
Volume 8, Issue 4, April – 2023 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165

Conti Ransomware Practical Study of Static and Dynamic Methodologies

Sarthak Thakur
Amity Institute of Information Technology, AUR, 303002

Abstract:- Ransomware viruses have grown to represent a serious concern over the past few years. Conti is one of these ransomware variants. It encrypts the data on the victim's PC, spreads to other machines on the same network and demands a ransom, so its attacks turn into a serious threat and harm the system. Ransomware families use sophisticated encryption and dissemination techniques that remove all prospects of data recovery. Analysis of ransomware is essential to determine its characteristics, prevent its spread and design appropriate detection and mitigation methods. In this paper, we provide the results of our investigation of the notorious Conti malware. The research presented here looks in particular at the behaviour of Conti when it is detonated in a purpose-built virtual lab environment. We employ several malware analysis tools to perform static and dynamic analysis. The information may be used to develop efficient detection and mitigation tools for Conti and for other ransomware families that exhibit similar behaviour.

I. INTRODUCTION

Ransomware is widely regarded as the primary method for cybercriminals to monetize their activities and as the biggest threat to web users. Ransomware that encrypts files, often known as crypto ransomware, prevents victims from accessing their systems; to unlock the data and restore the machine to its pre-attack state, the victim must pay a ransom. Typically, the ransom is settled in a cryptocurrency, an untraceable and anonymous payment option. Unfortunately, since 2012 the threat posed by this particular type of malware has escalated due to a lack of specialised security solutions.

An emerging trend in the ransomware industry is ransomware as a service (RaaS). As seen in Fig. A, it represents a business structure similar to Software as a Service (SaaS). Thanks to RaaS, anyone can launch a ransomware attack using pre-made ransomware tools. RaaS affiliates make money by taking a portion of each successful ransom. The RaaS ecosystem is used by ransomware variants including Ryuk, Satan, Netwalker, Egregor, and many others [17]. Conti is among the most hazardous Ransomware as a Service programmes.

 History of Conti Ransomware:

In October 2019, the first signs of the distinct Conti ransomware gang surfaced. It wasn't until early 2020 that the gang launched its own website at http://fylszpcqfel7joif.onion. Since then, the CONTI extortion websites https://continews.click and http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion have been used to transfer data from 567 different firms. Only victims whose identities are posted on the extortion website or whose data is exchanged and then erased are included in this total. Additionally, Conti serves the victim data obtained via another covert TOR service.

 The Conti ransomware attacked ExaGrid, a backup storage business, in May 2021. The Conti group sought a $7 million ransom; ExaGrid was able to bargain and ultimately paid $2.6 million [17]. In May 2021, the Conti ransomware also targeted the Health Services Executive (HSE) in Ireland [17] and demanded a $20 million ransom, which Ireland refused to settle [17].
 Conti is the most aggressive and lucrative ransomware, with ransom demands as high as $25 million, according to the FBI. After the invasion of Ukraine, the Conti group declared in February 2022 that it would fully back the Russian government.

The Conti group additionally promised to target key infrastructure for retaliation in the event that cyberattacks were conducted against Russia. Following this announcement, an unidentified person who supported Ukraine disclosed almost 60000 messages from internal Jabber chat logs [17]. The leaker released the stolen files using a recently created Twitter account with the handle @ContiLeaks [17], along with the sources for further internal projects that the Conti group uses to conduct its business. The disclosed files also contain the Conti ransomware's source code.

Fig 1 Victims of the Conti Dark Web by Location
https://arcticwolf.com/resources/blog-uk/conti-ransomware-an-analysis-of-key-findings

IJISRT23APR144 www.ijisrt.com 170


 The Business Model for RaaS:
RaaS owners use various affiliates to compromise victims' networks and encrypt their files. These affiliates are primarily recruited from forums among highly experienced hackers with backgrounds in penetration testing. A person who has a network set up for obtaining access information from other cybercriminals may also become an affiliate. In both cases, RaaS owners request references from well-known online criminals before hiring affiliates.

With the RaaS business model, success for cybercriminals depends on their reputation. The majority of affiliates give the RaaS proprietors a commission of between 10 and 30 percent of each ransom payment they receive. In some circumstances, the operators' fee may also be subtracted automatically from the ransom money. To facilitate affiliate attacks, RaaS owners frequently offer virtual machines, exploitation tools, and other technologies. Each affiliate has access to a management panel through which they can keep track of and contact victims. Typically, an affiliate panel has the following resources:

 A generator of ransomware executables
 A separate ransomware decryption tool
 A platform enabling victims to pay with cryptocurrencies
 Tools and statistics for victim monitoring
 Secure chat for negotiating with victims

Fig 2 Less complexity model of RaaS Business. To find potential victims, RaaS associates employ ransomware that has already been created by the industry. Associates of the RaaS receive a portion of the ransom on every successful assault.

The infamous Conti ransomware has been thoroughly examined in this work. Results of static and dynamic analyses are presented. The strategies described here can be used against additional ransomware families that share traits with Conti. Conti is a complex 2021 ransomware model. The sample used in this investigation can transmit malicious and encrypted data concurrently, has the ability to encrypt data without establishing a connection to a C2 server, propagates swiftly through networks of computers after execution, and encrypts targeted data with the "TIYSV" file extension. These traits make Conti attacks a serious hazard that may propagate throughout computer networks.

 Categories of Ransomware:
A type of malicious program called ransomware encrypts data or locks down the interface in order to prevent users from accessing the machine until the ransom payment is made.

Lockers and cryptors are the two main categories into which ransomware is usually separated.

 Lockers: A less complex kind of ransomware that only locks the user interface of the device, restricting access to applications and data. The user is typically given only a small number of options, such as communicating with the attacker and paying a ransom. Lockers often keep the underlying system and files intact, allowing for a clean removal. Because of this, cryptors, lockers' more damaging relatives, are more successful at extorting ransom payments.
 Cryptors: A more sophisticated kind of ransomware, cryptors encrypt only certain files on the infected machine. Different cryptographic algorithms, including symmetric and public-key based ones, are used by cryptors. Since the encryption keys are kept on a remote command and control (C&C) server, public-key cryptors are particularly challenging to counteract. Cryptors generally provide a deadline for the ransom to be paid, a unique website where users may buy cryptocurrency (such as Bitcoin), and detailed instructions on how to do so. The following processes often make up the life cycle of current ransomware: dissemination, infection, communication, file search, file encryption, and ransom demand.

II. ANALYSIS OF RANSOMWARE

There are common methods for ransomware analysis. Static analysis and dynamic analysis are included in these methods. Static analysis concentrates on examining malware files without running them. In [7], the authors explained how to statically examine an Avaddon ransomware Portable Executable (PE) file using programmes like PeStudio, x64dbg, and BinaryNinja. The extraction of import functions and strings from the PE file is successful. Before running the ransomware, these strings and functions might reveal useful information about the malware's capabilities.

The most current ransomware families frequently use obfuscation approaches to delay the analyst or conceal their data from static analysis tools. Additionally, they may contain an anti-debugging technique to cover up their true behaviour while running in a debugger. The ransomware creator may alter PE files with misleading information to deceive the analyst, which is another drawback of static analysis.


Dynamic analysis, often known as behaviour analysis, is the second form of analysis. In this kind of analysis the ransomware runs in a regulated, segregated setting. The authors of [18] examine the tendencies of more than 20 distinct ransomware samples. They build a sandbox environment to run the ransomware inside a safe environment. They observe that certain ransomware employs a variety of evasion strategies, including anti-detection and anti-virtual-machine technologies. The malware does not start, or acts differently, when it realises it is operating in a virtual environment.

The dynamic link library, API function calls, and assembly levels can all be used to access these behaviour aspects. These attributes are then given to a ransomware validation and detection model made up of machine learning classifiers and Natural Language Processing (NLP) classifiers to assess whether the sample is ransomware or benign.

While dynamic analysis exposes some ransomware, others use obfuscation to conceal their APIs. Even when they are executed, some may not display their true API calls since they can identify virtual environments.

III. CONTI STATIC METHODOLOGIES

We present our conclusions from our static study of Conti in this section. Two virtual machines (VMs) were used for the analysis. The host computer has the following features: a 2.4 GHz Intel Core i7 and 8 GB of RAM. The first virtual machine, running Windows 10, was infected with Conti. REMnux, a free Linux toolset for reverse engineering and malware investigation, was operating on the second virtual machine. The Conti samples were obtained from MalShare.

In Flowchart 1, we have shown the workflow of our practical Static Methodologies.

Flowchart 1 Workflow of Static Methodologies


We analysed the malware sample and found the details listed in Table 1 below.

Table 1 Conti Components

Basic Components
MD5 0c4502d6655264a9aa420274a0ddeaeb
SHA1 b5510bd27327c7278843736aac085e16a508ed99
SHA256 14f9538dd611ca701bdbc6b34a0562e8b18c2492ff323b32557b36673434541a
File Type Win32 EXE

Dynamic-link libraries (DLLs) are present in the malware components, as seen in figure 3, according to analysis with the Pestudio tool. The dynamic link libraries we found are KERNEL32.dll, USER32.dll and WS2_32.dll. The malware calls WS2_32.dll during execution in order to get the host's network configuration information. The libraries KERNEL32.dll and USER32.dll are frequently called by the encryption module, which indicates that these two libraries support the primary Conti encryption functionality.

Fig 3 Dll Libraries

Since Conti uses internal APIs for various operations, we were also able to get useful import information with the aid of the Pestudio tool. This information helps us determine the functionality and capabilities of Conti. Figure 4 below shows the details.

Fig 4 List of API Components


We also extracted the timestamp of the malware (figure 5), because it gives an indication of the compile time of the malware. In this case the malware timestamp is Wednesday, February 03 2021 at 13:43:54.

Fig 5 Malware Timestamps

Now we analyse the File Type Identification. Knowing the file type is crucial since it allows us to determine the target OS and the appropriate architecture. In figure 6 below, with the help of the Pestudio tool, we found valuable information: the first-bytes-hex value is 4D 5A in the first 2 bytes, and the first-bytes-text is MZ. We can also see that the file type is executable and the CPU architecture is 32-bit.

Fig 6 Identification of File Type, Architecture and First-byte hexadecimal values

To cross-check the file type identification we use another static tool named Exeinfo PE. Figure 7 below shows the analysis by the Exeinfo PE tool.


Fig 7 Analysis by Exeinfo PE Tool

A PE (Portable Executable) is a Windows executable file. A PE can take the form of an .exe, .dll, etc. We must examine the file signature in order to recognise the file type and prevent false positives caused by duplicate extensions. Here we also learned that the malware file we are analysing is unpacked.

The file header contains the file signature. The file signature of a PE file is its first two bytes, the hexadecimal values 4D 5A, i.e. MZ (offsets 0-1). The message "This application cannot be run in DOS mode" is also seen in PE programmes. Hex 50 45 (PE) marks the start of the PE header. Keeping all these values in mind we can say that the file is a Portable Executable. Figure 8 below shows the values.

Fig 8 File Signature

Table 2 PE Header
Number of sections 5 {.text, .rdata, .data, .rsrc, .reloc}
Signature PE
Size of Optional Header 0x00E0
Machine IMAGE_FILE_MACHINE_I386
Time date stamp 03-Feb-2021 13:43:54
Pointer to Symbol Table 0x00000000
Number of symbols 0


Figure H shows that the malware file contains a total of 5 sections, i.e. “.text”, “.rdata”, “.data”, “.rsrc” and “.reloc”, and each section has different characteristics. An “x” sign in figure H denotes that the section has that particular characteristic. The “.text” section has the executable characteristic, “.rdata” is marked initialized-data, “.data” has two characteristics, writable and initialized-data, “.rsrc” is marked initialized-data and lastly “.reloc” is marked both initialized-data and uninitialized-data. We also obtained information about various section properties such as raw-address, raw-size, virtual-address and virtual-size. Based on these sections we can confirm that it is a portable executable.
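The checks that Pestudio and Exeinfo PE performed above (MZ at offset 0, PE\0\0 at e_lfanew, the COFF header fields of Table 2 and the section characteristics of figure H) can be reproduced with a short header walker. The following is an added example, not code from the paper: parse_pe() reads only documented PE/COFF structures, and build_sample_pe() constructs a header-only stand-in (no code or data) with the layout reported in Table 2 so the parser can be exercised offline.

```python
"""Minimal PE header walker: file signature, COFF header and section table."""
import struct
from datetime import datetime, timezone

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Validate the MZ/PE signatures and return header fields plus sections."""
    # Bytes 0-1 must be 4D 5A ("MZ"); the DWORD at 0x3C (e_lfanew) locates the PE header.
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bytes 50 45 00 00 ("PE\0\0") mark the start of the PE header.
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, tstamp, symptr, nsyms, optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    if optsize < 2:
        raise ValueError("optional header too small")
    opt_magic = struct.unpack_from("<H", data, coff + 20)[0]  # 0x10B = PE32
    table = coff + 20 + optsize  # section table follows the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, vaddr, rsize, raddr, _rp, _lp, _nr, _nl,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_address": raddr,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
            "initialized_data": bool(flags & IMAGE_SCN_CNT_INITIALIZED_DATA),
            "uninitialized_data": bool(flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        })
    return {
        "machine": machine,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386 and opt_magic == 0x10B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "number_of_sections": nsect,
        "timestamp": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%d-%b-%Y %H:%M:%S"),
        "pointer_to_symbol_table": symptr,
        "number_of_symbols": nsyms,
        "size_of_optional_header": optsize,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE mirroring Table 2 / figure H (an assumption:
    it is not the analysed sample, and carries no code or data)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # 64-byte DOS header
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(e_lfanew - 64, b"\0")
    ts = int(datetime(2021, 2, 3, 13, 43, 54, tzinfo=timezone.utc).timestamp())
    # Machine I386, 5 sections, no symbols, optional header 0xE0, EXE (not DLL) flags.
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 5, ts, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")          # PE32 magic, rest zeroed
    ro = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    layout = [
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", ro),
        (b".data", ro | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", ro),
        (b".reloc", ro | IMAGE_SCN_CNT_UNINITIALIZED_DATA),
    ]
    headers, va = b"", 0x1000
    for name, flags in layout:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                               0x1000, va, 0x200, 0x400, 0, 0, 0, 0, flags)
        va += 0x1000
    return dos + stub + b"PE\0\0" + coff + optional + headers


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key in ("machine", "number_of_sections", "timestamp", "size_of_optional_header"):
        print(key, info[key])
    for s in info["sections"]:
        print(s["name"], "x" if s["executable"] else "-", "w" if s["writable"] else "-")
```

Running parse_pe() on a real sample is as simple as passing open(path, "rb").read(); the sanity checks raise ValueError for non-PE input instead of reading garbage offsets.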

Table 3 Section Function

Name of the Sections Functions
.rsrc Stores Resources {strings, icons}
.reloc Modify another section in the file
.text Executable code
.rdata Stores Data {Read Only}
.data Stores Data {R/W}

Fig 9 Sections Details of Conti

The VirusTotal findings are shown in Figure 10, which demonstrates that the malware sample we are analysing is flagged as a Trojan. Based on this, the subsequent procedure analyses the actual attacks that take place.

Fig 10 Virus Total Result


IV. CONTI DYNAMIC METHODOLOGIES

Dynamic analysis refers to the technique of evaluating and testing a programme by executing it with real-time data. The objective is to find bugs in software while it is being used, as opposed to analysing the code offline. So in this section we have created a sandbox environment, where we detonate the malware sample and observe the behaviour of the malware. For our sandbox we use a Windows 10 OS virtual machine, which is infected by the malware, and REMnux, a free Linux toolset for reverse engineering and malware investigation, operating on the second virtual machine.

In Flowchart 2, we have shown the workflow of our practical Dynamic Methodologies.

Flowchart 2 Workflow of Dynamic Methodologies


Figure 11 shows two random .jpg files that we used for test purposes before the Conti ransomware affected the system. Figure 12 shows the after-effect of the malware, where the same image files have been encrypted with the "TIYSV" extension and we are no longer able to view the images. Figure 13 shows the ransom note, which contains all the details and the URL of the onion site for paying the ransom.

Fig 11 Before detonating the malware

Fig 12 After Detonating The Malware

Fig 13 Ransom Notes of Conti


In the ransom note (figure 13) we found that the first ransom letter instructs victims to visit the websites contirecovery.best and contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion, which provide information on how to get decryption keys from the Conti affiliate attackers. TOR browser installation instructions are also included in the ransom message so that the victim may access the Conti group's covert web service.

At the end of this ransom message there is a distinct victim ID value (readme.txt). It is the string bounded by the delimiters —BEGIN ID— and —END ID—.

On the website for Conti's ransom note recovery service, victims are urged to upload their ransom letter. The website directs the victim to a chat window where they may negotiate with the affiliates once they post a legitimate ransom letter. For businesses, this style of ransom letter format poses a danger of data leaking. The malware itself contains hard-coded victim IDs. This implies that the conversation becomes publicly available once the harmful files are posted to any malware service or the IDs are compromised.

Now, to analyse the network artefacts, we used a process monitoring tool to understand the behaviour of the Conti malware while detonating it. Figure 14 shows that once the malware is detonated it tries to send a SYN packet to port 445; the protocol it uses is TCP and its process ID (PID) is 3036.

Fig 14 Network Traffic Capture

After observing it for some time, when the handshake fails the sample_mal2.exe file infects the system, encrypting files with the .TIYSV extension. Once the malware gets a successful handshake it would create a backdoor for the attacker. Because of the handshake failure the malware automatically encrypts the targeted files and drops a ransom txt file instructing the victim to pay for the decryption key.

Fig 15 Host Based Indicators Processes


In this section we analyse the host-based indicators. We used the Procmon tool to uncover all the operations the malware performs. Figure N shows that process id (PID) 6820 is running sample_mal2.exe, our detonated malware file. After detonation it first performs CreateFile, then QueryStandardInformationFile is generated, then it goes on to ReadFile, and after that it closes the file once the operation is completed. In this way the Conti malware affects all the system's files. In our static analysis we noted the dynamic link libraries KERNEL32.dll, USER32.dll and WS2_32.dll. The malware calls WS2_32.dll during execution in order to get the host's network configuration information, and the other two are used for the encryption routine. On further analysis, figure 16 shows that the .TIYSV extension has been added, and once that is done the process closes. This means the file is encrypted and given the .TIYSV extension.
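The network indicator of figure 14 (SYN to TCP 445) and the host indicators of figures 13 to 16 (readme.txt dropped, files renamed to .TIYSV) can be turned into a simple triage rule over a Procmon export. The block below is an added example, not the paper's tooling: the CSV is constructed to imitate a Procmon export (the PID, process name and paths are invented), and a process is flagged only when at least two independent indicator classes are present, so a benign process that merely writes a file called readme.txt is not reported.

```python
"""Triage of Procmon-style events for the Conti indicators seen in Figs. 13-16."""
import csv
import io
from collections import defaultdict

RANSOM_EXT = ".tiysv"        # extension added to encrypted files (Fig 12, Fig 16)
RANSOM_NOTE = "readme.txt"   # ransom note file name (Fig 13)
SMB_PORT = 445               # destination of the SYN observed in Fig 14

# Constructed Procmon CSV export (not a capture from the paper). Windows paths
# are written with doubled backslashes because this is a Python literal.
SAMPLE_LOG = """\
Time of Day,Process Name,PID,Operation,Path,Result
13:44:01,sample_mal2.exe,6820,TCP Connect,lab-win10:49730 -> 10.0.0.9:445,SUCCESS
13:44:02,sample_mal2.exe,6820,CreateFile,C:\\Users\\lab\\Pictures\\cat.jpg,SUCCESS
13:44:02,sample_mal2.exe,6820,QueryStandardInformationFile,C:\\Users\\lab\\Pictures\\cat.jpg,SUCCESS
13:44:02,sample_mal2.exe,6820,ReadFile,C:\\Users\\lab\\Pictures\\cat.jpg,SUCCESS
13:44:02,sample_mal2.exe,6820,WriteFile,C:\\Users\\lab\\Pictures\\cat.jpg,SUCCESS
13:44:02,sample_mal2.exe,6820,SetRenameInformationFile,C:\\Users\\lab\\Pictures\\cat.jpg.TIYSV,SUCCESS
13:44:02,sample_mal2.exe,6820,CloseFile,C:\\Users\\lab\\Pictures\\cat.jpg.TIYSV,SUCCESS
13:44:03,sample_mal2.exe,6820,CreateFile,C:\\Users\\lab\\Pictures\\dog.jpg,SUCCESS
13:44:03,sample_mal2.exe,6820,ReadFile,C:\\Users\\lab\\Pictures\\dog.jpg,SUCCESS
13:44:03,sample_mal2.exe,6820,WriteFile,C:\\Users\\lab\\Pictures\\dog.jpg,SUCCESS
13:44:03,sample_mal2.exe,6820,SetRenameInformationFile,C:\\Users\\lab\\Pictures\\dog.jpg.TIYSV,SUCCESS
13:44:03,sample_mal2.exe,6820,CloseFile,C:\\Users\\lab\\Pictures\\dog.jpg.TIYSV,SUCCESS
13:44:04,sample_mal2.exe,6820,CreateFile,C:\\Users\\lab\\Pictures\\readme.txt,SUCCESS
13:44:10,explorer.exe,1234,CreateFile,C:\\Users\\lab\\Documents\\notes.txt,SUCCESS
13:44:11,chrome.exe,2222,TCP Connect,lab-win10:49731 -> 142.250.0.1:443,SUCCESS
13:44:12,chrome.exe,2222,CreateFile,C:\\Users\\lab\\Downloads\\readme.txt,SUCCESS
"""


def _dst_port(path):
    """Destination port of a Procmon 'src:port -> dst:port' network path, or None."""
    dst = path.split(" -> ")[-1]
    _host, sep, port = dst.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def collect_indicators(csv_text: str) -> dict:
    """Tally, per PID, the three indicator classes attributed to Conti above."""
    stats = defaultdict(lambda: {"image": "", "tiysv_renames": 0,
                                 "ransom_notes": 0, "smb_connects": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats[int(row["PID"])]
        s["image"] = row["Process Name"]
        op, path = row["Operation"], row["Path"]
        if op == "TCP Connect" and _dst_port(path) == SMB_PORT:
            s["smb_connects"] += 1
        elif op == "SetRenameInformationFile" and path.lower().endswith(RANSOM_EXT):
            s["tiysv_renames"] += 1
        elif op == "CreateFile" and path.lower().endswith(RANSOM_NOTE):
            s["ransom_notes"] += 1
    return dict(stats)


def flag_ransomware(csv_text: str, min_renames: int = 2) -> dict:
    """Return {pid: [reasons]} for processes showing at least two indicator
    classes; a lone readme.txt or a lone port-445 connection is not enough."""
    flagged = {}
    for pid, s in collect_indicators(csv_text).items():
        reasons = []
        if s["tiysv_renames"] >= min_renames:
            reasons.append(f'{s["tiysv_renames"]} files renamed to {RANSOM_EXT.upper()}')
        if s["ransom_notes"]:
            reasons.append(f"{RANSOM_NOTE} dropped")
        if s["smb_connects"]:
            reasons.append(f"outbound TCP {SMB_PORT} (SMB) connection attempt")
        if len(reasons) >= 2:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    stats = collect_indicators(SAMPLE_LOG)
    for pid, why in flag_ransomware(SAMPLE_LOG).items():
        print(pid, stats[pid]["image"], "->", "; ".join(why))
```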

Fig 16 TIYSV extension

Based on this analysis we spotted a suspicious file named directory-hash that had been installed. It is the encryption program file; once installed it encrypts the entire file set and tries to steal some valuable data. Figure 16 shows that the suspicious “directory-hash” file was installed after the malware detonation took place.

Fig 16 Malicious File Name Directory-hash been installed

Figure 17 shows the data that the directory-hash file contains: unknown forms of data, the malicious data of the malware.

Fig 17 Data Containing in the Directory-Hash Folder


V. ENCRYPTION TECHNIQUES OF CONTI

Depending on the size and kind of the data, the Conti ransomware uses one of three possible encryption methods. The smallest file is 4 bytes, the largest is 8950410 bytes (8.53 MB), and the middle file is 1790082 bytes (1.70 MB). Full Encryption, the first encryption method, is intended for data under 1.4 MB [7]. Conti produces a random encryption key during the Full Encryption process. It uses this key to encrypt the entire file's content, and the key itself is protected with a hard-coded RSA public key. The encrypted data is then written back into the file along with the encryption key, the encryption method value (24 for complete encryption), and the original file size.

The second encryption method, Header Encryption, is designed for data between 1.04 MB and 5.24 MB in size [17]. In this mode Conti encrypts only the first 1 MB of the file and writes the encrypted data back to the file. The remaining information, which is not encrypted, the encryption key, the encryption method value (26 for Header Encryption) [17], and the file's original size are all appended after this.

In the third encryption mode, the Conti ransomware divides the file content into ten chunks for non-virtual-machine disk files or seven chunks for virtual machine disk files, which speeds up the encryption process. Each chunk size is equal to (file size / 100 * 10) for ordinary files or (file size / 100 * 7) for virtual machine disk files [17]. Then, until the end of the file, it encrypts the very first chunk, skips the next one, and so forth, encrypting five or three chunks in total.

For every file, Conti produces an encryption key. Each file receives an embedded RSA public key, which is used to encrypt this encryption key. The following information is needed to decrypt the files: the encrypted key, the encryption mode, the original file size, and the RSA private key, which only the Conti group has access to and which is changed for every individual version and attack.

 Report
Based on our static and dynamic malware research, this section presents a general summary of data describing the signature of a Conti ransomware attack in the network. The final outcome of the static analysis, which uncovers the indicator of compromise (IOC) data displayed in Table 3, is as follows.

Table 3 IOC DATA

FILE RESULT
md5 0c4502d6655264a9aa420274a0ddeaeb
sha1 b5510bd27327c7278843736aac085e16a508ed99
sha256 14f9538dd611ca701bdbc6b34a0562e8b18c2492ff323b32557b36673434541a
File Extension TIYSV
Size 196.6 Bytes
Signature Microsoft Visual C++ 8
Library ws2_32.dll, kernel32.dll, user32.dll

Table 3 displays the value of employing IOC data to identify and secure computers from Conti ransomware attacks. The md5, sha1 and sha256 hash values are used in the signature file to represent the IOC data. In Table 4 we showcase the behavioural activities of Conti based on our analysis.

Table 4 Behavioural Activities of Conti

MALICIOUS | SUSPICIOUS | INFORMATIONAL
Creates files | Reads the computer name | Manual execution by user
Dropped file can have ransomware instructions | Checks the languages it supports | Checks Windows Trust Settings
Actions that appear to be data theft | Creates documents in the programme directory | TOR URLs might be found in dropped items
Stealing login information from web browsers | Reads the cookies of the browsers | Checks supported languages
Files in the Chrome extension folder are modified | PowerShell script executed | Dropped object may contain Bitcoin addresses
Creates files in the user directory | |
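The three size-dependent modes of Section V (Full Encryption below 1.4 MB with mode value 24, Header Encryption of the first 1 MB up to 5.24 MB with mode value 26, and the chunked mode with 10 % or 7 % chunks encrypted alternately) can be expressed as a small model of which byte ranges are touched. This is an added illustration, not the paper's code or Conti's: it performs no encryption, and two points are assumptions because the text leaves them open: the overlap between "under 1.4 MB" and "from 1.04 MB" is resolved in favour of Full Encryption, and the chunked mode stops after the five or three chunks the paper reports (alternating seven chunks would otherwise yield four). The plaintext fraction is what a responder would want when triaging partially encrypted large files.

```python
"""Model of the three Conti encryption modes described in Section V."""
MB = 1024 * 1024
FULL_LIMIT = int(1.4 * MB)       # Full Encryption applies below this size
HEADER_LIMIT = int(5.24 * MB)    # Header Encryption applies up to this size
HEADER_BYTES = 1 * MB            # Header Encryption covers the first 1 MB

# Mode values written to the file trailer, as given in Section V. The paper
# states no value for the chunked mode, so it is left as None rather than guessed.
MODE_VALUE = {"full": 24, "header": 26, "chunked": None}

# Chunk size as a percentage of the file, and the number of encrypted chunks
# the paper reports, for ordinary files (False) and virtual machine disk files (True).
CHUNK_PERCENT = {False: 10, True: 7}
ENCRYPTED_CHUNKS = {False: 5, True: 3}


def select_mode(size: int) -> str:
    """Assumption: the 1.04-1.4 MB overlap in the text goes to Full Encryption."""
    if size < FULL_LIMIT:
        return "full"
    if size <= HEADER_LIMIT:
        return "header"
    return "chunked"


def encrypted_ranges(size: int, vm_disk: bool = False) -> list:
    """Return the [start, end) byte ranges the selected mode encrypts."""
    mode = select_mode(size)
    if mode == "full":
        return [(0, size)]
    if mode == "header":
        return [(0, min(HEADER_BYTES, size))]
    chunk = size * CHUNK_PERCENT[vm_disk] // 100   # (file size / 100 * 10) or (* 7)
    ranges, start = [], 0
    # Encrypt one chunk, skip the next, until the end of the file or until the
    # number of chunks the paper reports for this file kind is reached (assumption).
    while start < size and len(ranges) < ENCRYPTED_CHUNKS[vm_disk]:
        ranges.append((start, min(start + chunk, size)))
        start += 2 * chunk
    return ranges


def plaintext_fraction(size: int, vm_disk: bool = False) -> float:
    """Share of the file left untouched; chunked mode leaves most of a large file readable."""
    if size == 0:
        return 1.0
    encrypted = sum(end - start for start, end in encrypted_ranges(size, vm_disk))
    return 1.0 - encrypted / size


def describe(size: int, vm_disk: bool = False) -> dict:
    mode = select_mode(size)
    return {"mode": mode, "mode_value": MODE_VALUE[mode],
            "ranges": encrypted_ranges(size, vm_disk),
            "plaintext_fraction": round(plaintext_fraction(size, vm_disk), 3)}


if __name__ == "__main__":
    # The three sample sizes quoted in Section V: 4, 1790082 and 8950410 bytes.
    for size in (4, 1790082, 8950410):
        print(size, describe(size))
        print(size, "vm disk:", describe(size, vm_disk=True))
```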



Volume 8, Issue 4, April – 2023 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165
VI. RESULTS OF DYNAMIC ANALYSIS Conti ransomware to propagate before beginning an attack.
These phishing attempts target people by delivering emails
A. Defense and Resistance: that contain links to fraudulent websites and BazarLoader
download pages for Microsoft Office or Google Docs. The
 Authenticate using many Factors Conti gang can use this malware's backdoor access to spread
Impose multifactor authentication requirements for the ransomware and further investigate the affected
remote network access from outside sources. computers. Additionally, the phishing emails could include
zip files containing malicious JavaScript scripts to run
 Implement Traffic Filtering And Network Segmentation BazarLoader.

 To stop the spread of ransomware, implement and make The Conti ransomware takes use of new security flaws
sure there is strong network segmentation across where the users failed to patch, even though the bulk of
networks and functions. Establish a demilitarised zone these flaws are patchable, to elevate its privileges and move
to stop unchecked network connectivity. laterally via the victim's network. Some of the well-known
 Filter network traffic to block communications coming flaws that the Conti group exploited in past assaults are
from or going out of known malicious IP addresses. included in the list below:
 Enable strong spam filters to prevent phishing emails
from reaching end users. To prevent consumers from  PrintNightmare:
accessing harmful websites or opening malicious With the help of the Windows Print Spooler service,
attachments, implement a user education campaign. To the attacker [17] may access files with SYSTEM rights
stop emails with executable files from getting to end thanks to the remote code execution flaw known as
users, filter them. PrintNightmare. The attacker has complete user access, so
 To stop users from visiting harmful websites, they may install applications, remove files, and even create
implement a URL block list and/or allow list. new accounts.

 Check for Security Holes and keep your Software up to  Zerologon


Date This flaw affects Netlogon, a Windows Server
function used to verify user identities within a domain. An
 Set up antivirus and antimalware programmes to attacker can launch an application on a network device
periodically check network assets for the newest using the Netlogon Remote Protocol to [17] establish a
signatures. Netlogon secure channel connection to a domain controller
 On network assets, promptly update apps, operating [17].
systems, software, and hardware. Think about
implementing a central patch management system.
 FortiGate
 Apply controls and remove any unused programmes.
The FortiGate SSL VPN from Fortinet has a route
 Remove any programme that isn't thought to be
traversal vulnerability. This flaw enables an unauthenticated
essential for regular business. To facilitate in the
attacker to remotely access device files by sending a
malicious exploitation of a company's enterprise, Threat
carefully constructed request to a Fortigate SSL VPN
actors from the Conti employ lawful tools like remote
endpoint that includes a route traversal sequence.
desktop software and programmes for surveillance and
administration.
Downloadable fixes are available for all of the above-
 Any unapproved software should be looked at, mentioned vulnerabilities. It's crucial to patch systems with
especially any remote desktop or remote monitoring the most recent security patches to stave off ransomware
and management programmes. assaults. The Conti ransomware may encrypt data using the
SMB connection, according to the source code and dynamic
 Employ Endpoint Response and Detecting Tools analysis of the malware. Consequently, limiting network-
wide access to resources can lessen harm; it's also strongly
 Tools for endpoint detection and response provide high advised to disable SMBv1 use and mandate at least SMBv2.
level of visibility towards the endpoint security which Last but not least, avoiding a complete business shutdown in
may successfully thwart hostile cyber actors. the event of an attack requires having a reliable backup
solution.
• Limit Network Resource Access, Particularly by Limiting RDP

• If RDP is determined to be operationally required after a risk assessment, limit the source addresses and require multifactor authentication.

Knowing the strategies that the Conti ransomware uses to propagate allows us to defend our systems from attacks of this nature. Phishing attacks are a common way for the

VII. CONCLUSION

In this study we investigated the Conti ransomware attack on a sandbox machine and were able to obtain a pictorial image of its behavioural signature, based on analysis using the practical methods of static and dynamic malware analysis methodologies with the aid of various tools. This study demonstrates a practical

investigation of the virus and its behavioural activities. Systems that detect network activity from network traffic records should be used with extreme caution. How the virus encrypts files once it infects a system is another important topic of study. Finally, the malware's mitigation measures were discussed. Future research might focus on the creation of online data backup systems as well as detection systems based on network traffic logs or certain internet protocols.

REFERENCES:

[1]. G. O. Ganfure, C. F. Wu, Y. H. Chang, and W. K. Shih, "DeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection," Proc. - 2020 IEEE Int. Conf. Intell. Secur. Informatics, ISI 2020, 2020, DOI: 10.1109/ISI49825.2020.9280508.
[2]. S. Sibi Chakkaravarthy, D. Sangeetha, M. V. Cruz, V. Vaidehi, and B. Raman, "Design of Intrusion Detection Honeypot Using Social Leopard Algorithm to Detect IoT Ransomware Attacks," IEEE Access, vol. 8, pp. 169944–169956, 2020, DOI: 10.1109/access.2020.3023764.
[3]. S. Il Bae, G. Bin Lee, and E. G. Im, "Ransomware detection using machine learning algorithms," Concurr. Comput., no. December 2018, pp. 1–11, 2019, DOI: 10.1002/cpe.5422.
[4]. Filip Truta, "City of Cartersville Admits Paying Ryuk Ransomware Operators $380,000 - Security Boulevard," www.securityboulevard.com, 2020. https://securityboulevard.com/2020/03/city-of-cartersvilleadmits-paying-ryuk-ransomware-operators-380000/ (accessed January 20, 2021).
[5]. Filip Truta, "University of California San Francisco Pays $1 Million to Ransomware Operators after June 1 Attack - Security Boulevard," www.securityboulevard.com, 2020. https://securityboulevard.com/2020/06/university-of-californiasan-francisco-pays-1-million-to-ransomware-operators-after-june1-attack/ (accessed January 20, 2021).
[6]. T. M. Liu, D. Y. Kao, and Y. Y. Chen, "Loocipher ransomware detection using lightweight packet characteristics," Procedia Comput. Sci., vol. 176, pp. 1677–1683, 2020, DOI: 10.1016/j.procs.2020.09.192.
[7]. M. Akbanov, V. G. Vassilakis, I. D. Moscholios, and M. D. Logothetis, "Static and dynamic analysis of WannaCry ransomware," in Proc. IEICE Inform. and Commun. Technol. Forum, ICTF 2018, July 2018.
[8]. A. H. Mohammad, "Ransomware Evolution, Growth and Recommendation for Detection," Mod. Appl. Sci., vol. 14, no. 3, p. 68, 2020, DOI: 10.5539/mas.v14n3p68.
[9]. R. Umar, I. Riadi, and R. S. Kusuma, "Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method," IJID (International Journal on Informatics for Development), vol. 10, no. 1, pp. 53–61, 2021.
[10]. Ferdiansyah, "Analisis Aktivitas Dan Pola Jaringan Terhadap Eternal Blue Dan Wannacry Ransomware," JUSIFO (Jurnal Sist. Informasi), vol. 2, no. 1, pp. 44–59, 2018, [Online]. Available: http://eprints.binadarma.ac.id/3873/1/Ferdiansyah-Analisis Aktivitas dan Pola Jaringan Terhadap Eternal Blue dan Wannacry Ransomware.pdf.
[11]. C. Manzano, C. Meneses, and P. Leger, "An Empirical Comparison of Supervised Algorithms for Ransomware Identification on Network Traffic," Proc. - Int. Conf. Chil. Comput. Sci. Soc. SCCC, vol. 2020-Novem, 2020, DOI: 10.1109/SCCC51225.2020.9281283.
[12]. T. P. Setia, A. P. Aldya, and N. Widiyasono, "Reverse Engineering untuk Analisis Malware Remote Access Trojan," J. Edukasi dan Penelit. Inform., vol. 5, no. 1, p. 40, 2019, DOI: 10.26418/jp.v5i1.28214.
[13]. B. Nunes, M. Mendonca, X. N. Nguyen, K. Obraczka, and T. Turletti, "A survey of software-defined networking: Past, present, future of programmable networks," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1617–1634, Feb. 2014.
[14]. A. Arabo, R. Dijoux, T. Poulain, and G. Chevalier, "Detecting ransomware using process behaviour analysis," Procedia Comput. Sci., vol. 168, no. 2019, pp. 289–296, 2020, DOI: 10.1016/j.procs.2020.02.249.
[15]. E. Berrueta, D. Morato, E. Magana, and M. Izal, "A Survey on Detection Techniques for Cryptographic Ransomware," IEEE Access, vol. 7, pp. 144925–144944, 2019, DOI: 10.1109/ACCESS.2019.2945839.
[16]. N. Hildayanti, "Forensics Analysis of Router On Computer Networks Using Live Forensics Method," Int. J. Cyber-Security Digit. Forensics, vol. 8, no. 1, pp. 74–81, 2019, DOI: 10.17781/p002559.
[17]. S. Alzahrani, Y. Xiao, and W. Sun, "An Analysis of Conti Ransomware Leaked Source Codes," IEEE Access, vol. 10, pp. 100178–100193, 2022.
[18]. K. Cabaj and W. Mazurczyk, "Using software-defined networking for ransomware mitigation: The case of CryptoWall," IEEE Network, vol. 30, no. 6, pp. 14–20, Dec. 2016.
[19]. M. Hikmatyar, Y. Prayudi, and I. Riadi, "Network Forensics Framework Development using Interactive Planning Approach," Int. J. Comput. Appl., vol. 161, no. 10, pp. 41–48, 2017, DOI: 10.5120/ijca2017913352.
[20]. S. R. Davies, R. Macfarlane, and W. J. Buchanan, "Evaluation of live forensic techniques in ransomware attack mitigation," Forensic Sci. Int. Digit. Investig., vol. 33, p. 300979, 2020, DOI: 10.1016/j.fsidi.2020.300979.
[21]. A. Liu, H. Fu, Y. Hong, J. Liu, and Y. Li, "LiveForen: Ensuring Live Forensic Integrity in the Cloud," IEEE Trans. Inf. Forensics Secur., vol. 14, no. 10, pp. 2749–2764, 2019, DOI: 10.1109/TIFS.2019.2898841.

[22]. R. Umar, A. Yudhana, and M. Nur Faiz, "Experimental Analysis of Web Browser Sessions Using Live Forensics Method," Int. J. Electr. Comput. Eng., vol. 8, no. 5, p. 2951, 2018, DOI: 10.11591/ijece.v8i5.pp2951-2958.
[23]. M. KA, Learning Malware Analysis. Birmingham - Mumbai: Packt Publishing Ltd., 2018.
[24]. R. Agrawal, J. W. Stokes, K. Selvaraj, and M. Marinescu, "University of California, Santa Cruz, Santa Cruz, CA 95064 USA Microsoft Corp., One Microsoft Way, Redmond, WA 98052 USA," pp. 3222–3226, 2019.
[25]. S. Sheen and A. Yadav, "Ransomware detection by mining API call usage," 2018 Int. Conf. Adv. Comput. Commun. Informatics, ICACCI 2018, pp. 983–987, 2018, DOI: 10.1109/ICACCI.2018.8554938.
[26]. S. Baek, Y. Jung, A. Mohaisen, S. Lee, and D. Nyang, "SSD-assisted Ransomware Detection and Data Recovery Techniques," IEEE Trans. Comput., vol. X, no. X, pp. 1–1, 2020, DOI: 10.1109/tc.2020.3011214.
[27]. M. Ahmed and H. Saeed, "Malware in Computer Systems: Problems and Solutions," vol. 9, no. 1, pp. 1–8, 2020, DOI: 10.14421/ijid.2020.09101.
[28]. T. Xia, Y. Sun, S. Zhu, Z. Rasheed, and K. Shafique, "Toward a Network-assisted Approach for Effective Ransomware Detection," arXiv, Aug. 2020, [Online]. Available: http://arxiv.org/abs/2008.12428.
[29]. S. Alzahrani, Y. Xiao, and W. Sun, "An Analysis of Conti Ransomware Leaked Source Codes," IEEE Access, vol. 10, pp. 100178–100193, 2022.
[30]. A. O. Almashhadani, M. Kaiiali, S. Sezer, and P. O'Kane, "A Multi-Classifier Network-Based Crypto-Ransomware Detection System: A Case Study of Locky Ransomware," IEEE Access, vol. 7, no. c, pp. 47053–47067, 2019, DOI: 10.1109/ACCESS.2019.2907485.
[31]. S. H. Kok, A. Abdullah, and N. Z. Jhanjhi, "Early detection of crypto-ransomware using pre-encryption detection algorithm," J. King Saud Univ. - Comput. Inf. Sci., no. xxxx, 2020, DOI: 10.1016/j.jksuci.2020.06.012.
[32]. A. Adamov, A. Carlsson, and T. Surmacz, "An analysis of LockerGoga ransomware," 2019 IEEE East-West Des. Test Symp. EWDTS 2019, pp. 1–5, 2019, DOI: 10.1109/EWDTS.2019.8884472.
