ThreatLabz analyzed an updated Conti ransomware build from January 2022. The build predates the February 2022 leak of Conti's source code and chat logs, and Conti attacks continued after the leak, with the update adding encryption and evasion improvements. It introduces a Safe Mode boot encryption mode, new command-line options, registry-based persistence and auto-logon, and a redesigned ransom workflow, signaling Conti's persistence and its potential to rebrand after the leaks. #Conti #ThreatLabz
Keypoints
- ThreatLabz identified an updated Conti ransomware version in January 2022; the group kept operating after the February 2022 leaks of Conti source code and chat logs.
- The update adds the ability to reboot the victim into Safe Mode with Networking, where most security software is not loaded but network shares remain reachable, to maximize the number of files encrypted.
- New command-line arguments were added and some old flags removed; the new arguments drive the Safe Mode reboot, the automatic login, and the automated restart of Conti after the reboot.
- Persistence is achieved through the registry: a RunOnce entry relaunches Conti after the reboot, and Winlogon auto-logon values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword) log the chosen account in automatically in Safe Mode.
- Conti encrypts each file with a random 256-bit ChaCha key, and each key is protected by a hardcoded, victim-specific 4096-bit RSA public key; the extension appended to encrypted files was changed to a mixed-case alphanumeric string.
- The ransom note and portal were updated, including a direct link to a victim-specific chat portal and a new TOR URL.
- Despite the leaks, ThreatLabz expects further updates or a fork or rebrand, so Conti-like campaigns remain a risk.
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Conti creates a RunOnce registry entry to relaunch itself after the reboot into Safe Mode: ‘a registry value is created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with the name *conti and the value <path_to_conti_executable> -disablesafeboot’. The asterisk prefix matters: Windows ignores Run/RunOnce entries in Safe Mode unless the value name begins with `*`.
- [T1112] Modify Registry – The malware sets the Winlogon auto-logon values so the account is logged in automatically after the reboot: ‘AutoAdminLogon = 1; DefaultUserName = <username>; DefaultDomainName = <computer_name or domain_name>; DefaultPassword = <password>’ (these values live under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon).
- [T1078] Valid Accounts – Logs in to Safe Mode with provided credentials: ‘Log in to Windows Safe Mode as the specified user’
- [T1059.003] Windows Command Shell – Uses cmd.exe to prepare the account used for the Safe Mode login, first enabling it and then setting it an empty password: ‘cmd.exe /c net user <admin> /active:yes’ and ‘cmd.exe /c net user <admin> ""’
- [T1021.002] SMB/Windows Admin Shares – Encrypts files on network shares by booting into Safe Mode with networking: ‘The network mode is enabled, so that Conti can still be used to encrypt files on network shares.’
- [T1486] Data Encrypted for Impact – Encrypts files with per-file 256-bit ChaCha keys and RSA-protects keys: ‘per file random 256-bit ChaCha symmetric key… Each file’s ChaCha key is protected by a hardcoded victim-specific 4,096-bit RSA public key.’
- [T1562.009] Impair Defenses: Safe Mode Boot – Reboots into Safe Mode, where security software is often not loaded: ‘many security software applications … will not be loaded by default when the system is running in Safe Mode.’
- [T1491.001] Defacement: Internal Defacement – The ransomware also replaces the desktop wallpaper: ‘the ability to change desktop wallpaper by writing an embedded PNG file to C:\ProgramData\conti.png’
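The two registry artifacts above (the `*conti` RunOnce entry and the Winlogon auto-logon values) are straightforward to hunt for offline. The following Python script is an added example, not code from the ThreatLabz post: it parses a Windows `.reg` export such as one produced by `reg export` on a suspect host and flags both artifacts. The sample export, the executable path and the account name are constructed for illustration; the Winlogon key path is the standard Windows location of the AutoAdminLogon values, which the page quotes without naming the key. It also handles the edge case the `net user <admin> ""` step creates: DefaultPassword may be present but empty, so the check tests for the value's presence rather than its truthiness.

```python
r"""Offline hunt for the Conti Safe Mode persistence chain described above.

Added example, not ThreatLabz's code. It parses a Windows .reg export
(e.g. `reg export HKLM\SOFTWARE\Microsoft out.reg` on a suspect host) and flags:
  * RunOnce values whose name starts with '*' (Windows runs these even in
    Safe Mode) or whose command line passes -disablesafeboot;
  * Winlogon AutoAdminLogon=1 together with a stored DefaultPassword.
"""
import re

RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
# Standard location of the auto-logon values quoted on the page (the page
# quotes the values but does not name the key).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export; the executable path and account are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*conti"="C:\\Users\\Public\\update.exe -disablesafeboot"
"CleanupTask"="C:\\Windows\\System32\\cmd.exe /c del C:\\Temp\\x.log"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultDomainName"="WORKSTATION01"
"DefaultPassword"=""
'''

# "name"=data or @=data; the name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles REG_SZ ("name"="data") and REG_DWORD (dword:xxxxxxxx); other
    value types are kept as their raw text so nothing is silently dropped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def hunt(keys):
    """Return (category, detail) findings for the Safe Mode persistence chain."""
    findings = []
    for name, data in keys.get(RUNONCE_KEY, {}).items():
        cmd = str(data)
        if name.startswith("*"):
            findings.append(("runonce_safemode", f"{name} runs even in Safe Mode: {cmd}"))
        if "-disablesafeboot" in cmd.lower():
            findings.append(("runonce_disablesafeboot", f"{name} -> {cmd}"))
    wl = keys.get(WINLOGON_KEY, {})
    if str(wl.get("AutoAdminLogon", "0")).strip() == "1":
        account = f"{wl.get('DefaultDomainName', '?')}\\{wl.get('DefaultUserName', '?')}"
        detail = f"AutoAdminLogon=1 for {account}"
        if "DefaultPassword" in wl:
            # The password may have just been blanked with `net user <admin> ""`,
            # so an empty DefaultPassword is still a hit: test presence, not truthiness.
            detail += "; cleartext DefaultPassword stored"
            if wl["DefaultPassword"] == "":
                detail += " (empty)"
        findings.append(("winlogon_autologon", detail))
    return findings


if __name__ == "__main__":
    for category, detail in hunt(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {detail}")
```

Run against a real export, replace `SAMPLE_REG` with the file's contents (`reg export` writes UTF-16; open it with `encoding="utf-16"`). A legitimate RunOnce entry without the `*` prefix, like `CleanupTask` in the sample, produces no finding, so the signal is the combination of the asterisk prefix, the `-disablesafeboot` argument and the auto-logon values rather than RunOnce activity in general.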
Indicators of Compromise
- [SHA256] Conti ransomware – fca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847, 16cc7519945bace49ef729e69db7d19e00252f2bd559903e1631c8878c2360f4, and 3 more hashes