May 29, 2023

A lesser-known ransomware strain known as Conti is using up to 32 simultaneous CPU threads to encrypt files on infected computers for blazing-fast encryption speeds.

Conti is just the latest in a long string of ransomware strains that have been spotted this year. Like most ransomware families today, Conti was designed to be controlled directly by an adversary, rather than to run automatically on its own.

These types of ransomware strains are also known as “human-operated ransomware,” and they’re designed to be deployed during targeted intrusions inside large corporate or government networks.

Multi-threading itself isn’t unique. Other ransomware strains also run several encryption threads in parallel, so that the encryption finishes before the file-locking activity is detected and stopped by AV solutions.

Other ransomware strains seen using multiple CPU threads include the likes of REvil (Sodinokibi), LockBit, Rapid, Thanos, Phobos, LockerGoga, and MegaCortex, just to name a few.

Conti stood out because of the unusually large number of concurrent threads it uses, 32, which according to Carbon Black results “in faster encryption compared to many other families.”

Tricky network-only encryption mode
However, this was not the only unique detail that Carbon Black found in Conti. The second was fine-grained control over the ransomware’s encryption targets via command-line arguments.

The ransomware can be configured to skip files on the local drives and encrypt only data on networked SMB shares, simply by passing the binary a list of IP addresses on the command line.

“A successful attack may have destruction that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment.

“This also has the effect of reducing the overall ‘noise’ of a ransomware attack where hundreds of systems immediately start showing signs of infection. Instead, the encryption may not even be noticeable for days, or weeks, later once the data is accessed by a user,” Baskin said.

This behavior could also confuse security teams performing incident response, who may be unable to pinpoint the point of entry into the network without a full audit of all systems, and it allows the attackers to linger, hidden on a single machine inside the victim’s network.

Conti abuses the Windows Restart Manager
The third unique technique spotted in the Conti code is its abuse of the Windows Restart Manager, the Windows component that installers and updates use to find and shut down the applications holding a file open, so that the file can be replaced before (or instead of) an OS restart. Ransomware that calls the same API can close the process holding a document or database open and then encrypt a file that would otherwise have been locked.
