A security firm has identified that an updated version of Conti ransomware is still actively being used in attacks in the wild. This update was released before the recent leak of Conti source code and chat logs.

Conti in attack mode

According to Zscaler, even after suffering massive leaks, Conti continues to operate, upgrade, and claim new victims. 
  • This most recent Conti update comprises new features added to the ransomware code, including new command-line arguments.
  • These new features allow it to reboot the system in Safe Mode with networking enabled and begin file encryption. 
  • Doing so allows Conti to maximize file encryption since business applications are likely to remain close in the Safe Mode.

Features to avoid detection

To thwart malware analysis, Conti dynamically resolves most Windows API functions by using a hash algorithm. 
  • In this version, Conti uses the Murmur3 hashing algorithm, which produces different hash values for all API functions used, which helps avoid security software that searches for the related hash values.
  • Further, a new set of file extensions (includingZG7Ak, .wjzPe, .LvOYK, .C5eFx, and .fgM9X) is believed to be used for bypassing endpoint security solutions, which may spot the previous Conti pattern that used five uppercase letters.

Conclusion

Multiple source code and conversations leaked but Conti actors appear to proceed confidently by adding new features in an attempt to stay ahead in the game. Organizations are advised to ensure robust anti-ransomware solutions and trustworthy backup solutions.
Cyware Publisher

Publisher

Cyware