Just when you thought ransomware couldn’t sport something new, the latest family discovered by VMware’s Threat Analysis Unit shows significant advances in capabilities and execution.
Ransomware has continually evolved over the past years, taking strides to expand its reach within a network, to thwart recovery efforts, and even to exfiltrate data. But the latest evolutionary steps uncovered by VMware show how cybercriminals are thinking about the problems of avoiding detection and improving their encryption efforts.
According to new research from VMware, the CONTI family of ransomware has taken steps to improve the performance of encryption while using new and old methods to ensure success. The more data ransomware can successfully encrypt, the more disruptive the attack, and the higher the likelihood that ransoms will be paid. CONTI uses up to 32 independent threads to encrypt data simultaneously, thereby speeding up the process. And to ensure that the files it intends to encrypt are not locked by running applications, VMware researchers have spotted a new technique whereby CONTI uses the Windows Restart Manager to cleanly close the applications holding those locks, allowing the files to be included in the encryption process.
CONTI avoids detection by using 277 unique string encoding algorithms to obfuscate the original code and bloat the simple program into a larger application that is more difficult to identify as ransomware.
There are tons more cool aspects of this ransomware – stopping 160 known applications that may hinder its efforts, command-line control over local vs. network targeting, and more.
This is one very powerful piece of ransomware.
Given CONTI’s ability to avoid detection using a number of methods, relying on security solutions as the primary means of prevention may prove less than effective. Organizations need to prevent these new forms of ransomware from ever launching in the first place. By empowering users with Security Awareness Training, users can identify the phishing and social engineering tactics used to trick them into launching malicious content, stopping attacks before they ever start.