Conti ransomware has been sold as a RaaS (Ransomware as a Service) on underground forums and is usually deployed by other malware such as TrickBot and BazaLoader/BazarLoader. It accepts the following command-line parameters: “-p”, “-m”, “-size”, “-log” and “-nomutex”. It can create a mutex named “YUIOGHJKCVVBNMFGHJKTYQUWIETASKDHGZBDGSKL237782321344” so that only one instance of the ransomware runs at a time. Depending on the “-m” parameter, the malware encrypts only network shares (“-m net”), only local drives (“-m local”), or both (“-m all”). Volume shadow copies are deleted using wmic and COM objects. Files are encrypted with ChaCha8, and the ChaCha8 key and nonce are themselves encrypted with an RSA public key.
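The command-line switches and mutex name above are useful detection indicators. The following is an added example (not code from the white paper) that classifies constructed process-creation and mutex telemetry against those indicators; the event format, the "two or more switches" threshold and the `wmic ... shadowcopy ... delete` pattern are assumptions, since the page names wmic but not the exact command line.

```python
import re

# Indicators taken from the analysis: Conti's switches and its mutex name.
CONTI_SWITCHES = {"-p", "-m", "-size", "-log", "-nomutex"}
CONTI_MUTEX = "YUIOGHJKCVVBNMFGHJKTYQUWIETASKDHGZBDGSKL237782321344"
# Assumption: shadow copies removed via a wmic "shadowcopy delete" invocation;
# the page only states that wmic is used, not the exact arguments.
SHADOW_DELETE = re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def classify_event(event):
    """Return the indicators matched by one telemetry event.

    event: {"type": "process" | "mutex", "value": command line or mutex name}.
    Command lines are split on whitespace (quoted paths are not handled).
    """
    hits = []
    value = event.get("value", "")
    if event.get("type") == "mutex":
        if value == CONTI_MUTEX:
            hits.append("conti_mutex")
        return hits
    if event.get("type") == "process":
        tokens = value.split()
        args = set(tokens[1:])  # everything after the image path
        # "-m" takes an encryption scope: net, local or all
        if "-m" in tokens:
            idx = tokens.index("-m")
            mode = tokens[idx + 1] if idx + 1 < len(tokens) else ""
            if mode in {"net", "local", "all"}:
                hits.append(f"conti_mode_{mode}")
        # A lone "-m" or "-p" is common in benign tools; require two known switches.
        if len(args & CONTI_SWITCHES) >= 2:
            hits.append("conti_switches")
        if SHADOW_DELETE.search(value):
            hits.append("shadow_copy_deletion")
    return hits


def scan_events(events):
    """Return (value, indicators) for every event that matched at least once."""
    return [(e["value"], hits) for e in events if (hits := classify_event(e))]


# Constructed sample telemetry; these are not real captures.
SAMPLE_EVENTS = [
    {"type": "process", "value": r"C:\Users\Public\conti.exe -m all -nomutex -log C:\Users\Public\log.txt"},
    {"type": "mutex", "value": CONTI_MUTEX},
    {"type": "process", "value": r"C:\Windows\System32\wbem\wmic.exe shadowcopy delete"},
    {"type": "process", "value": r"C:\Tools\backup.exe -m"},
    {"type": "process", "value": r"C:\Windows\System32\wbem\wmic.exe os get caption"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the first three events and leaves the two benign ones untouched.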
Download A Detailed Analysis of The Last Version of Conti Ransomware White Paper