Conti ransomware uses 32 simultaneous CPU threads for blazing-fast encryption

The Conti ransomware also abuses the Windows Restart Manager component to unlock apps and free up their data (for encryption).
Written by Catalin Cimpanu, Contributor

A lesser-known ransomware strain known as Conti is using up to 32 simultaneous CPU threads to encrypt files on infected computers for blazing-fast encryption speeds, security researchers from Carbon Black said in a report on Wednesday.

Conti is just the latest in a long string of ransomware strains that have been spotted this year. Just like most ransomware families today, Conti was designed to be directly controlled by an adversary, rather than execute automatically by itself.

These types of ransomware strains are also known as "human-operated ransomware," and they're designed to be deployed during targeted intrusions inside large corporate or government networks.

Security researchers first spotted a Conti dev build earlier this year, in February, but Carbon Black has now reported that its Threat Analysis Unit (TAU) has spotted Conti infections in the wild.

32 CPU threads, for the win!

Under the hood, Conti operates like most ransomware; however, it also comes with its own kinks, including some features that have not been seen in other strains.

In a technical report published on Wednesday, Carbon Black's TAU says the item that stood out during their analysis of Conti's code was its support for multi-threaded operations.

This isn't entirely unique. Other ransomware strains also support multi-threaded operations, running multiple concurrent computations on the CPU to gain speed during their execution and allow the encryption process to finish faster before the file-locking operation is detected and stopped by antivirus solutions.

Other ransomware strains seen using multiple CPU threads include the likes of REvil (Sodinokibi), LockBit, Rapid, Thanos, Phobos, LockerGoga, and MagaCortex -- just to name a few.

But Carbon Black says that Conti stood out because of the large number of concurrent threads it utilized -- namely, 32 -- which resulted "in faster encryption compared to many other families."

Tricky network-only encryption mode

However, this was not the solely unique detail that Carbon Black has seen in Conti. The second was a fine-grained control over the ransomware's encryption targets via a command-line client.

Carbon Black researchers say the ransomware can be configured to skip encrypting files on the local drives and encrypt data on networked SMB shares just by feeding the ransomware's binary a list of IP addresses via the command-line.

"The notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities," Brian Baskin, Technical Director of Threat Research at Carbon Black, explained.

"A successful attack may have destruction that's limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment.

"This also has the effect of reducing the overall 'noise' of a ransomware attack where hundreds of systems immediately start showing signs of infection. Instead, the encryption may not even be noticeable for days, or weeks, later once the data is accessed by a user," Baskin said.

Furthermore, this behavior might also confuse security teams performing incident response, who may not be able to pinpoint the point of entry into a network unless they perform a full audit of all systems, and allowing hackers to linger hidden inside a single machine on the victim's network.

Conti abuses the Windows Restart Manager

The third unique technique spotted in the Conti code is its abuse of Windows Restart Manager -- the Windows component that unlocks files before performing an OS restart.

According to Carbon Black, Conti invokes this component to unlock and shut down app processes so it can encrypt their respective data. This trick can be incredibly useful on Windows Servers where most sensitive data is usually managed by a database that's almost always up and running.

Carbon Black told ZDNet that this is a very rare technique that until now has been seen used by less than half a dozen malware families. Among ransomware families, this was the second time that one abused the Windows Restart Manager, with the first being Medusa Locker -- analyzed by Carbon Black last month.

At the time of writing, there is no way to recover files locked through the Conti ransomware, meaning prevention methods -- like keeping offline backups, securing workstations, open remote management ports, and network perimeter devices -- should be prioritized, unless companies can afford topay huge ransom demands to the Conti gang.

Inside an encrypted external hard drive -- in pictures

Editorial standards