A brief analysis of the last version of Conti ransomware

Conti ransomware has been sold as a RaaS (Ransomware as a Service) in underground forums, and it is known to have been deployed by TrickBot or BazarLoader. The ransomware can run with the following parameters: “-p”, “-m”, “-size”, “-log” and “-nomutex”. The malware creates a new mutex called “YUIOGHJKCVVBNMFGHJKTYQUWIETASKDHGZBDGSKL237782321344”, which ensures that only one instance of the process is running at a time. All SMB shares and available drives are encrypted, and the volume shadow copies are deleted using wmic and COM objects. The files are encrypted using ChaCha8, with the key and nonce being encrypted by a public RSA key.

The following table describes the meaning of different parameters:

[Image: parameters]

If the logging mode is enabled, the malware records its different actions in a log file:

[Image: login]

Conti comes with a hard-coded public RSA key that is used to encrypt the ChaCha8 key and nonce:

[Image: ChaCha20 Key]

The encrypted files’ extension is changed to a 5-letter string that consists of capital letters only (for example .LSNWX). An example of an encrypted file is shown below (note the plaintext encrypted using ChaCha8, and the ChaCha8 key and nonce encrypted using RSA):

[Image: RSA]

The ransomware creates a ransom note in every directory that was encrypted. An example of a ransom note is displayed in the following picture:

[Image: Ransom note]

Conti also has a list of targeted file extensions; however, the ransomware encrypts other file extensions as well via a different execution flow:

• .4ddf, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn, .mdt, .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso
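The behaviours described above (the command-line switch set, shadow-copy deletion through wmic, the five-capital-letter extension, and a ransom note in every encrypted directory) can be turned into simple triage logic for endpoint telemetry. The following Python is an added example, not code from the original write-up; the event records are constructed, and the ransom note file name (`note_name`) is an assumption, since the write-up does not give it.

```python
import re
from collections import defaultdict
# Switches the write-up lists for Conti. "-p" and "-m" are common elsewhere,
# so a hit needs at least two switches, one of them from the rarer set.
CONTI_SWITCHES = {"-p", "-m", "-size", "-log", "-nomutex"}
RARE_SWITCHES = {"-size", "-log", "-nomutex"}
ENCRYPTED_EXT = re.compile(r"\.[A-Z]{5}$")  # e.g. ".LSNWX": five capital letters
# Constructed sample telemetry (process creations and file renames), not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120,
     "cmdline": r"C:\Users\Public\locker.exe -m local -size 10 -log C:\Users\Public\l.txt -nomutex"},
    {"type": "process", "pid": 4136, "cmdline": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"},
    {"type": "process", "pid": 512, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "file", "path": r"D:\Finance\q1.xlsx.LSNWX"},
    {"type": "file", "path": r"D:\Finance\q2.xlsx.LSNWX"},
    {"type": "file", "path": r"D:\Finance\readme.txt"},
    {"type": "file", "path": r"D:\Photos\trip.JPEG"},  # four letters: not a match
]
def has_conti_switches(cmdline: str) -> bool:
    """True when the command line carries Conti's switch set."""
    hits = {t.lower() for t in cmdline.split()} & CONTI_SWITCHES
    return len(hits) >= 2 and bool(hits & RARE_SWITCHES)

def deletes_shadow_copies(cmdline: str) -> bool:
    """True for a wmic invocation that deletes volume shadow copies."""
    low = cmdline.lower()
    return "wmic" in low and "shadowcopy" in low and "delete" in low

def is_encrypted_name(name: str) -> bool:
    """True when the file name ends in a Conti-style five-capital-letter extension."""
    return ENCRYPTED_EXT.search(name) is not None

def analyze(events, note_name="readme.txt"):
    """Return process ids worth triage and directories that look encrypted (renamed
    files plus a ransom note). note_name is an assumption: the write-up does not
    give the note's file name."""
    flagged, renames, notes = set(), defaultdict(int), set()
    for ev in events:
        if ev["type"] == "process":
            if has_conti_switches(ev["cmdline"]) or deletes_shadow_copies(ev["cmdline"]):
                flagged.add(ev["pid"])
        else:
            directory, name = ev["path"].rsplit("\\", 1)
            if is_encrypted_name(name):
                renames[directory] += 1
            elif name.lower() == note_name:
                notes.add(directory)
    encrypted = sorted(d for d, n in renames.items() if n >= 2 and d in notes)
    return {"processes": sorted(flagged), "encrypted_dirs": encrypted}
```

Running `analyze(SAMPLE_EVENTS)` flags the locker and the wmic child process but not svchost, and reports only the directory that holds both renamed files and the note.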

Sources:

https://cybergeeks.tech/dissecting-the-last-version-of-conti-ransomware-using-a-step-by-step-approach/