Connect with us

Hi, what are you looking for?



Powerful Conti Ransomware Emerges

A new ransomware family packs multiple unique features, including to improve performance and give its operators the option to only target networked SMB shares, VMware-owned Carbon Black reveals.

A new ransomware family packs multiple unique features, including to improve performance and give its operators the option to only target networked SMB shares, VMware-owned Carbon Black reveals.

Dubbed Conti, the malware improves performance through the use of “up to 32 simultaneous encryption efforts,” and is likely directly controlled by its operators, which means that it can target network-based resources and skip local files, similarly with what the Sodinokibi ransomware can do.

Furthermore, the new ransomware abuses the Windows Restart Manager to close applications that lock certain files, thus making sure it can encrypt all the data it wants.

Conti also includes various anti-analysis capabilities, such as a unique string encoding routine of 277 different algorithms per string. The ransomware employs obfuscation to hide Windows API calls used during execution.

While there are other ransomware families out there that target data on network shares, Conti is unique due to support for command line arguments that would direct the encryption to either the local hard drive or network shares, or even to specific IP addresses.

This suggests that the malware is manually executed by its operators, although Conti can be executed without interaction as well, in which case it attempts to encrypt all files it has access to.

“The notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities. A successful attack may have destruction that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment,” Carbon Black explains.

By employing this technique, the attack might go unnoticed for days or even weeks, unlike typical ransomware incidents, where multiple systems show signs of infections at once.

Advertisement. Scroll to continue reading.

Conti also blocks recovery on the local system, leveraging vssadmin to ensure the deletion of Windows Volume Shadow Copies and executing no less than 146 commands for stopping services that might interfere with its routine.

The malware encrypts all files it finds, except those that have the extensions exe, dll, lnk, and sys. It also ignores a series of folders during the encryption process. The ransomware appends the extension .CONTI to the encrypted files.

Conti also gathers information on the systems that the compromised machine has been connected to recently, and then attempts to access those remote devices to encrypt files on them as well.

“Overall, Conti represents a unique twist in modern ransomware. Conti shows an intention behind the actor to also respond to reconnaissance to determine worthwhile servers in the environment that are sensitive to data encryption. Its implementation of multi-threaded processing, as well as the use of the Windows Restart Manager, shows a feature of incredibly quick, and thorough, encryption of data,” Carbon Black concludes.

Related: Try2Cry Ransomware Spreads via USB Drives

Related: Ransomware Operators Demand $14 Million From Power Company

Related: ICS-Targeting Snake Ransomware Isolates Infected Systems Before Encryption

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.