The latest ransomware on the block, dubbed Conti, takes advantage of the Windows Restart Manager to shut down applications that are holding files open, so it can encrypt data that would otherwise be locked. It also has anti-analysis capabilities and uses Windows API calls to stay hidden during execution.
Conti does not target data on network shares by default; its behavior is driven by command line arguments. It goes on to lock out recovery on the local system. Conti encrypts every file it can reach, except those ending in the following extensions:
It then appends .CONTI to every encrypted file. It also gathers information from the compromised machine and attempts to gain remote access to the devices connected to it.
This particular ransomware is a concern because it can execute without any interaction from its operators, so the attack can go unseen for weeks. That differs from the majority of ransomware attacks, where systems show signs of compromise all at once.
SpearTip recommends creating detection rules around Windows API calls, specifically those of the Windows Restart Manager.
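Detection rules of that kind need something concrete to key on. The example below is added here and is not SpearTip's tooling or any code from the ransomware itself: a small static-triage scanner in Python that walks a PE file's import table and reports whether the binary imports the Windows Restart Manager (rstrtmgr.dll) and, in particular, RmShutdown, the call that terminates the processes holding a file open. The DLL and function names are the real rstrtmgr.dll exports; the `build_sample_pe` helper constructs a minimal synthetic PE (an import table and nothing else) so the scanner can be exercised offline on a constructed sample rather than a real binary.

```python
import struct

# Exports of rstrtmgr.dll (Windows Restart Manager); RmShutdown terminates file owners.
RESTART_MANAGER_APIS = {"RmStartSession", "RmRegisterResources",
                        "RmGetList", "RmShutdown", "RmEndSession"}


def parse_imports(data: bytes) -> dict:
    """Walk the PE import directory and return {dll_name: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directories start at offset 96 (PE32) / 112 (PE32+); import table is entry 1.
    dd = opt + (112 if pe32plus else 96)
    if struct.unpack_from("<I", data, dd - 4)[0] < 2:  # NumberOfRvaAndSizes
        return {}
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]
    if imp_rva == 0:
        return {}
    sections = []  # (VirtualAddress, size, PointerToRawData) for RVA translation
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off):
        return data[off:data.index(b"\x00", off)].decode("ascii", "replace")

    ptr, fmt = (8, "<Q") if pe32plus else (4, "<I")
    ordinal_flag = 1 << (ptr * 8 - 1)
    imports, desc = {}, rva2off(imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each), zero-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs, thunk = [], rva2off(oft or ft)
        while True:  # thunk array: hint/name RVAs or ordinals, zero-terminated
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"#{entry & 0xFFFF}")
            else:  # +2 skips the hint word that precedes the ASCII name
                funcs.append(cstr(rva2off(entry & 0x7FFFFFFF) + 2))
            thunk += ptr
        imports[cstr(rva2off(name_rva)).lower()] = funcs
        desc += 20
    return imports


def restart_manager_findings(data: bytes) -> dict:
    """Triage verdict: imports Restart Manager at all, and can it shut down file owners?"""
    rm = parse_imports(data).get("rstrtmgr.dll", [])
    hits = sorted(set(rm) & RESTART_MANAGER_APIS)
    return {"uses_restart_manager": bool(rm),
            "shutdown_capable": "RmShutdown" in hits, "apis": hits}


def build_sample_pe(imports: dict, pe32plus: bool = False) -> bytes:
    """Constructed sample: a minimal one-section PE holding only an import table."""
    sec_rva, sec_off = 0x1000, 0x200
    ptr, fmt = (8, "<Q") if pe32plus else (4, "<I")
    body = bytearray(20 * (len(imports) + 1))  # descriptors + null terminator
    descs = []
    for dll, funcs in imports.items():
        ilt_rva = sec_rva + len(body)
        body += bytes(ptr * (len(funcs) + 1))  # thunk slots + null terminator
        for i, f in enumerate(funcs):  # hint word, name, NUL, padded to even length
            struct.pack_into(fmt, body, ilt_rva - sec_rva + i * ptr, sec_rva + len(body))
            body += struct.pack("<H", 0) + f.encode() + bytes(2 - len(f) % 2)
        dll_rva = sec_rva + len(body)
        body += dll.encode() + b"\x00"
        descs.append((ilt_rva, dll_rva))
    for i, (ilt_rva, dll_rva) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, ilt_rva, 0, 0, dll_rva, ilt_rva)
    opt_size, dd = (240, 112) if pe32plus else (224, 96)
    hdr = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                        1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<I", opt, dd - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + 8, sec_rva, 20 * (len(imports) + 1))  # import dir
    hdr += opt + struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva,
                             len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + bytes(sec_off - len(hdr)) + body)


if __name__ == "__main__":
    sample = build_sample_pe({"kernel32.dll": ["CreateFileW", "WriteFile"],
                              "rstrtmgr.dll": ["RmStartSession", "RmGetList", "RmShutdown"]})
    print(restart_manager_findings(sample))
```

Restart Manager is also used by legitimate software such as installers, so a hit is a triage signal to combine with other indicators (unsigned binary, unusual install path, the file-renaming behaviour described above), not a verdict on its own. Packed samples resolve these APIs at runtime and will show an empty or misleading import table, which is why the static check belongs alongside API-call monitoring rather than in place of it.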
Partner with a cybersecurity firm that monitors your environment around the clock to prevent an attack from occurring. SpearTip's ShadowSpear® Platform's capabilities stop intrusions and business disruption.