Article by Florin Gruber, June 2025

Ransomware Conti – An Overview

Did you know that some ransomware operations publish a code of conduct? The operators of the DarkSide ransomware, for example, state that they do not attack hospitals, schools, or government agencies.

All other victims, however, typically face ransom demands of between 200,000 and 2,000,000 Swiss Francs, payable in cryptocurrency (mostly Bitcoin or Monero). If the ransom is not paid, the attackers threaten to destroy or publish the stolen data. Never before have so many detections been reported as in 2020, and the number rose steadily from quarter to quarter.

Statistics for 2020

  • 31% of companies worldwide are attacked by cybercriminals at least once a day
  • The Maze ransomware (more on this later) accounted for almost 50% of all known ransomware cases
  • Malware is increasingly generated and modified automatically, so that up to 100,000 new variants appear per day (which is why heuristic, behavior-based detection matters so much)

The Ransomware "Conti"

Conti was first observed in 2020 and has spread significantly since then. Here we summarize its basic functionality:

  • The average ransom demand is equivalent to just under 90,000 Swiss Francs
  • Conti uses the Windows Restart Manager API to close applications that hold files open, so that open or unsaved documents can be encrypted as well
  • Contains more than 250 string-decryption routines and a list of about 150 services to terminate before encryption starts
  • Encrypts files quickly using up to 32 parallel threads and built-in Windows functions
  • Runs its own data-leak website on which stolen data is published regularly
  • Recently also appears in a fileless variant in which Conti is loaded directly into memory by reflective DLL loading, without writing a binary to disk

Our Cyber Protect solution automatically blocks the execution of this ransomware.


The Solution: Cyber Protect detects malware and ransomware using artificial intelligence and cloud-based behavior pattern matching

Every malware family has its own behavior pattern. That is why our Cyber Protect solution relies on Acronis together with the well-known BitDefender Behavioral Detection Engine to recognize these patterns immediately. At the same time, the observed patterns are matched against those known in the cloud, so that even previously unknown malware is detected right away.

The 10 most dangerous malware and ransomware families (currently Maze, REvil, SNAKE, Nemty, NetWalker, Ragnar Locker, MegaCortex, CLOP, DoppelPaymer, and Thanos) are also detected and stopped automatically by Cyber Protect. Any files that have already been compromised are restored automatically from backup.

Built-in self-protection prevents the Cyber Protection Agent from being terminated and the backup schedule from being tampered with. A selection of behaviors that Cyber Protect detects and stops:

  • A process accessing certain (system) files
  • A process having a suspicious code pattern
  • A process accessing a large number of files and processing them according to a suspicious pattern (e.g., encryption)
  • A process attempting to deliberately disable protection functions or exploit known but unpatched vulnerabilities in the operating system or third-party software

In each of the above cases you are informed immediately about the finding, including a report on what triggered the detection and what the process did. In addition, an allow list and a block list can be configured so that specific processes or folders are excluded from scanning.
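To make the third bullet concrete (a process touching many files and processing them in a suspicious, encryption-like pattern), here is an added toy behavior-based detector. It is example code written for this article, not Cyber Protect or BitDefender code, and its thresholds, process names (editor.exe, archiver.exe, updater.exe), paths, and the ".locked" extension are all constructed assumptions. It scores a stream of file-system events per process on three signals: many distinct files across several directories in a short window, writes whose content has near-random Shannon entropy (as encrypted data does), and bulk renames to a new extension. A single high-entropy write (an archiver producing a ZIP) or a slow editor saving a few documents is deliberately not flagged.

```python
"""Toy behaviour-based ransomware detector (added example, not vendor code).

Events are constructed inline; thresholds are illustrative assumptions.
"""
import math
import os
import random
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float            # seconds since start of the trace
    pid: int
    image: str           # process image name (constructed, not real binaries)
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # payload for writes
    new_path: str = ""   # target for renames


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/random data, ~4-5 for plain text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class ProcState:
    files: set = field(default_factory=set)
    dirs: set = field(default_factory=set)
    writes: int = 0
    high_entropy_writes: int = 0
    ext_renames: int = 0
    first_ts: float = -1.0
    last_ts: float = 0.0


# Assumed thresholds for this example, not values from any product.
WINDOW_SECONDS = 60.0     # "many files" must happen within this window
MIN_FILES = 20
MIN_DIRS = 3
ENTROPY_THRESHOLD = 7.0   # bits/byte; above this a write looks encrypted
HIGH_ENTROPY_RATIO = 0.8  # share of a process's writes that must look encrypted


def score_process(st: ProcState) -> list[str]:
    """Return human-readable reasons if the process looks like a file encryptor."""
    span = st.last_ts - st.first_ts
    # Touching few files, or many files slowly, is normal (indexers, backup jobs).
    if len(st.files) < MIN_FILES or len(st.dirs) < MIN_DIRS or span > WINDOW_SECONDS:
        return []
    reasons = [f"{len(st.files)} files in {len(st.dirs)} directories within {span:.1f}s"]
    if st.writes and st.high_entropy_writes / st.writes >= HIGH_ENTROPY_RATIO:
        reasons.append(f"{st.high_entropy_writes}/{st.writes} writes look encrypted "
                       f"(entropy >= {ENTROPY_THRESHOLD} bits/byte)")
    if st.ext_renames >= MIN_FILES:
        reasons.append(f"{st.ext_renames} files renamed to a new extension")
    # Mass file access alone is not enough; require an encryption indicator too.
    return reasons if len(reasons) > 1 else []


def analyze(events: list[Event]) -> dict[int, list[str]]:
    """Replay the event stream and return {pid: reasons} for flagged processes."""
    states: dict[int, ProcState] = defaultdict(ProcState)
    images: dict[int, str] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        st = states[ev.pid]
        images[ev.pid] = ev.image
        if st.first_ts < 0:
            st.first_ts = ev.ts
        st.last_ts = ev.ts
        st.files.add(ev.path)
        st.dirs.add(os.path.dirname(ev.path))
        if ev.op == "write":
            st.writes += 1
            if shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
                st.high_entropy_writes += 1
        elif ev.op == "rename":
            old_ext = os.path.splitext(ev.path)[1]
            new_ext = os.path.splitext(ev.new_path)[1]
            if new_ext and new_ext != old_ext:
                st.ext_renames += 1
    return {pid: [images[pid]] + r for pid, st in states.items() if (r := score_process(st))}


def build_sample_events() -> list[Event]:
    """Constructed trace: a benign editor, a benign archiver, and an encryptor."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    events = []
    text = b"Quarterly report: revenue up 3%, costs flat, headcount unchanged.\n" * 32
    for i, t in enumerate((0.0, 12.0, 29.0)):   # editor saves 3 documents slowly
        events.append(Event(t, 1001, "editor.exe", "write",
                            f"C:/Users/anna/Documents/report{i}.docx", text))
    # One large high-entropy write to a single file: compression, not ransomware.
    events.append(Event(5.0, 1002, "archiver.exe", "write",
                        "C:/Users/anna/backup.zip", rng.randbytes(4096)))
    t = 40.0  # encryptor: 40 files in 4 folders in ~4s, random bytes, renamed
    for i in range(40):
        folder = ("Documents", "Pictures", "Desktop", "Projects")[i % 4]
        path = f"C:/Users/anna/{folder}/file{i}.txt"
        events.append(Event(t, 4242, "updater.exe", "write", path, rng.randbytes(2048)))
        events.append(Event(t + 0.05, 4242, "updater.exe", "rename", path,
                            new_path=path + ".locked"))
        t += 0.1
    return events


if __name__ == "__main__":
    for pid, reasons in analyze(build_sample_events()).items():
        print(f"pid {pid} ({reasons[0]}) flagged: " + "; ".join(reasons[1:]))
```

Run as a script, only pid 4242 is reported, with all three reasons. Real products correlate such signals with process lineage, signatures and cloud reputation, and, as described above, roll back the affected files from backup; the point of the toy is that entropy alone (the archiver) or file count alone (a backup job) would each produce false positives, so the signals are combined.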

If you would like to learn more about Cyber Protect or test the solution, we look forward to hearing from you.