
Preventing Conti Ransomware

Conti Ransomware News Site

Conti ransomware, widely discussed as a worthy successor to the notorious Ryuk ransomware, has been very effective at defeating EDR tools and executing its ransomware payload. It is widely believed that Conti is the new Ransomware-as-a-Service (RaaS) used by the Trickbot malware family, which has increasingly been deploying Conti as its ransomware instead of Ryuk. While Ryuk has seen a steady decline since June this year, Conti has been on the rise since July, supporting this hypothesis.

Conti, following in the footsteps of its predecessor, publicly posts news of its victims and the data stolen from them if they do not pay. Stealing data for ransom and public shaming is the new trend in ransomware, as it puts undue pressure on victims to pay, with the fear of regulators and clients hanging over their necks.

Conti has lately been very successful in part due to its surprising capability to bypass endpoint security tools by removing the hooks they set to capture malicious activity. Hooking is a prominent method used by endpoint security tools to observe process behavior and protect the host. More about it here. Conti compares the jmp instruction at the start of each imported DLL function in memory with the function's image on disk. If it finds a discrepancy, it overwrites the hooked version, effectively removing the security tool's API hook.
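Detection logic for the behavior just described, as an added example (not from the original post and not BluArmour's code): it walks constructed endpoint telemetry and flags a process that reads a commonly hooked system DLL from disk, then makes that loaded module's code region writable, then writes into it. The event schema, the field names and the list of watched modules are assumptions made for this example; map them onto your own sensor's fields.

```python
"""Flag the 'unhook by re-reading the DLL from disk' pattern in process telemetry.

Added example, not from the original post or from BluArmour. The event schema
(pid, event, path, module, region, protection) is an assumption for this example.
"""
import json
from collections import defaultdict

# Modules endpoint tools commonly hook; assumed list, extend for your environment.
WATCHED_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}
# Protections that make a code page writable (PAGE_* names from the Windows API).
WRITABLE_CODE = {"PAGE_EXECUTE_READWRITE", "PAGE_READWRITE"}


def _module_name(path):
    """Reduce a Windows path or module reference to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_unhooking(lines):
    """Return {pid: [finding, ...]} for processes whose event stream shows, in order:
    1. a read of a watched DLL from disk (a clean, unhooked copy of the code),
    2. the .text region of that same loaded module being made writable,
    3. a write into that module's .text region.
    Each step must follow the previous one within the same process."""
    state = defaultdict(dict)      # pid -> {module name: stage reached}
    findings = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        pid, kind = ev["pid"], ev["event"]
        if kind == "file_read":
            mod = _module_name(ev["path"])
            if mod in WATCHED_MODULES:
                state[pid][mod] = "read_from_disk"
        elif kind == "mem_protect":
            mod = _module_name(ev["module"])
            if (state[pid].get(mod) == "read_from_disk"
                    and ev["region"] == ".text"
                    and ev["protection"] in WRITABLE_CODE):
                state[pid][mod] = "code_made_writable"
        elif kind == "mem_write":
            mod = _module_name(ev["module"])
            if state[pid].get(mod) == "code_made_writable" and ev["region"] == ".text":
                state[pid][mod] = "flagged"
                findings[pid].append(
                    f"possible API unhooking: {mod} .text overwritten after disk read")
    return dict(findings)


# Constructed telemetry (not real sensor output): pid 4242 shows the full pattern,
# pid 1001 only reads the DLL (e.g. an integrity scanner), pid 2002 writes to its
# own heap, which is ordinary allocator behavior and must not be flagged.
SAMPLE_TELEMETRY = [
    r'{"pid":4242,"event":"file_read","path":"C:\\Windows\\System32\\ntdll.dll"}',
    r'{"pid":1001,"event":"file_read","path":"C:\\Windows\\System32\\ntdll.dll"}',
    r'{"pid":4242,"event":"mem_protect","module":"C:\\Windows\\System32\\ntdll.dll",'
    r'"region":".text","protection":"PAGE_EXECUTE_READWRITE"}',
    r'{"pid":2002,"event":"mem_protect","module":"heap","region":"heap","protection":"PAGE_READWRITE"}',
    r'{"pid":4242,"event":"mem_write","module":"C:\\Windows\\System32\\ntdll.dll","region":".text","bytes":16}',
    r'{"pid":2002,"event":"mem_write","module":"heap","region":"heap","bytes":4096}',
    r'{"pid":4242,"event":"mem_protect","module":"C:\\Windows\\System32\\ntdll.dll",'
    r'"region":".text","protection":"PAGE_EXECUTE_READ"}',
]

if __name__ == "__main__":
    for pid, notes in detect_unhooking(SAMPLE_TELEMETRY).items():
        for note in notes:
            print(f"pid {pid}: {note}")
```

Only the process that performs all three steps against the same module is reported; a plain read of the DLL or a write to non-code memory is not. In a real deployment the same ordering check would be fed from the sensor's file, memory-protection and memory-write events, and can be tightened by comparing the bytes written against the function prologue the security tool installed.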

BluArmour natively protects against such activity and prevents this behavior, stopping the ransomware before it ever executes. This unique process ensures that the endpoint remains protected at all times. We have been pulled into multiple such Incident Response scenarios where Conti executed and popular endpoint protection tools failed to adequately prevent the ransomware from encrypting the victim's network.

BluArmour protects against Conti ransomware unhooking. BluArmour is a behavior-based, very lightweight endpoint agent that tracks process behavior and stops ...

Other BluArmour videos can be accessed here.

Kiran Vangaveti