CONTI ransomware threatens to keep your personal files locked

The sole aim of the CONTI ransomware virus is to restrict the victim's access to their own files and to pressure them into paying a ransom for decryption. The ransom note is very short: it warns the victim not to use third-party tools to decrypt the files and does not state a ransom amount. The attackers name their price once they are contacted by email, and they demand payment in cryptocurrency because it helps keep them anonymous. After encrypting the victim's files, the ransomware deletes the Windows Volume Shadow Copies so that the victim cannot recover data from System Restore points or from the "Previous Versions" feature. It also stops a set of Windows services related to backups, databases and security. To make sure that files which are currently open get encrypted as well, it uses the Windows Restart Manager API to terminate the processes holding them open. Finally, the encryption runs on up to 32 parallel threads, which makes it very fast but puts heavy load on the machine; a sudden spike in disk and CPU usage is one of the few signs a user might notice while it is running.
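The two preparatory behaviours described above, shadow-copy deletion and the stopping of backup, database and security services, are visible in process-creation telemetry (Sysmon event 1 or Security event 4688) long before the first file is renamed, which makes them worth alerting on. The following script is an added example written for this page, not code from the article or from a Conti sample. The command patterns and the service watchlist are assumptions about how those behaviours usually appear in logs, not strings taken from the malware, and the log lines are constructed for the demo.

```python
"""Hunting Conti-style pre-encryption activity in process-creation logs.

Added example, not code from the article or from a Conti sample. It looks
for shadow-copy deletion and the stopping/disabling of backup, database and
security services in Sysmon/4688-like events and raises the severity when one
host shows several of these behaviours. The command patterns and the service
watchlist are assumptions about how such activity usually looks in logs.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample events (timestamp,host,parent_image,image,command_line).
SAMPLE_LOG = """\
2021-08-10T02:14:05Z,FS01,explorer.exe,notepad.exe,notepad.exe C:\\Users\\bob\\notes.txt
2021-08-10T02:15:11Z,FS01,cmd.exe,vssadmin.exe,vssadmin.exe delete shadows /all /quiet
2021-08-10T02:15:12Z,FS01,cmd.exe,net.exe,net stop SQLWriter /y
2021-08-10T02:15:13Z,FS01,cmd.exe,net.exe,net stop wbengine /y
2021-08-10T02:15:14Z,FS01,cmd.exe,sc.exe,sc config VSS start= disabled
2021-08-10T02:16:40Z,WS07,explorer.exe,net.exe,net use Z: \\\\FS01\\share
2021-08-10T02:17:03Z,WS07,svchost.exe,wmic.exe,wmic shadowcopy delete
2021-08-10T02:18:20Z,WS09,services.exe,net.exe,net stop Spooler
"""

# Assumed watchlist: services whose stop/disable matters for backup, database
# and security tooling. Extend it with your own backup agent and EDR names.
SERVICE_WATCHLIST = {"vss", "wbengine", "sqlwriter", "mssqlserver", "windefend"}

# (category, pattern); a capture group, when present, holds the service name.
RULES = (
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("service_disable", re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)),
    ("service_stop", re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)),
)


def classify(command_line):
    """Return the behaviour category for a command line, or None if benign."""
    for category, pattern in RULES:
        match = pattern.search(command_line)
        if not match:
            continue
        # Service rules only count when the target service is on the watchlist;
        # 'net stop Spooler' is routine administration, not ransomware prep.
        if match.groups() and match.group(1).lower() not in SERVICE_WATCHLIST:
            continue
        return category
    return None


def hunt(log_text, min_categories=2):
    """Group suspicious events per host and rate them.

    A host showing at least `min_categories` distinct behaviours is rated
    'high'; a single behaviour is 'medium' and deserves a look, but may be an
    administrator freeing disk space.
    """
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue
        timestamp, host, _parent, _image, command_line = row
        category = classify(command_line)
        if category:
            hits[host].append((timestamp, category, command_line))

    alerts = {}
    for host, events in hits.items():
        categories = sorted({category for _, category, _ in events})
        alerts[host] = {
            "severity": "high" if len(categories) >= min_categories else "medium",
            "categories": categories,
            "events": events,
        }
    return alerts


if __name__ == "__main__":
    for host, alert in hunt(SAMPLE_LOG).items():
        print(host, alert["severity"], alert["categories"])
        for timestamp, category, command_line in alert["events"]:
            print("   ", timestamp, category, command_line)
```

Run against the sample, FS01 is rated high (shadow copies deleted, two watchlisted services stopped, one disabled within seconds) while WS07 only shows a lone wmic shadowcopy delete and is rated medium. The Restart Manager behaviour from the paragraph does not show up in process-creation logs at all, so it is deliberately not part of this detector.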

Possible successor of RYUK ransomware

According to an analysis by Vitali Kremez of SentinelLabs, Conti ransomware is most likely a new version of the RYUK ransomware. The researcher identified several links between the two families:

- Conti's code appears to be based on the second version of Ryuk;
- the ransom note used by Conti closely resembles the one dropped in Ryuk attacks;
- both families are delivered through the TrickBot infrastructure, which points to a shared operator;
- as Ryuk attacks slowly decreased, Conti attacks increased, which suggests a rebranding of the operation.

If you have fallen victim to this ransomware and your files are now encrypted, we strongly recommend that you refrain from paying the ransom. Ideally, restore your files from backups. Before you do so, however, make sure that the CONTI ransomware virus has been removed from the system completely, otherwise the restored files may simply be encrypted again. For this we advise using robust security software that protects the computer in real time, for example INTEGO Antivirus. To repair virus damage to Windows OS files, consider downloading RESTORO.

Ransomware Summary


List of extensions used

The ransomware is controlled and distributed by a criminal gang that tends to change the contact email addresses and the file marker extension from one build to the next. Apart from the original .CONTI marker, every known extension consists of five random uppercase letters appended to the encrypted file's name (for example report.docx becomes report.docx.KSLHB). The currently known extensions are listed below.

.YZXXX, .YFSEK, .WENWZ, .KSLHB, .IUAGT, .EXQED, .JVUAE, .RZQNV, .YTZTG, .MYURQ, .UQWZI, .GFYPK, .HJAWF, .ALNBR, .FMOPQ, .XMEYU, .WHAUN, .AWSAK, .QMIBK, .UWTJF, .TJMBK, .FBSYW, .KCWTT, .PMQHP, .MRBNY, .UBCGP, .SYTCO, .KKBKR, .ITTZN, .CONTI
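Because each build uses its own marker, the first triage question on an affected file share is usually "which extension did this build append, and how much did it touch?". The script below is an added example written for this page, not code from the article: given a recursive listing saved during incident response (for instance the output of dir /s /b), it works out the marker from the two shapes visible in the list above (.CONTI or five uppercase letters), recovers the original file names and counts the damage per top-level folder. The listing is constructed for the demo.

```python
"""Triage of an encrypted file share by marker extension.

Added example, not from the article. The listing is constructed; the regular
expression encodes the two marker shapes seen in the article's extension list
(.CONTI or five random uppercase letters).
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

MARKER_RE = re.compile(r"\.(?:CONTI|[A-Z]{5})$")

# Constructed listing of a share after the attack (not real victim data).
SAMPLE_LISTING = """\
F:\\Finance\\2021\\budget.xlsx.KSLHB
F:\\Finance\\2021\\invoices.pdf.KSLHB
F:\\Finance\\readme.txt
F:\\HR\\contracts\\smith.docx.KSLHB
F:\\HR\\contracts\\jones.docx.KSLHB
F:\\HR\\photo.JPEG
F:\\IT\\notes.ASCII
F:\\IT\\tools\\PSTOOLS\\PsExec.exe
F:\\IT\\scripts\\backup.ps1.KSLHB
"""


def find_marker(paths):
    """Count candidate marker extensions; return (most common one, all counts)."""
    counts = Counter()
    for path in paths:
        match = MARKER_RE.search(path)
        if match:
            counts[match.group(0)] += 1
    if not counts:
        return None, counts
    return counts.most_common(1)[0][0], counts


def triage(listing):
    """Identify the marker, list encrypted files with their original names
    and count hits per top-level folder."""
    paths = [line.strip() for line in listing.splitlines() if line.strip()]
    marker, counts = find_marker(paths)
    encrypted = []
    per_folder = Counter()
    for path in paths:
        if marker is None or not path.endswith(marker):
            continue
        original = path[: -len(marker)]  # strip the marker to get the real name
        encrypted.append((path, original))
        parts = PureWindowsPath(path).parts  # ('F:\\', 'Finance', '2021', 'budget.xlsx.KSLHB')
        per_folder[parts[1] if len(parts) > 1 else parts[0]] += 1
    # Anything else that matched the shape (the lone .ASCII file here) is most
    # likely a legitimate file, but report it so the analyst can confirm.
    ambiguous = {ext: n for ext, n in counts.items() if ext != marker}
    return {
        "marker": marker,
        "encrypted": encrypted,
        "per_folder": dict(per_folder),
        "ambiguous": ambiguous,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print("marker:", report["marker"], "per folder:", report["per_folder"])
    for path, original in report["encrypted"]:
        print(" ", path, "->", original)
    print("needs confirmation:", report["ambiguous"])
```

Picking the most common candidate rather than the first match matters: five-letter uppercase extensions do occur legitimately (a .ASCII file in the sample), and a per-file decision would mislabel them.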

RaaS gone wrong – disgruntled affiliate leaks the gang’s playbooks online

This ransomware is distributed on a Ransomware-as-a-Service basis by a Russian cybercriminal gang (known as Wizard Spider) that allows even poorly skilled affiliates to join in. One such affiliate, who allegedly uses the m1Geelka username on dark web forums, had a financial dispute with the gang (most likely over being underpaid for distribution) and decided to leak the gang's playbook online. The playbook is written mostly in Russian and was recently translated by the Cisco Talos team. According to them, the Conti playbooks are so thorough that even amateur cybercriminals can join the operation and deploy the ransomware successfully.

CONTI virus distribution explained: protect yourself against similar ransomware attacks

Conti ransomware distribution mainly relies on exposed remote desktop protocol (RDP) services, phishing, and vulnerabilities in installed software. In phishing campaigns, the gang has been observed placing legitimate Google Docs URLs in email messages; the email invites the recipient to open the document, which results in the download and execution of the Bazar Trojan, the IcedID Trojan or another backdoor. The gang also uses weaponised Word documents with malicious macros. Since most of this group's attacks are human-operated rather than automated, the later stages rely on weak RDP security, PsExec, and the penetration-testing framework Cobalt Strike. Once the attackers gain access to a target system, they typically dwell for a while before launching the final payload, collecting information about the system and the enterprise infrastructure. The file-encrypting malware is then executed manually on the compromised systems. What is worse, Conti also steals files from the compromised systems before encrypting them, so that the gang can threaten to publish the stolen data on its leak site if the victim refuses to pay. To give you a general idea of how typical ransomware-type threats spread: most of them hide in illegal downloads (software cracks, key generators and similar), in malicious email attachments (typically named as invoices, payment details or similar) or, as mentioned above, behind links in emails. To protect your computer against similar attacks, download software only from the official developer's or distributor's website. Do not rely on shady torrent downloads, as these often come bundled with malicious additions that are later used to break into your computer.
Moreover, be wary of emails you were not expecting and check for red flags such as a spoofed sender address, grammar mistakes, suspicious-looking logos and other details indicating that the email does not come from who it claims to. Treat any Office attachment that asks you to click "Enable Content" or "Enable Editing" as hostile: that prompt is what runs the macro.
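The macro-laden invoice described above can be caught mechanically before a user ever sees the "Enable Content" bar. The script below is an added example written for this page, not code from the article or from any vendor product. It relies on two facts: a modern Office file (.docx, .docm, .xlsx, ...) is a ZIP container, and VBA code is stored in a vbaProject.bin part inside it, so the part's presence reveals macros regardless of the file's name. A macro-bearing file that arrives with a macro-free extension such as .docx is treated as hostile, and legacy OLE2 documents (.doc) are flagged for review because their macros need a dedicated parser. The attachments are constructed in memory for the demo; the quarantine policy function is an assumed example policy.

```python
"""Flagging macro-bearing Office attachments before a user can 'Enable Content'.

Added example, not from the article. Sample attachments are constructed in
memory; the quarantine policy is an assumed example, not a vendor's logic.
"""
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2) header
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm"}


def inspect_office_attachment(filename, data):
    """Return a verdict dict for one attachment (filename plus raw bytes)."""
    ext = os.path.splitext(filename)[1].lower()
    verdict = {"filename": filename, "format": "unknown", "has_macros": False, "flags": []}

    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA lives in OLE streams, which need a dedicated
        # parser (e.g. oletools); route it to manual review instead of guessing.
        verdict["format"] = "ole2"
        verdict["flags"].append("legacy_binary_format_review")
        return verdict

    if data[:2] == b"PK":
        verdict["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as container:
                parts = {name.lower() for name in container.namelist()}
        except zipfile.BadZipFile:
            verdict["flags"].append("corrupt_container")
            return verdict
        verdict["has_macros"] = bool(parts & MACRO_PARTS)
        if verdict["has_macros"]:
            verdict["flags"].append("contains_vba")
            if ext not in MACRO_EXTENSIONS:
                # .docx/.xlsx must never carry VBA; a mismatch is a strong phishing signal.
                verdict["flags"].append("macros_in_non_macro_extension")
    return verdict


def quarantine_decisions(attachments, block_all_macros=False):
    """Map filename -> 'block' or 'deliver' (assumed example policy)."""
    blocking_flags = {"macros_in_non_macro_extension", "legacy_binary_format_review", "corrupt_container"}
    decisions = {}
    for filename, data in attachments.items():
        verdict = inspect_office_attachment(filename, data)
        hostile = bool(set(verdict["flags"]) & blocking_flags)
        if block_all_macros and verdict["has_macros"]:
            hostile = True
        decisions[filename] = "block" if hostile else "deliver"
    return decisions


def _build_ooxml(with_macros):
    """Constructed minimal Word container; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as container:
        container.writestr("[Content_Types].xml", "<Types/>")
        container.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            container.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed attachments, not real phishing samples.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": _build_ooxml(with_macros=False),
    "invoice_2021.docx": _build_ooxml(with_macros=True),
    "payment_details.docm": _build_ooxml(with_macros=True),
    "old_invoice.doc": OLE_MAGIC + b"\x00" * 504,
    "broken.docx": b"PK\x03\x04not really a zip",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, inspect_office_attachment(name, data)["flags"])
    print(quarantine_decisions(SAMPLE_ATTACHMENTS))
```

With the default policy an honestly named .docm with macros is still delivered; most organisations hit by this kind of phishing end up setting block_all_macros=True (or the equivalent Group Policy that blocks macros from the internet) because the invoice lure works just as well with the correct extension.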

Remove CONTI Ransomware Virus and Recover Files

If your computer or your company was hit by this notorious malware variant, we strongly recommend that you take action to remove the CONTI ransomware virus from the system as soon as possible. One way to remove malware of the ransomware category is to use up-to-date antivirus software, such as INTEGO Antivirus, to eradicate the malware remains. Downloading RESTORO might also be a good idea to repair virus damage to Windows OS files. However, in the case of a corporate attack, consult cybersecurity experts to contain the damage to your infrastructure: on a network the encryptor is launched manually only after the attackers have spent time inside it, so cleaning a single machine does not remove their access. Our team recommends a two-step plan: remove the ransomware and any other remaining malware from the computer, then repair the damage the virus caused to the system. Get INTEGO Antivirus for Windows to remove ransomware, Trojans, adware and other spyware and malware and to protect your PC and network drives around the clock. This VB100-certified security software protects against ransomware, zero-day attacks and advanced threats, and Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and the installation of potentially unwanted programs. Use INTEGO Antivirus to remove the detected threats from your computer. RESTORO provides a free scan that identifies hardware, security and stability issues and presents a report that helps you locate and fix the detected issues manually; it is a good PC repair tool to run after you have removed the malware with professional antivirus. The full version fixes the detected issues and repairs virus damage to Windows OS files automatically. RESTORO uses the AVIRA scanning engine to detect existing spyware and malware and removes any that it finds.

Alternative software recommendations

Malwarebytes Anti-Malware

Method 1. Enter Safe Mode with Networking

Before you try to remove the virus, start your computer in Safe Mode with Networking. Step-by-step instructions for Windows XP/Vista/7 and for Windows 8/8.1/10 are given in our in-depth tutorial How to Start Windows in Safe Mode. Once in Safe Mode, you can search for and remove the CONTI Ransomware Virus files. It is very hard to identify the files and registry keys that belong to the ransomware by hand, and malware authors tend to rename and change them repeatedly. Therefore the easiest way to uninstall this type of computer virus is to use a reliable malware removal program. We suggest a combination of INTEGO Antivirus (removes malware and protects your PC in real time) and RESTORO (repairs virus damage to Windows OS files).

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Keep in mind that this ransomware deletes the Volume Shadow Copies as part of its routine, so on most infected systems the restore points will already be gone and this method will not work; treat it as worth a try rather than a reliable recovery path. Follow the instructions for your Windows version (XP/Vista/7 or 8/8.1/10). After restoring the system, we recommend scanning it with antivirus or anti-malware software. In most cases there will be no malware remains, but it never hurts to double-check. In addition, we highly recommend following the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing the Premium version of Malwarebytes Anti-Malware, which provides protection based on artificial intelligence and machine learning and includes ransomware protection.

System Mechanic Ultimate Defense is an all-in-one system maintenance suite with 7 core components: real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure drive wiping. Due to this wide range of capabilities, System Mechanic Ultimate Defense has Geek's Advice approval.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.