Saleh Alzahrani
Yang Xiao
Sultan Asiri
ABSTRACT
The world has been witnessing an increase in malware attacks in recent years. Specifically, ransomware attacks, where attackers lock or encrypt victims' files and ask for a ransom to unlock or decrypt the files and restore the device's state. Ransomware dark market has become very profitable, and its cybercriminals make millions of dollars in revenue. One of the most active ransomware attacks in recent years is Conti ransomware. It works under a ransomware-as-a-service (RaaS) business model. The first beta version of Conti ransomware was seen in October 2019, and its first known attack was reported in July 2020 and has been operational since then. In this paper, we track the development of Conti ransomware, categorize its samples, and compare their features to understand its success and efficiency, which made it top the charts in terms of revenue and the number of attacks. First, we collect many Conti ransomware samples from its beta version to the latest known release. Then we analyze them in an isolated environment and categorize them into seven versions based on their release date and feature similarities. Finally, for each version, we list its features and the previous version's addition, deletion, and/or modification with our reasoning for these changes. This research shows that although Conti started as a beta version with minimal ransomware features, it gradually added new features or modified existing ones through the adoption of continuous development and delivery. For example, API hashing, API run-time loading, and efficient encryption mechanism area are all features added over time and have yet to exist in their earlier releases.
- Lawrence Abrams. 2020. Ryuk Successor Conti Ransomware Releases Data Leak Site. BleepingComputer. https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-siteGoogle Scholar
- Ali Ahmed Mohammed Ali Alwashali, Nor Azlina Abd Rahman, and Noris Ismail. 2021. A Survey of Ransomware as a Service (RaaS) and Methods to Mitigate the Attack. In 2021 14th International Conference on Developments in eSystems Engineering (DeSE). IEEE, Sharjah, United Arab Emirates, 92--96. Google ScholarCross Ref
- Saleh Alzahrani, Yang Xiao, and Wei Sun. 2022. An Analysis of Conti Ransomware Leaked Source Codes. IEEE Access 10 (2022), 100178--100193. Google ScholarCross Ref
- Brian Baskin. 2020. Tau Threat Discovery: Conti Ransomware. https://blogs.vmware.com/security/2020/07/tau-threat-discovery-conti-ransomware.htmlGoogle Scholar
- Drew Batchelor. 2018. PATHISDIRECTORYW function. Microsoft. https://learn.microsoft.com/en-us/windows/win32/api/shlwapi/nf-shlwapi-pathisdirectorywGoogle Scholar
- Drew Batchelor, Michael Satran, Mike Jacobs, and David Coulter. 2020. About Restart Manager - WIN32 Apps. Microsoft. https://learn.microsoft.com/en-us/windows/win32/rstmgr/about-restart-managerGoogle Scholar
- Eduardo Berrueta, Daniel Morato, Eduardo Magaña, and Mikel Izal. 2019. A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access 7 (2019), 144925--144944. Google ScholarCross Ref
- Chainalysis Team. 2022. Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity. The Chainalysis 2022 Crypto Crime Report 2022. Chainalysis Inc, New York, NY, USA.Google Scholar
- Catalin Cimpanu. 2020. Conti Ransomware Uses 32 Simultaneous CPU Threads for Blazing-fast Encryption. https://www.zdnet.com/article/conti-ransomware-uses-32-simultaneous-cpu-threads-for-blazing-fast-encryptionGoogle Scholar
- CISA, FPI, and HHS. 2020. Alert (AA20-302A). https://www.cisa.gov/uscert/ncas/alerts/aa20-302aGoogle Scholar
- DarkTracker. 2019. Intelligence Report on Ransomware Gangs on the Darkweb. DarkTracker. https://drive.google.com/file/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3Google Scholar
- Jason Gerend. 2022. Volume Shadow Copy Service. Microsoft. https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-serviceGoogle Scholar
- Andrew Ivanov. 2019. The Digest "Crypto-Ransomware". Blogger. https://id-ransomware.blogspot.com/2019/11/conti-ransomware.htmlGoogle Scholar
- Youngjoon Ki, Eunjin Kim, and Huy Kang Kim. 2015. A Novel Approach to Detect Malware Based on API Call Sequence Analysis. International Journal of Distributed Sensor Networks 11, 6 (2015), 659101. arXiv:https://doi.org/10.1155/2015/659101 Google ScholarCross Ref
- Edward Kost. 2021. What is Ransom ware as a Service (RaaS)? the Dangerous Threat to World Security: Upguard. UpGuard. https://www.upguard.com/blog/what-is-ransomware-as-a-serviceGoogle Scholar
- Nir Kshetri and Jeffrey Voas. 2017. Do Crypto-Currencies Fuel Ransomware? IT Professional 19, 5 (2017), 11--15. Google ScholarDigital Library
- NCC Group. 2021. The Highlights, Trends, and Learnings from 2021's Threat Landscape. Annual Threat Monitor 2021 2021. NCC Group, Austin, TX, USA.Google Scholar
- Kris Oosthoek, Jack Cable, and Georgios Smaragdakis. 2022. A Tale of Two Markets: Investigating the Ransomware Payments Economy. Google ScholarCross Ref
- Proton. 2021. Proton Mail. Proton. https://proton.me/mailGoogle Scholar
- Joshua Saxe and Konstantin Berlin. 2015. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features. In 2015 10th International Conference on Malicious and Unwanted Software (MALWARE). IEEE, Fajardo, PR, USA, 11--20. Google ScholarDigital Library
- Rusydi Umar, Imam Riadi, and Ridho Surya Kusuma. 2021. Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method. IJID (International Journal on Informatics for Development) 10, 1 (Jun. 2021), 53--61. Google ScholarCross Ref
- Reini Urban. 2021. Smhasher/MurmurHash2. GitHub. https://github.com/rurban/smhasher/blob/4db9ed2dc7/MurmurHash2.cppGoogle Scholar
- Steve Whims. 2021. WMIC - WIN32 Apps. Microsoft. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmicGoogle Scholar
- Javier Yuste and Sergio Pastrana. 2021. Avaddon Ransomware: An In-depth Analysis and Decryption of Infected Systems. Computers & Security 109 (2021), 102388. Google ScholarDigital Library
Index Terms
- Conti Ransomware Development Evaluation
Recommendations
A Framework for Supporting Ransomware Detection and Prevention Based on Hybrid Analysis
Computational Science and Its Applications – ICCSA 2021AbstractRansomware is a very effective form of malware, which recently raised a lot of attention since an impressive number of workstations was affected. This malware is able to encrypt the files located in the infected machine and block the access to ...
Sorting Ransomware from Malware Utilizing Machine Learning Methods with Dynamic Analysis
MobiHoc '23: Proceedings of the Twenty-fourth International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile ComputingRansomware attacks have grown significantly in the past dozen years and have disrupted businesses that engage with personal data. In this paper, we discuss the identification of ransomware, malware, and benign software from one another using machine ...
Effectiveness of Android Obfuscation on Evading Anti-malware
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and PrivacyObfuscation techniques have been conventionally used for legitimate applications, including preventing application reverse engineering, tampering and protecting intellectual property. A malware author could also leverage these benign techniques to hide ...
Comments