Powerful Conti Ransomware Emerges

2020-07-09 11:35

A new ransomware family packs multiple unique features, including to improve performance and give its operators the option to only target networked SMB shares, VMware-owned Carbon Black reveals.

Dubbed Conti, the malware improves performance through the use of "Up to 32 simultaneous encryption efforts," and is likely directly controlled by its operators, which means that it can target network-based resources and skip local files, similarly with what the Sodinokibi ransomware can do.

The new ransomware abuses the Windows Restart Manager to close applications that lock certain files, thus making sure it can encrypt all the data it wants.

While there are other ransomware families out there that target data on network shares, Conti is unique due to support for command line arguments that would direct the encryption to either the local hard drive or network shares, or even to specific IP addresses.

"Overall, Conti represents a unique twist in modern ransomware. Conti shows an intention behind the actor to also respond to reconnaissance to determine worthwhile servers in the environment that are sensitive to data encryption. Its implementation of multi-threaded processing, as well as the use of the Windows Restart Manager, shows a feature of incredibly quick, and thorough, encryption of data," Carbon Black concludes.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/RK5WHpqTwCo/powerful-conti-ransomware-emerges

#ransomware