Conti Ransomware: Behavior and Techniques

Introduction

• T1082 - System Information Discovery

* Call to IsDebuggerPresent WIN API*

BeingDebugged flag (offset 0x2) inspection

• T1497 - Virtualization/Sandbox Evasion

• T1027 - Obfuscated Files or Information

• T1543 - Create or Modify System Process

• T1490 - Inhibit System Recovery

• T1486 - Data Encrypted for Impact

The Microsoft Windows native CRYPTSP API is used to generate a different encryption key per file, with an RSA-4096 public encryption key unique for each victim. The ".mabdg" file extension is added to the encrypted files. In each traversed directory, the malware writes the ransom note named ‘readme.txt’ shown below.

Conclusion

Related Content

Related Posts