Conti ransomware shuts down backup services and unlocks files with Windows Restart Manager

Acronis Cyber Protect Cloud
for service providers

Conti ransomware shuts down backup services and unlock files with Windows Restart Manager before encryption

Summary

  • First seen in December 2019.
  • The average demand for this ransomware is under $100,000. 
  • Uses Windows Restart Manager to close open and unsaved files before encryption.
  • Contains more than 250 strings decryption routines and about 150 services to be terminated.
  • Performs fast file encryption in 32 simultaneous threads using Windows I/O Completion Ports.
  • The ransomware follows the trend and recently has launched the 'Conti.News' data leak site.

Conti is a ransomware that supposedly inherits its code from Ryuk family and used in targeted attacks against enterprises since December 2019. Recently, Conti operators started the data leak site called ‘Conti.News’ to publish stolen data in case the ransom is not paid. Being a successor of Ryuk ransomware, Conti can be delivered by Trickbot trojans. Conti also implements the Ransomware-as-a-Service model

Acronis

fylszpcqfel7joif.onion site is created for publishing stolen company’s data.   

Acronis

Operation modes

The Conti ransomware can be launched with one of the two parameters: ‘-h’ and ‘--encrypt-mode’.

  •  ‘--encrypt-mode’ indicates which files are being encrypted, there are 3 possible values: ‘all’, ‘local’, ‘network’. ‘all’ supposes both types of encryption, local and network. Network encryption means to encrypt shared resources inside the local network. By default, ransomware is run with ‘all’ parameters. 
  • ‘-h’ parameter should be run with corresponding filename, where the list of DNS or NetBIOS names of the remote servers is written on which the function NetShareNum() is to execute. By default ‘-h’ is assigned to null, to retrieve information about each shared resource on a current computer.

ProliferationThe ransomware is looking shared resources inside the local network by the local following IP address patterns:  

●     “172.”

●     “192.168”

●     “10.”

Killing services  

The ransomware deletes shadow copies of the files and resizes shadowstorages for disks from C: to H: that may also result in shadow copies disappearing.

cmd.exe /c vssadmin Delete Shadows /all /quiet cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded cmd.exe /c vssadmin Delete Shadows /all /quiet

The next step is stopping services that belong to SQL, antivirus, and backup and cyber security solutions such as BackupExec and Veeam. It also tries to terminate the Acronis Cyber Protection solution, but fails due to our self protection feature. List contains about 146 services, most of them are SQL databases. The Acronis self-protection technology successfully prevents the backup services from being terminated by the ransomware.  

