Conti is a new strain of ransomware recently discovered by Carbon Black’s Threat Analysis Unit (TAU). Most features of the ransomware are as anyone might expect from just about any other ransomware, but what does stand out are some of its features for speed and efficiency. Analysis by TAU revealed that Conti uses 32 threads for encryption. Multi-threading in malware is nothing new, but rarely do we ever see samples attempt to use that much of the CPU.
A second notable feature is that Conti has command line switches for running in local-only, network-only, and a more manual mode that accepts a list of hosts. While it can be run without any command line arguments, these switches suggest that Conti may also be run by the actor at times rather than complete automation with the goal of spreading across the enterprise. If run with the “-h” switch to specify hosts, Conti will first port scan the provided list to look for open SMB shares. Rather than connecting to every network share, it retrieves the ARP cache of the to focus only on network shares the victim normally connects to.
The most notable feature pointed out by TAU is Conti’s use of the Windows Restart Manager. Not many other malware families currently use this feature, but it can be abused to ensure maximum damage is caused. Some applications on Windows can “lock” files so that only that process can make changes, preventing corruption. With the Windows Restart Manager, however, an application could forcefully unlock a file. Abuse of this would allow ransomware to encrypt files that would have otherwise been safe.