Severity
High
Analysis Summary
Conti is a ransomware family first observed in December 2019. It is highly sophisticated malware designed to encrypt files on a victim’s computer and demand a ransom payment in exchange for the decryption key. The ransomware is typically delivered through phishing emails or by exploiting vulnerabilities in unpatched software. Once a computer is infected, Conti encrypts files and appends the “.conti” extension to the file names. The malware also drops a ransom note on the victim’s desktop with instructions on how to pay the ransom and regain access to the encrypted files. Paying the ransom does not guarantee that the files will be decrypted, and it is generally not recommended, as it only encourages the attackers to continue their activities.
Conti is considered a particularly dangerous strain of ransomware and has been responsible for a number of high-profile attacks on businesses and organizations around the world. To protect against it, keep computer systems up to date with the latest security patches, use anti-virus software, regularly back up important files, and avoid clicking on suspicious links or downloading attachments from unknown sources.
Impact
- Sensitive File Theft
- File Encryption
Indicators of Compromise
MD5
- cc94e9ab396fef0d9ee7caa7e9d44b8c
- 4f713ba76b4b750bfade446af30cef55
SHA-256
- 583f35d8d15dd19cd1cdcc1e03f6b3e1eaf1fa0df452eb80868d3767292d523b
- f6dfa1e569f6c7da647224cf0553694462c5717c4793fb21f8e1d7476f5f708d
SHA-1
- ea701578e445fddc71fc61f4073ccc1000c77220
- 55edd83d6e0febf7b3bdb27ba5b3784371cbcaad
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IoCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
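The advisory's remediation steps ask defenders to search their environment for the listed IoCs. The following Python script is an added example, not part of the advisory or of any vendor tool: it hashes every file under a directory with MD5, SHA-1 and SHA-256, matches the digests against the hash set published above, and separately flags files carrying the “.conti” extension that the summary says the ransomware appends. The sample directory it scans is constructed inline from harmless placeholder bytes; the `demo()` function and the extra hash it adds to the IoC set are assumptions made so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes copied from the advisory's Indicators of Compromise section.
CONTI_IOC_HASHES = {
    "md5": {
        "cc94e9ab396fef0d9ee7caa7e9d44b8c",
        "4f713ba76b4b750bfade446af30cef55",
    },
    "sha1": {
        "ea701578e445fddc71fc61f4073ccc1000c77220",
        "55edd83d6e0febf7b3bdb27ba5b3784371cbcaad",
    },
    "sha256": {
        "583f35d8d15dd19cd1cdcc1e03f6b3e1eaf1fa0df452eb80868d3767292d523b",
        "f6dfa1e569f6c7da647224cf0553694462c5717c4793fb21f8e1d7476f5f708d",
    },
}

# Extension the advisory says Conti appends to encrypted files.
CONTI_EXTENSION = ".conti"


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Return md5/sha1/sha256 hex digests of a file, read in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root: str, ioc_hashes=CONTI_IOC_HASHES, extension=CONTI_EXTENSION) -> list:
    """Walk `root` and return (path, reason) findings for IoC hash matches
    and for files whose name ends with the ransomware extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(extension):
                findings.append((path, f"extension {extension}"))
            try:
                digests = hash_file(path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the sweep.
                continue
            for algo, digest in digests.items():
                if digest in ioc_hashes.get(algo, set()):
                    findings.append((path, f"{algo} match {digest}"))
    return findings


def demo() -> list:
    """Scan a constructed sample tree (placeholder bytes, no real malware)
    and return the sorted list of finding reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "report.docx").write_bytes(b"constructed benign content")
        (Path(tmp) / "report.docx.conti").write_bytes(b"constructed placeholder for an encrypted file")
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample whose digest is added to the IoC set")
        # Assumption for the demo: extend the advisory's set with this sample's
        # SHA-256 so a hash match can be shown without real malware on disk.
        iocs = {algo: set(values) for algo, values in CONTI_IOC_HASHES.items()}
        iocs["sha256"].add(hash_file(str(sample))["sha256"])
        return sorted(reason for _path, reason in scan_directory(tmp, iocs))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

In practice the `CONTI_IOC_HASHES` set would be fed from a threat-intelligence feed rather than hard-coded, and the sweep run under a read-only account; the extension check is deliberately kept separate from the hash check because an already-encrypted file never matches the dropper's hash.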