The Conti ransomware has, since its initial release, impacted a large number of computer systems, and unlike most common malware it is able to use all available CPU threads during its execution. As more samples are collected, researchers note that the main engine has been compiled to use 32 CPU threads at once, a capability not commonly seen in ransomware.
The Conti Ransomware Appears to be More Advanced Than Other Similar Malware
The Conti ransomware, one of the more recent strains in this category, is now regarded as an advanced threat. This assessment is drawn from analyses of the captured samples. The virus is programmed for extended hardware compatibility, which lets it spread its processing across multiple CPU cores. The analyzed samples can run up to 32 threads at the same time, which corresponds to the higher end of desktop and server processors currently available.
This particular threat is designed to be operated by the criminal collective rather than to execute automatically, run an integrated sequence and then report the results to a hacker-controlled server. The Conti ransomware appears to have been created as a hacking tool for intrusions into government agencies and large organizations. Such systems and networks are more likely to house servers and machines fitted with hardware such as these high-performing CPUs.
The main Conti ransomware can be controlled remotely by the hackers via a command-line client as soon as an infection is made. Other available options include the ability to skip certain data during encryption: specific files can be excluded, both on the local drive and on accessible networked SMB shares. The command to encrypt certain files is issued by feeding in a list of IP addresses of contaminated hosts together with the necessary file extensions.
One of the reasons to use this malware instead of alternatives is that it runs almost silently: it can infect systems without raising awareness of itself. The captured malware has been found to abuse the Windows Restart Manager, the operating system service that unlocks data before Windows is restarted.
It is very likely that the attacks will continue, as Conti can automatically unlock access to the system and manipulate running processes, including system and user-installed applications. This means that active applications can be shut down and also monitored for users' actions. Through this approach the malware can access user input, which can potentially be used for various crimes: identity theft, data gathering, financial abuse and so on.
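The two behaviours described above (Restart Manager calls to release file locks, and a large worker-thread pool rewriting files in bulk) can be scored together from endpoint telemetry. The following is an added example, not code from the article or from any vendor product; the event format, process names and thresholds are constructed assumptions, and the Restart Manager API names (RmStartSession, RmRegisterResources, RmGetList, RmShutdown) are the real rstrtmgr.dll exports.

```python
"""Heuristic scoring of constructed EDR-style events for Conti-like behaviour:
Restart Manager abuse plus an unusually large thread pool doing bulk file writes.
Event tuples, thresholds and process names are assumptions for illustration."""
from collections import defaultdict

# Constructed sample telemetry: (pid, image, event_kind, detail)
EVENTS = [
    (4120, "winword.exe", "api", "CreateFileW"),
    (4120, "winword.exe", "thread", "create"),
    (7731, "msiexec.exe", "api", "RmStartSession"),  # installers legitimately query locks
    (7731, "msiexec.exe", "api", "RmGetList"),
    (7731, "msiexec.exe", "thread", "create"),
]
# One process spins up 32 threads, forces lock holders to shut down via the
# Restart Manager, then rewrites hundreds of documents on a share.
EVENTS += [(9912, "update.exe", "thread", "create")] * 32
EVENTS += [(9912, "update.exe", "api", a)
           for a in ("RmStartSession", "RmRegisterResources", "RmGetList", "RmShutdown")]
EVENTS += [(9912, "update.exe", "file", f"\\\\fileserver\\share\\doc{i}.docx") for i in range(200)]

RM_APIS = {"RmStartSession", "RmRegisterResources", "RmGetList", "RmShutdown"}
THREAD_THRESHOLD = 16   # assumed: well above typical interactive applications
FILE_THRESHOLD = 100    # assumed: bulk modification within the observation window

def summarize(events):
    """Aggregate per-process indicators from the raw event stream."""
    stats = defaultdict(lambda: {"image": None, "threads": 0, "rm": set(), "files": 0})
    for pid, image, kind, detail in events:
        s = stats[pid]
        s["image"] = image
        if kind == "thread":
            s["threads"] += 1
        elif kind == "api" and detail in RM_APIS:
            s["rm"].add(detail)
        elif kind == "file":
            s["files"] += 1
    return stats

def score(s):
    """0-3: each indicator alone is weak (installers use RmGetList; servers use
    many threads); only RmShutdown plus many threads plus bulk writes is strong."""
    return (int(s["threads"] >= THREAD_THRESHOLD)
            + int("RmShutdown" in s["rm"])
            + int(s["files"] >= FILE_THRESHOLD))

def flag(events, min_score=3):
    """Return the sorted pids whose combined score reaches min_score."""
    return sorted(pid for pid, s in summarize(events).items() if score(s) >= min_score)

if __name__ == "__main__":
    for pid in flag(EVENTS):
        print(f"suspicious pid {pid}: {summarize(EVENTS)[pid]}")
```

Note that RmShutdown alone is the discriminating call: RmStartSession and RmGetList are routinely used by installers to list lock holders without terminating them.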
The Conti ransomware is devised and run by an unknown hacking group that appears to be very experienced in building such a complex threat. Further attack campaigns and updates to Conti are expected.