Acronis VSS Provider Enterprise Client Service SQLsafe Backup Service SQLsafe Filter Service Veeam Backup Catalog Data Service AcronisAgent AcrSch2Svc Antivirus ARSM BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDeviceMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService BackupExecVSSProvider bedbg DCAgent EPSecurityService EPUpdateService EraserSvc11710 EsgShKernel FA_Scheduler IISAdmin IMAP4Svc McShield McTaskManager mfemms mfevtp MMS mozyprobackup MsDtsServer MsDtsServer100 MsDtsServer110 MSExchangeES MSExchangeIS MSExchangeMGMT MSExchangeMTA MSExchangeSA MSExchangeSRS MSOLAP$SQL_2008 MSOLAP$SYSTEM_BGC MSOLAP$TPS MSOLAP$TPSAMA MSSQL$BKUPEXEC
MSSQL$SBSMONITORING MSSQL$SHAREPOINT MSSQL$SQL_2008 MSSQL$SYSTEM_BGC MSSQL$TPS MSSQL$TPSAMA MSSQL$VEEAMSQL2008R2 MSSQL$VEEAMSQL2012 MSSQLFDLauncher MSSQLFDLauncher$PROFXENGAGEMENT MSSQLFDLauncher$SBSMONITORING MSSQLFDLauncher$SHAREPOINT MSSQLFDLauncher$SQL_2008 MSSQLFDLauncher$SYSTEM_BGC MSSQLFDLauncher$TPS MSSQLFDLauncher$TPSAMA MSSQLSERVER MSSQLServerADHelper100 MSSQLServerOLAPService MySQL57 ntrtscan OracleClientCache80 PDVFSService POP3Svc ReportServer ReportServer$SQL_2008 ReportServer$SYSTEM_BGC ReportServer$TPS ReportServer$TPSAMA RESvc sacsvr SamSs SAVAdminService SAVService SDRSVC SepMasterService ShMonitor Smcinst SmcService SMTPSvc SQLAgent$BKUPEXEC SQLAgent$ECWDB2 SQLAgent$PRACTTICEBGC SQLAgent$PRACTTICEMGT SQLAgent$PROFXENGAGEMENT SQLAgent$SBSMONITORING SQLAgent$SHAREPOINT SQLAgent$SQL_2008 SQLAgent$SYSTEM_BGC MSSQL$PRACTICEMGT
SQLAgent$TPS SQLAgent$TPSAMA SQLAgent$VEEAMSQL2008R2 SQLAgent$VEEAMSQL2012 SQLBrowser SQLSafeOLRService SQLSERVERAGENT SQLTELEMETRY SQLTELEMETRY$ECWDB2 SQLWriter VeeamBackupSvc VeeamBrokerSvc VeeamCatalogSvc VeeamCloudSvc VeeamDeploymentService VeeamDeploySvc VeeamEnterpriseManagerSvc VeeamMountSvc VeeamNFSSvc VeeamRESTSvc VeeamTransportSvc W3Svc wbengine WRSVC MSSQL$VEEAMSQL2008R2 SQLAgent$VEEAMSQL2008R2 VeeamHvIntegrationSvc swi_update SQLAgent$CXDB SQLAgent$CITRIX_METAFRAME SQL Backups MSSQL$PROD Zoolz 2 Service MSSQLServerADHelper SQLAgent$PROD msftesql$PROD NetMsmqActivator EhttpSrv ekrn ESHASRV MSSQL$SOPHOS SQLAgent$SOPHOS AVP klnagent MSSQL$SQLEXPRESS SQLAgent$SQLEXPRESS wbengine mfefire MSSQL$PROFXENGAGEMENT MSSQL$ECWDB2 MSSQL$PRACTTICEBGC

The last step before encryption is terminating SQL-related processes. The predefined “sql” string is matched with the list of the running processes. 

 

Acronis

Unlocking files  

To unlock the currently opened files for encryption, Conti calls Windows Restart Manager to force the files closing. To do that, Conti loads an unusual for malware dynamic linking library rstrtmgr.dll for operating with the Restart Manager service. In short, Restart Manager is responsible for saving and not damaging open and unsaved files before system reboot. It prompts the user to save his data before the system will be shut down. The main feature which is abused by Conti is files unlocking. Before a file will be encrypted, it is checked by the piece of code below, to ensure that file is unlocked and can be closed immediately to prevent the file from being damaged as much as possible. 

Acronis

Encryption

Conti ransomware uses RSA-4096 and AES-256-CBC encryption algorithms. The embedded public master RSA-4096 key is used for encrypting AES keys generated per file and appending them in the footer of every file.   

Conti`s encryption is implemented using Windows I/O Completion Ports to speed up the encryption process by running 32 concurrent threads.

Acronis
Acronis
Acronis

Lastly, Conti retrieves the result of file encryption using GetQueuedCompletionStatus() and adds the encrypted AES-256-CBC file key to the footer. 

The hardcoded master RSA-4096 key is imported from the  ‘.data’ section to the Microsoft Cryptographic Provider.  

Acronis
Acronis

The folders that are ignored during encryption:

 

tmp

winnt

Application Data

AppData

temp

thumb

$Recycle.Bin

$RECYCLE.BIN

System Volume Information

Program Files

Program Files (x86)

Windows

Boot

The file extensions that are skipped by ransomware:

.exe

.dll

.lnk

.sys

.CONTI

The encrypted files are appended with ‘.CONTI’ extension and look as follows.

Acronis

Ransom note

CONTI leaves a ransom note in every folder to notify a user about infection. It does not generate a user ID and asks to write to one of the email addresses mentioned in the note.   

Acronis

Detection by Acronis

Acronis Cyber Protection successfully blocks Conti ransomware with the help of anti-ransomware protection engine and restores encrypted files.

Acronis

IoCs

MD5: c3c8007af12c9bd0c3c53d67b51155b7 SHA256: 8c243545a991a9fae37757f987d7c9d45b34d8a0e7183782742131394fc8922d Mutex =_CONTI_ .CONTI extension CONTI_README.txt flapalinta1950@protonmail.com xersami@protonmail.com

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.