Conti ransomware encrypts files using ChaCha20/8, and then demands a ransom in bitcoins to get the files back.
Conti ransomware (a.k.a. Hermes, Ryuk, Wizard Spider) is a malicious program that prevents users from accessing their data unless the victims pay a ransom. Conti automatically scans networks for valuable targets, spreads through the network, and encrypts every PC that can find.
The first indications of a unique Conti ransomware group appeared in October 2019. The group did not establish its website until early 2020 on fylszpcqfel7joif.onion. Since then, we’ve observed data belonging to 567 different companies have been shared on the Conti extortion site continews.click and continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion. This number only represents victims whose names are shared on the extortion site or whose data is shared and subsequently deleted. In addition, Conti uses another TOR hidden service for serving the stolen victim data. Data download links point to the domain nilbxxtm5mava3k2r5vzkuuu2g4bp5wlupo3nzry3c6q5rm5sti5ktqd.onion with a random path.
Conti Ransomware Blog
Everything You Need to Know about the Conti Ransomware
Conti ransomware group appears to be one of many private cybercrime groups that have set up their operations by leveraging the booming ransomware-as-a-service (RaaS) ecosystem. Such gangs obtain their foothold in their victims’ networks by purchasing access from other threat actors, who sell it as a commodity. They can also procure infrastructure, malware, communications tools, and money laundering from other RaaS providers.
Most of these actors use the same methods of access found in many ransomware attacks, such as phishing emails and exploiting unprotected internet-facing applications, the lack of multi-factor authentication (MFA), as well as the typical avenues used to preserve and enhance access once it’s achieved, such as through the use of Cobalt Strike or PowerShell.
These approaches are not particularly smart or sophisticated, but often they are effective. For example, Conti’s group methodology usually follows the “double extortion” approach many leading ransomware groups use. When using double extortion, attackers will not only lock up a victim’s files and demand ransom, but they will also steal files and threaten to publish them on a website or otherwise leak them if their initial ransom demand is not met.