Conti Ransomware (Analysis and Recovery Options)
This page details everything you need to know about Conti ransomware. If you have been hit by Conti ransomware and need help recovering your data, we're here to help.
What is Conti ransomware?
Conti ransomware is a Ransomware-as-a-Service (RaaS) variant. The Conti ransomware variant was first detected in December 2019, increasing in prominence in the summer of 2020.
Linked to the developers of Ryuk, Conti operators typically target corporate networks. Conti ransomware spreads laterally until it has acquired domain administrative credentials. Conti can rapidly encrypt files thanks to its auto-spreading functionality. Conti ransomware is commonly distributed by the TrickBot or Emotet trojan.
Conti runs its encryption across multiple concurrent threads to speed up the attack. Conti is not the only ransomware that uses multi-threading, but it has been found to be faster than many variants because it uses 32 concurrent threads.
Conti ransomware operators are suspected to be experienced hackers that distribute the ransomware in exchange for a significant portion of the ransom amount.
This profit-sharing model is a further indication that Conti is executed manually by its operators. Conti can also run without operator interaction, in which case it attempts to encrypt every file it can reach.
Conti ransomware often limits its encryption to partitions of the server that have no internet connectivity. This tactic allows Conti ransomware to remain undetected in the environment for longer. This is a feature unique to Conti ransomware; most ransomware variants display signs of destruction across multiple systems.
Conti ransomware Indicators of Compromise (IoC)
There are several Conti ransomware Indicators of Compromise (IoC) that signal the malware is present on a victim computer.
Conti Encrypted Files
If your data has been encrypted by Conti ransomware, you will notice a different extension appended to each file. These extensions are 5-8 characters long and randomly generated.
Conti Ransom Note
You will also find a Conti ransom note as a .TXT file named README.TXT in every folder on your computer.
Below you will find an example of a Conti ransom note:
The Conti ransom note provides the victim with instructions on what to do next if they want their files decrypted. Each Conti ransom note includes:
- Unique key ID needed to access the Tor portal and associated with encrypted file extensions on your computer
- Tor browser portal address
If you are looking to have your data recovered, it is important to not delete the Conti ransomware note as this information will be used during the ransomware recovery process.
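The two file-system indicators above (a random 5-8 character extension appended to each encrypted file, and a README.TXT note in every folder) can be checked together with a short scan. This is an added example, not code from Proven Data; the KNOWN_EXTS allow-list and the MIN_HITS threshold are assumptions to tune for your environment, and the sample tree is constructed inline.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
# Indicators from this page: a random 5-8 character extension appended to each
# encrypted file, and a README.TXT ransom note dropped in every folder.
RANDOM_EXT = re.compile(r"\.([A-Za-z0-9]{5,8})$")
NOTE_NAME = "readme.txt"
# Legitimate long extensions to ignore (assumption; extend for your environment).
KNOWN_EXTS = {"docx", "xlsx", "pptx", "jpeg", "sqlite", "config", "class", "torrent"}
MIN_HITS = 3  # assumption: alert when one unknown extension appears on this many files


def scan_tree(root):
    """Walk root; return (dirs holding a ransom note, unknown-extension counts, dirs seen)."""
    note_dirs, ext_counts, total_dirs = [], Counter(), 0
    for dirpath, _dirnames, filenames in os.walk(root):
        total_dirs += 1
        for name in filenames:
            if name.lower() == NOTE_NAME:
                note_dirs.append(dirpath)
                continue
            m = RANDOM_EXT.search(name)
            if m and m.group(1).lower() not in KNOWN_EXTS:
                ext_counts[m.group(1)] += 1
    return note_dirs, ext_counts, total_dirs


def assess(root):
    """Combine both indicators into a verdict plus the evidence behind it."""
    note_dirs, ext_counts, total_dirs = scan_tree(root)
    suspect_exts = {e: n for e, n in ext_counts.items() if n >= MIN_HITS}
    note_coverage = len(note_dirs) / total_dirs if total_dirs else 0.0
    # Wide note coverage plus one unknown extension on many files is a strong signal.
    return {
        "suspicious": bool(suspect_exts) and note_coverage >= 0.5,
        "suspect_extensions": suspect_exts,
        "note_dirs": sorted(note_dirs),
        "note_coverage": note_coverage,
    }


def build_sample_tree():
    """Constructed sample: two folders hit by the ransomware, root left untouched."""
    root = Path(tempfile.mkdtemp())
    for sub in ("finance", "finance/2020"):
        (root / sub).mkdir(parents=True)
        (root / sub / "README.TXT").write_text("ransom note placeholder")
        for base in ("q1.xlsx", "q2.xlsx", "budget.docx"):
            (root / sub / (base + ".KQZRW")).write_text("ciphertext")
    (root / "beach.jpeg").write_text("untouched")
    return str(root)
```

Run `assess()` against a suspect share or drive root; the returned `note_dirs` list also tells you which folders to preserve before any cleanup.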
Conti Ransomware Portal
A Tor portal is uniquely generated for each Conti ransomware victim. This site is only available via the Tor browser link found in the .TXT ransom note file on the victim computer.
Below you will find an example of a Tor portal:
There is the option to upload the README.TXT file found on the victim computer. Once uploaded, the ID is scanned from the Conti ransom note and the user is prompted to enter an Email ID and Name used for communication.
How to stop Conti ransomware
You can stop Conti ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device will help stop the ransomware from encrypting files on other devices.
Once devices are isolated, you can start scanning with antivirus software to remove the malware and any potential back doors that have been left behind.
How much will Conti ransomware recovery cost?
Factors that influence the total cost of Conti recovery include:
- Assessment fee
- Number of encrypted systems
- Selected priority of service
- Ransom demand amount
How much do Conti ransom demands cost?
Our data from Q4 of 2020 concludes that the initial average Conti ransomware demand is $1,384,833.
Paying this ransom is the last resort for receiving a decrypter and regaining access to the encrypted files.
Given the sophistication of the Conti ransomware, its operators tend to target medium to large organizations.
Like many other ransomware groups, it is suspected that they tailor the ransom amounts to the following:
- Size and type of the victim company
- Size of the victim network
- Financial documents opened during reconnaissance while on the victim network
The graph below shows the comparison between the average initial ransom demand of Conti ransomware and other common variants.
How to decrypt Conti ransomware
If your files have been locked by Conti ransomware, you are probably trying to find out which ransomware recovery options are available to decrypt your data.
Unlock Conti encrypted files
Conti encrypts each file with its own AES-256 key. That per-file key is then encrypted with a bundled RSA-4096 public key, which is unique per victim. The encryption used by Conti is too strong to be broken. Additionally, there are currently no known flaws in the malware that could be exploited for data restoration.
This leaves victims of Conti with the only option of considering paying the ransom to obtain the decryption key and unlock their files.
As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.
Conti Decrypter Instructions
The Conti decrypter is a straightforward utility with a command-console-style interface.
Here are the steps to run the Conti decrypter tool:
1. Ensure the decrypter does not contain malicious code (a ransomware recovery company should be able to help you with this).
2. Disable anti-virus software on the machine you will be running the tool from. This includes Microsoft Defender.
3. Make sure to connect all the devices with encrypted files to the system you are going to be running the decrypter from. This includes mapping network shares and attaching external hard drives.
4. Right click the decryption executable file and run as administrator.
5. The decrypter console will appear and start the decryption process immediately. It goes through all devices connected to the system and decrypts the encrypted files it finds. Unlike other ransomware decrypters, the tool has neither a progress bar nor a list of the files it decrypts.
6. When the process is finished, the decrypter will close automatically.
How long does it take to recover from a Conti ransomware attack?
There are several factors which contribute to the time it takes to recover from a Conti attack. These include:
- Cleaning the environment from malware
- Securing vulnerabilities
- Negotiation time
- Compliance checks & making the ransom payment
- Decrypting the data
- Size of the network
- Number of files, file sizes & types
- Backing up and verifying the data
For a network with 1-3 servers and 10-15 workstations it takes approximately 1-3 business days to complete the full recovery process.
What attack vectors did Conti ransomware use?
Conti ransomware attacks are deployed by a hacker who has gained unauthorized access to the network via an unsecured RDP port, a successful email phishing campaign, or by exploiting a software security vulnerability.
Preserving evidence from Conti ransomware
In order to determine what the attackers removed from your network, you will need a forensic investigation performed. If you are considering a forensic investigation, it is important to preserve the evidence as soon as possible.
Here are the steps to preserve the forensic evidence:
- Do not shut down the computer or server as this will erase some artifacts
- Create a forensically sound image and take it offline
- Download firewall, VPN, and remote software logs
- Document all information pertaining to the ransomware attack
Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.
Does Conti ransomware steal data?
Conti ransomware operators are known to leak the data of victims who do not pay the ransom. Conti ransom notes specifically state that the stolen data will be published online if the ransom is not paid.
The operators of the ransomware host a public Conti leak site where leaked data can be found on the internet and the dark web.
Victims may fear:
- Brand reputation damage
- Loss of intellectual property
- Data breach liability
Why choose Proven Data Conti ransomware recovery?
Businesses that suffer downtime from a ransomware attack need a proven, time-tested solution to resume operations. That’s why we provide 24/7 access to staff who have significant experience recovering from the Conti ransomware variant.
Our firm understanding of the Conti ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to fully recover from the attack.
To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that can be used for insurance or law enforcement reporting purposes.
If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate Conti cyber incident, we are here to help.
Most frequent questions and answers
There are currently no publicly available Conti ransomware decryption tools to help victims unlock their files. If your files are encrypted by Conti, you may have to recover your data by:
- Recreating the data from scratch
- Restoring from backups
- Paying the ransom
No, it is currently not possible to decrypt Conti encrypted files without paying the ransom. However, there are some file types that can be repaired. You may ask a Proven Data representative about those file types.
Conti is known to download sensitive data from victims' networks once the operators gain access. A digital forensics investigation can help you learn what may have been removed from your network during the incident.
The forensic report can be used to satisfy regulatory requirements for HIPAA or other regulated data you may store on your network.