Skip to main content
Conti Ransomware

Conti is an advanced ransomware tool that uses a unique encryption routine to identify and encrypt files incredibly quickly.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

Summary

Conti is an advanced ransomware tool that uses a unique encryption routine to identify and encrypt files incredibly quickly.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Conti is a  ransomware tool used in human-operated attacks against targets in North America and Europe. Conti is operated by Wizard Spider group and is offered to affiliates as Ransomware-as-a-Service (RaaS). Unlike the vast majority of ransomware, Conti uses an entirely bespoke encryption implementation.


Delivery

Conti is delivered through phishing emails containing links to Google docs, which, when clicked, download and execute either Bazar backdoor or IcedID trojan. In other attacks, Conti is delivered directly to target networks via exposed vulnerable services, such as RDP.


Activities

Once present on a system, Conti will attempt to delete Volume Shadow Copies and terminate a number of services, using the Windows Restart Manager to ensure any files used by these services are able to be encrypted.

By default, Conti will encrypt all files on local and networked SMB drives, but will ignore any files with DLL, EXE, LNK, or SYS extensions. Files are encrypted with a unique AES-256 implementation that uses up to 32 individual logical threads, resulting in Conti performing far faster than most ransomware.

Conti is also able to target specific drives, both local and networked, when provided with the required parameters. It is even able to target individual local IP addresses, a capability it shares with the older Sodinokibi ransomware.


Threat updates

Date Update
17 May 2021 Conti used in ransomware attack on Irish Health Service Executive

A variant of Conti has been attributed to a recent ransomware attack on the Irish Health Service Executive.

Conti now use double extortion tactics to coerce an organisation into paying the ransom. Data is extracted from compromised systems prior to encryption, with the threat of publication should the organisation choose not to pay the ransom.

The Conti operators are known to gain initial access via phishing campaigns and have also been observed targeting vulnerabilities in software running on internet-facing devices. After gaining access, operators commonly use Cobalt Strike tools for lateral movement and extraction of data. Fileless deployment via reflective Dynamic-Link Library (DLL) injection has been used to launch the Conti payload on compromised endpoints. Command and control is used to deliver the ransomware code, which is executed directly into memory, resulting in encryption without the malware being written to disk. Once deployed, Conti performs sandbox evasion via system checks to determine if it is running on a virtual machine environment or sandbox. There is evidence of some variants of Conti achieving this via calls to bogus WINAPI to intentionally generate exceptions.


Remediation advice

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

To limit the impact of a ransomware infection, NHS Digital advises that:

  • Critical data is frequently saved in multiple backup locations.
  • At least one backup is kept offline at any time (separated from live systems).
  • Backups and incident recovery plans are tested to ensure that data can be restored when needed.
  • User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
  • Infected systems are disconnected from the network and powered down as soon as practicable.
  • Any user account credentials that may have been compromised should be reset on a clean device
  • Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Indicators of compromise

Host indicators

Filenames

  • conti.exe
  • _EXE.bat
  • _COPY.bat

MD5 hashes

  • b7b5e1253710d8927cbe07d52d2d2e10

SHA1 hashes

  • 596f1fdb5a3de40cccfe1d8183692928b94b8afb

SHA256 hashes

  • 1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f
  • 234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a
  • 5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50
  • 63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be
  • 8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408
  • a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb
  • d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
  • d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce
  • eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe

Definitive source of threat updates

Last edited: 1 June 2021 1:51 pm