restrict exposed remote-management ports to reduce the risk of infection.