CONTI Ransomware explained: How it works and how to defend against it

CONTI is malicious software categorized as ransomware. Systems infected with this malware have their data encrypted, and the victims are then asked to pay a ransom for decryption. Every affected file has the “.CONTI” suffix appended during encryption: a file originally called “Example.jpg” appears as “Example.jpg.CONTI” afterwards. Once encryption is complete, a ransom note text file named “CONTI_README.txt” is created on the infected system.

The ransom note (“CONTI_README.txt”) is short and merely states that the system has been locked. Victims are told to contact the criminals behind CONTI, via the two email addresses given in the note, to have their files decrypted. The note closes with a warning not to attempt decryption with any other software.
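As an added example (not code from the article, and not derived from the malware itself), the following Python script uses only the two artifacts the text describes, the “.CONTI” suffix and the “CONTI_README.txt” note, to scope an infection on a file tree: it lists the encrypted files per directory, recovers their original names for the restore list, and reports where notes were dropped. The directory layout it builds in a temporary folder is constructed for the demo.

```python
"""Scope a CONTI infection on a file tree: list encrypted files, recover their
original names and find the ransom notes.

Added example for this article; not code from the article or from the malware.
It assumes only what the text states: encrypted files get a ".CONTI" suffix and
a note named "CONTI_README.txt" is written after encryption."""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".CONTI"
RANSOM_NOTE = "CONTI_README.txt"


def original_name(encrypted_name):
    """'Example.jpg.CONTI' -> 'Example.jpg'; unchanged if the suffix is absent."""
    if encrypted_name.endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return encrypted_name


def scan_tree(root):
    """Walk `root` and return a report dict:
       encrypted: {relative dir: [original names]} for files carrying the suffix
       notes:     relative dirs that hold the ransom note
       untouched: number of files with neither the suffix nor the note name"""
    encrypted = defaultdict(list)
    notes = []
    untouched = 0
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted[rel].append(original_name(name))
            else:
                untouched += 1
    return {
        "encrypted": {d: sorted(v) for d, v in encrypted.items()},
        "notes": sorted(notes),
        "untouched": untouched,
    }


def build_sample_tree():
    """Constructed sample tree imitating a partially encrypted share (not real
    malware output): two directories hit by the ransomware, one untouched."""
    root = tempfile.mkdtemp(prefix="conti-demo-")
    layout = {
        "docs": ["Example.jpg.CONTI", "budget.xlsx.CONTI", RANSOM_NOTE],
        "photos": ["holiday.png.CONTI", RANSOM_NOTE],
        "scripts": ["build.sh", "README.md"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "wb") as fh:
                fh.write(b"placeholder\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for d, names in report["encrypted"].items():
        print(f"{d}: {len(names)} encrypted, restore {names}")
    print("ransom notes dropped in:", report["notes"])
    print("untouched files:", report["untouched"])
```

In practice you point scan_tree at the affected share; the recovered names are the list of files to restore from backup, and a directory holding a note but no encrypted files still shows that the malware ran there.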

In most ransomware cases, decryption without the attackers' involvement is not possible, and trying third-party decryptors built for other families can corrupt the files irreversibly. Decryption is only realistically feasible when the malware is still under development or contains implementation flaws. Whatever the situation, you are firmly cautioned against negotiating with the criminals or meeting their demands.

They cannot be trusted: victims frequently pay and never receive the promised decryption tool, so their files stay locked and they have lost the money as well. CONTI must be removed from the operating system to stop further encryption, but removal does not recover files that are already encrypted. The only realistic recovery path is to restore from a backup, which means the backup has to have been kept where the ransomware could not reach it (offline or otherwise isolated) and tested before it is needed.

According to Bleeping Computer, Advanced Intel's Vitali Kremez analyzed Conti and found that the ransomware is based on the code of Ryuk, another crypto-malware family. He also discovered that Conti uses the same ransom note template that early versions of Ryuk used in their attack campaigns.

Ransomware has also struck a US criminal court system, with court records leaked online in what is claimed to be the first ransomware attack of its kind.

For major ransomware gangs it has become standard practice to run so-called “leak sites”, where they publish confidential data stolen from firms that refuse to pay for decryption. These leak sites are part of a recent underground trend in which ransomware gangs adopt a “double extortion” strategy, as reported by ZDNet: the victim is pressured both by the encryption and by the threat of publication.

The case of the University of Utah is a good example of how ransomware gangs use leak sites and double extortion to pressure victims into paying.

How did my machine get compromised by ransomware?

Trojans, spam campaigns, illegal software activation tools (“cracks”), bogus updaters, and untrusted download sources are the most common propagation channels for ransomware and other malware. Trojans are malicious programs with various capabilities, including the ability to trigger chain infections by downloading further malware. “Spam campaign” refers to thousands of deceptive or scam emails sent at scale.

The messages are presented as “official”, “important”, “urgent”, and so on, and carry infectious attachments or links to infectious files. Dangerous attachments come in many formats (archives, executables, Microsoft Office and PDF documents, JavaScript files, and so on); the infection is triggered once the file is opened, executed, or otherwise run. Illegal activation tools (“cracks”) can download and install malware.

Fake updaters infect the device instead of delivering the promised update, either by exploiting flaws in outdated applications or simply by installing malware outright. Untrusted distribution channels such as unofficial and free file-hosting sites, P2P sharing networks (BitTorrent, eMule, Gnutella, etc.), and other third-party downloaders may likewise deliver malicious content.
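The attachment formats listed above can be checked mechanically before anyone double-clicks. The following Python triage function is an added example, not code from the article or from any product it mentions; the extension groups, the “disguised executable” double-extension rule, and the decision to look inside zip archives are this example's own assumptions. The sample attachments, including the in-memory zip, are constructed for the demo.

```python
"""Triage an e-mail attachment before it is opened.

Added example for this article; not code from the article. The extension
groups below are an assumption of this example, chosen to cover the formats
the text names: archives, executables, Office/PDF documents, JavaScript."""
import io
import os
import zipfile

EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs",
              ".js", ".jse", ".wsf", ".hta", ".msi", ".dll", ".lnk"}
DOCUMENT = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".pdf", ".rtf"}
ARCHIVE = {".zip"}            # only zip is inspected; rar/7z need extra libraries
RANK = {"low": 0, "medium": 1, "high": 2}


def classify_name(filename):
    """Return (level, reason) for a bare filename, from its extension alone."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE:
        # "invoice.pdf.exe": a document-looking name with an executable suffix,
        # a common lure when the OS hides known file extensions
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT:
            return "high", f"executable disguised as a document ({filename})"
        return "high", f"executable or script attachment ({ext})"
    if ext in DOCUMENT:
        return "medium", f"document that may carry macros or exploits ({ext})"
    if ext in ARCHIVE:
        return "medium", "archive; inspect the contents"
    return "low", f"no known risky type ({ext or 'no extension'})"


def triage_attachment(filename, data):
    """Classify an attachment by name; for zip archives also look at the
    members and escalate to the worst one, since wrapping the payload in an
    archive is the usual way to slip past naive extension filters."""
    level, reason = classify_name(filename)
    if not filename.lower().endswith(tuple(ARCHIVE)):
        return level, reason
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # member names are readable even if the archive is password-protected
            members = [m for m in zf.namelist() if not m.endswith("/")]
    except zipfile.BadZipFile:
        return "high", "named as a zip but is not a valid archive"
    for member in members:
        m_level, m_reason = classify_name(os.path.basename(member))
        if RANK[m_level] > RANK[level]:
            level, reason = m_level, f"archive member {member}: {m_reason}"
    return level, reason


def build_sample_zip(member_names):
    """Constructed in-memory zip for the demo (member contents are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, not real captured mail
    samples = [
        ("invoice.pdf.exe", b""),
        ("quarterly.xlsm", b""),
        ("photo.png", b""),
        ("invoice.zip", build_sample_zip(["invoice/Invoice_2020.js"])),
        ("notes.zip", build_sample_zip(["report.txt"])),
        ("docs.zip", b"not really a zip"),
    ]
    for name, data in samples:
        level, reason = triage_attachment(name, data)
        print(f"{level:6} {name:18} {reason}")
```

A mail gateway or a user-facing warning can act on the returned level; the point of the archive branch is that a zip whose only member is a .js file is as dangerous as the bare script, and a "zip" that does not parse deserves suspicion rather than a pass.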

How to defend yourself against ransomware infections?

Do not open emails that are suspicious or irrelevant, especially those from unknown or unexpected senders. Never open attachments or links contained in suspicious mail, as they are a likely source of infection. Download software only from official, verified sources, and activate and update it only with the tools or functions provided by the legitimate developer.

Unauthorized activation software and third-party updaters are high-risk and should be avoided. Install a reputable anti-virus/anti-spyware suite and keep it up to date; use it to run periodic scans and remove whatever threats it finds. If your device is already compromised with CONTI, we suggest running a scan with Malwarebytes for Windows to remove the ransomware automatically.

Text presented in the CONTI ransomware note (“CONTI_README.txt”):

“Your system is LOCKED. Write to us on the emails:

[email protected]

[email protected]

DO NOT TRY to decrypt files using other software.”
