A new ransomware family packs multiple unique features, including to improve performance and give its operators the option to only target networked SMB shares, VMware-owned Carbon Black reveals.
Dubbed Conti, the malware improves performance through the use of “up to 32 simultaneous encryption efforts,” and is likely directly controlled by its operators, which means that it can target network-based resources and skip local files, similarly with what the Sodinokibi ransomware can do.
Furthermore, the new ransomware abuses the Windows Restart Manager to close applications that lock certain files, thus making sure it can encrypt all the data it wants.
Conti also includes various anti-analysis capabilities, such as a unique string encoding routine of 277 different algorithms per string. The ransomware employs obfuscation to hide Windows API calls used during execution.
While there are other ransomware families out there that target data on network shares, Conti is unique due to support for command line arguments that would direct the encryption to either the local hard drive or network shares, or even to specific IP addresses.
This suggests that the malware is manually executed by its operators, although Conti can be executed without interaction as well, in which case it attempts to encrypt all files it has access to.
“The notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities. A successful attack may have destruction that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment,” Carbon Black explains.