A lesser-known ransomware strain has now come up with some special features, along with blazing-fast encryption speeds.
The Conti ransomware is using up to 32 simultaneous CPU threads to encrypt files on infected systems for superfast encryption speeds. it is a human-operated ransomware which is deployed during targeted intrusions into corporate or government networks.
Although this ransomware strain performs functions similar to any other ransomware, it comes with some unique features as well.
- It uses the Windows Restart Manager to ensure that all files are encrypted.
- It leverages command-line options while scanning for data on the targeted systems, suggesting human control. This entails the skipping of encryption for local files and only targeting SMB shares.
- The ransomware also boasts of having multiple anti-analysis attributes to slow detection and reverse engineering attempts.
- Conti has the capability of causing targeted damage in an environment to disrupt incident response activities.
Abusing Windows Restart Manager
In the history of ransomware families, this is the second time a ransomware family was found abusing the Windows Restart Manager; the other one being Medusa Locker.
- Windows Restart Manager can be controlled by an app to open and close certain files.
- For each file to be encrypted, the ransomware will process that file through the Restart Manager to ensure that it is unlocked and open for encryption, thereby maximizing its the extent of damage.
- This method is useful in attacks against Windows servers where the most crucial information is managed by a database.
The bottom line
Apart the usual recommended preventive measures, there is no way to recover the files locked by Conti. Unless organizations can afford to pay huge amounts of ransom to the attackers, keeping offline backups, and securing workstations, open remote management ports, and network perimeter devices, should be prioritized.