
CONTI Ransomware

Posted: February 10, 2020

The CONTI Ransomware is a file-locking Trojan that blocks access to your PC's files. The Trojan also leaves symptoms such as an extension specific to its name on the encrypted files, changes to the user's Shadow Volume Copies, and text messages with e-mail addresses for negotiating its ransom demands. While the ransom details are unknown, most victims should have a backup for recovery without paying and use anti-malware programs when needed for finding or deleting the CONTI Ransomware.

This Trojan in Progress is a Real Square

Supposedly a Trojan still in progress, but with all the working functions of a full release like the STOP Ransomware, the CONTI Ransomware might be targeting victims administrating Windows servers. It has no apparent relatives, nor an accompanying Ransomware-as-a-Service family, but shows many of the symptoms of similar threats. The CONTI Ransomware also re-emphasizes how the standard backups of a Windows environment are, too often, inadequate for redressing the injuries such Trojans can inflict.

The CONTI Ransomware is circulating with the disguise of 'CUBE.exe,' which might refer to a movie franchise or game, but is more likely a fake component for Microsoft's Exchange 2003 Server. The Trojan's first samples became available for analysis late in 2019, although more are arriving months later. As usual, the modus operandi for the CONTI Ransomware involves encrypting media files and then leaving a text message with ransom demands.

The CONTI Ransomware locks Word DOCs, JPGs, and other media formats with an unknown algorithm, before adding an extension referring to itself to their names. Although the name is a possibly-European surname, the Trojan's communications are in generic English, and malware experts see no propagation models specific to nations such as the UK or Germany. With its attack out of the way, the CONTI Ransomware drops a desktop message that asks victims to contact one of two e-mail addresses to enter the negotiating phase and, presumably, pay for the decryptor that unlocks their files.

Don't Get Trapped in the Shape of a Trojan's Campaign

The CONTI Ransomware makes particularly in-depth attacks against the Shadow Volume Copies, abusing the default Windows command-line utility (CMD) to do so. Although the Trojan, like most file-locker Trojans, deletes the Shadow Volume Copy data, the CONTI Ransomware also performs additional resizing operations on the shadow storage to destroy backup content on most drives more thoroughly. This feature, while silent to the victim, further displays the limitations of Windows default backups, which historically are less effective than remotely-saved alternatives for recovering Trojan-disrupted files.
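As an added illustration (not code from the original post or from any vendor's tooling), the Python snippet below runs a simple detection for the two shadow-copy tampering behaviours just described over constructed process-creation log lines; the log format, host and user names, and the CUBE.exe parent process are assumptions made for the sample.

```python
import re

# Constructed sample of Windows process-creation events (think Sysmon Event ID 1
# or Security 4688 command lines) flattened to one line each. Not real telemetry.
SAMPLE_EVENTS = [
    "2020-02-10T09:12:01 host=FS01 user=admin parent=explorer.exe image=notepad.exe cmd=notepad.exe readme.txt",
    "2020-02-10T09:13:44 host=FS01 user=admin parent=CUBE.exe image=cmd.exe cmd=cmd.exe /c vssadmin delete shadows /all /quiet",
    "2020-02-10T09:13:45 host=FS01 user=admin parent=CUBE.exe image=cmd.exe cmd=cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2020-02-10T09:14:02 host=FS01 user=backupsvc parent=services.exe image=vssadmin.exe cmd=vssadmin list shadows",
]

# Patterns a defender would alert on: outright shadow copy deletion, and shrinking
# the shadow storage limit, which discards snapshots that no longer fit.
SHADOW_TAMPER_PATTERNS = {
    "vss_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize_shadowstorage": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
}

# key=value pairs; a value runs until the next " key=" token or end of line
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one constructed log line into a dict; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect_shadow_tampering(events):
    """Return one alert per event whose command line matches a tamper pattern.

    Read-only commands such as 'vssadmin list shadows' are deliberately not flagged.
    """
    alerts = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for rule, pattern in SHADOW_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append({"rule": rule, "ts": ev["ts"], "host": ev.get("host"),
                               "parent": ev.get("parent"), "cmd": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_tampering(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} [{alert['rule']}] parent={alert['parent']} cmd={alert['cmd']}")
```

In a real deployment the parent-process field is the useful pivot: a backup agent running vssadmin is routine, an unknown executable spawning cmd.exe to do it is not.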

Along with such precautions, administrators also can implement additional ones for keeping infections from occurring or from gaining excessive data access. Limiting admin privileges to as few accounts as possible, using strong passwords, updating software related to server infrastructure, and regularly checking firewall and RDP settings for vulnerabilities all are necessary. Average users also might infect themselves through illicit torrent downloads or other means, such as a Web page-hosted Exploit Kit or a phishing e-mail.

The CONTI Ransomware's ancestry is up for grabs, but most security products should detect this threat through generic heuristics, regardless of its development history. Systems with appropriate anti-malware protection should delete the CONTI Ransomware immediately without ever being vulnerable to the data-locking feature.

Whether the author still is 'developing' the CONTI Ransomware or otherwise, it's a program with the capacity for causing harm and little other than that. Anyone with a Windows computer and files worth sparing will do the right thing and save them somewhere out of this Trojan's grasp.
