Conti Ransomware
Tactical report of Conti Ransomware
Identification:

| Vendor | Detection |
|---|---|
| TrendMicro | Ransom.Win32.CONTI.D |
| Microsoft | Ransom:Win32/Conti.SW!MSR |
| Symantec | Ransom.Conti |
The following table lists the artifacts analyzed in this document.

| PE timestamp | MD5 | Size in bytes | File name | Description |
|---|---|---|---|---|
| 2020/06/04 Thu 00:02:10 UTC | B7B5E1253710D8927CBE07D52D2D2E10 | 101.00 KB (103424 bytes) | contuer.exe | Ransomware |
Summary

Conti is ransomware that encrypts network files with the AES algorithm and appends the extension ".CONTI" to each encrypted file. It disables important services such as antivirus, SQL and backup services. Conti ransomware was discovered by the Carbon Black Threat Analysis Unit (TAU).
Technical analysis:

Persistence

It creates a mutex named _CONTI_ to ensure that only one instance of the ransomware is running, as shown in figure (1); if the mutex cannot be created it exits immediately, as shown in figure (2).
Figure (1)
It searches for the resource "0x101", gets its size, loads it into memory and locks it, as shown in figure (3). The resource contains the ransomware's message, shown once the network has already been unlocked, as shown in figure (4).

Figure (3)

Figure (4)
If it cannot find the resource, it releases the mutex and exits, as shown in figure (5).

Figure (5)
It creates a thread that generates an AES-256 encryption key used to encrypt local and network files, as shown in figure (6).

Figure (6)
It uses the CreateIoCompletionPort API to speed up encryption, called with the parameters shown in figure (7).

Figure (7)
It determines the number of drives on the machine before starting encryption, as shown in figure (8).

Figure (8)
It starts encrypting the drives with the randomly generated AES key, as shown in figure (9), and appends the extension "CONTI" to each encrypted file. It creates a new file named CONTI_README.txt in the directory of each encrypted file, as shown in figure (10).

Figure (9)

Figure (10)

Figure (11)
It enumerates network resources for encryption, as shown in figure (12).

Figure (12)
Important commands

It runs the commands listed in the table below.

| Command | Purpose |
|---|---|
| vssadmin Delete Shadows /all /quiet | Delete volume shadow copies |
| net stop MSSQL$SQLEXPRESS | Stop SQL service |
| stop avp service | Stop Kaspersky service |
| net stop ESHASRV /y | Stop ESET endpoint security service |
| net1 stop ekrn /y | Stop ESET endpoint security service |
| net1 stop EhttpSrv /y | Stop ESET endpoint security service |
| stop "SQL Backups" /y | Stop SQL Backups service |
| net stop Smcinst /y | Stop Symantec Endpoint Protection service |
| stop SAVService /y | Stop Sophos Endpoint Protection service |
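The shadow-copy deletion and service-stop commands above are the most visible pre-encryption behaviour of this sample, so they are a natural detection point. The following is an added example (not part of the report) that matches those commands against constructed, Sysmon-like process-creation events and flags a parent process that spawns several of them; the `key="value"` event format, the field names and the `contuer.exe` parent path are assumptions for the sample data.

```python
import re
from collections import namedtuple

# Patterns built from the commands in the table above. The "stop ..." entries shown
# without a "net" prefix are matched on the "stop <service>" part alone (assumption).
CONTI_COMMAND_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
     "volume shadow copy deletion"),
    (re.compile(r'\bstop\s+"?(MSSQL\$SQLEXPRESS|avp|ESHASRV|ekrn|EhttpSrv|SQL Backups|Smcinst|SAVService)\b', re.I),
     "security/backup service stop"),
]

Finding = namedtuple("Finding", "line_no parent command_line reason")

def parse_event(line):
    """Parse one constructed key="value" process-creation event into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def scan(lines):
    """Return a Finding for every event whose CommandLine matches a Conti command."""
    findings = []
    for no, line in enumerate(lines, 1):
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for pattern, reason in CONTI_COMMAND_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(no, ev.get("ParentImage", "?"), cmd, reason))
                break  # one finding per event is enough
    return findings

def triage(lines, threshold=2):
    """Group findings by parent image; a parent that spawns at least `threshold`
    matching commands is reported as likely pre-encryption ransomware activity."""
    by_parent = {}
    for f in scan(lines):
        by_parent.setdefault(f.parent, []).append(f)
    return {p: fs for p, fs in by_parent.items() if len(fs) >= threshold}

# Constructed sample events (Sysmon-like fields, not real telemetry).
SAMPLE_EVENTS = [
    r'EventID="1" Image="C:\Windows\System32\vssadmin.exe" ParentImage="C:\Users\Public\contuer.exe" CommandLine="vssadmin Delete Shadows /all /quiet"',
    r'EventID="1" Image="C:\Windows\System32\net.exe" ParentImage="C:\Users\Public\contuer.exe" CommandLine="net stop MSSQL$SQLEXPRESS"',
    r'EventID="1" Image="C:\Windows\System32\net1.exe" ParentImage="C:\Users\Public\contuer.exe" CommandLine="net1 stop ekrn /y"',
    r'EventID="1" Image="C:\Windows\System32\net.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="net use Z: \\fileserver\share"',
    r'EventID="1" Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad CONTI_README.txt"',
]

if __name__ == "__main__":
    for parent, fs in triage(SAMPLE_EVENTS).items():
        print(parent, "->", [(f.line_no, f.reason) for f in fs])
```

A single `net stop` is common administrative noise; the parent-process grouping is what separates this sample's burst of service stops from routine activity.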
If you want to learn malware analysis you can check my YouTube channel, where I'm trying to publish analyses of malware and some methods for analysing malware.
Please don't forget to subscribe to my channel. Thank you ♥
YouTube channel
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA
Contact me : mahmoudmorsy372@gmail.com