Conti Ransomware source code: a well-designed COTS ransomware 

Introduction 

Since 27 February 2022, a few days after the apparition of the Conti’s gang support to the Russian invasion of the Ukrainian national territory, a new mysterious Twitter account appeared, “@ContiLeaks”. Nobody knows for sure who operates it, maybe a reluctant Conti gang member, some foreign intelligence, or police officer, but does not matter too much: it began dumping out internal data, conversations, source code, and transcripts of years of criminal operation by Conti gang members. 

For both the cyber intelligence community and the cybercrime operators it was like a hearth quake, a deep compromise like this for an established criminal organization is a heavy hit, probably a hard punch in the face for the entire criminal gang, including affiliates, now facing the serious risk to be caught by upcoming law enforcement.  

The disclosed material was so impressive that Conti, one of the most dangerous ransomware gangs that breached over 200 companies according to doubleextortion.com data, was forced to wipe their server. Across all the leaked material, there was also the Conti ransomware encryptor source code. 

We obtain a copy of such code and analyze it to figure out how this world-class ransomware threat code and prepare their cyber arsenal, with the objective to identify patterns in their operating model that may be useful for defenders to fight back Conti, and the other ransomware actors operating likewise: this organized criminal group heavily rely on malicious codebase leaked in the past, such as the Carberp malware source code leaked back in 2013, in the past also used as the foundation for the Carbanak backdoor. 

Technical Analysis 

The API Hashing 

Inside the main function the method “api::InitializeApiModule” is the first one executed, the sample loads the library “Kernel32.dll” and the API function “LoadLibraryA” by using the API camouflage technique through hashing them. In particular, the malware writers leveraged the MurmurHash2A algorithm, a well-known extremely fast, non-cryptographic hash suitable for general hash-based lookup. The implementation of the library has been pulled from an open-source library publicly available on the GitHub platform. 

That library is necessary to perform the so-called “Runtime Linking” method. In this way, the code is capable of loading other libraries used to complete its malicious behavior. In this way. It is possible to load all the other libraries and functions at runtime. This malicious behavior is delegated to “api.c” and “api.h” source files. However, studying the pieces of codes, a great compatibility emerges when we compared the code of the “GetApi” function of the “Carberp” botnet, which was leaked in 2013 and publicly available on Github platform. This is not the only proof, in fact, that library has been entirely copied inside the project in order to get example from the implementation of the module developed by FIN7/Carbanak gang.  

AntiHook Tricks 

The second call is again in the api module the “api::DisableHooks” makes the debugging session harder for the analyst, in this function the sample loads the following libraries: Kernel32.dll, ws2_32.dll, Advapi32.dll, ntdll.dll, Rstrtmgr.dll, Ole32.dll, OleAut32.dll, Netapi32.dll, Iphlpapi.dll, Shlwapi.dll, Shell32.dll, and for each successfully loaded library, the sample calls “antihooks::removeHooks”. 

The “removeHooks” function works in this way; GetModuleFileNameW will retrieve the path of the passed module, the path will be used to create a handle using “CreateFile”, the file is then used by “CreateFileMapping” and “MapViewOfFile”. In short, the library is mapped again in another memory section, in such a way your breakpoints will not work. 

To determine if the library function has been hooked by security programs, Conti locker directly compares the currently loaded function with the original files. In fact, once the original .dll files are mapped into the process memory, it checks the first two bytes only. Obviously, this detection approach does not cover all the hooking techniques but is enough to trick many antiviruses and unsophisticated automated malware analysis sandboxes. 

Mutex and Command Line Parsing 

Once done, it creates a mutex with the hardcoded name “kjsidugidf99439”. This plaintext string is obfuscated during the compilation through the application of the “OBFA” macro which stores it in the executable in an encrypted format. 

Figure 6: Defining Mutex 

Also, the Conti source code shows debugging directives unveiling an example of the parameters handled by the locker. In particular, the default arguments pre-configured in the debug version of the compiled locker are “C:\\1.exe -prockiller enabled -pids 322”. Such parameters, and many other, are then processed within the routine “HandleCommandLine” where we noticed more other supported options: 

The multi-threaded encryption 

After parsing the arguments, the sample proceeds to the encryption depending on the encryption mode  

The encryption modes provided by the malware are four. Each of them has an unique identificatory globally defined inside an Enum Structure. So, when the command line is parsed, there is a different routine to encrypt.  

The methods are: 

• ALL_ENCRYPT (code 10): encrypt both local and network files 
• LOCAL_ENCRYPT (code 11): encrypt only the files on the local machines 
• NETWORK_ECNRYPT (code 12): encrypt only files inside the networks through SMB protocols 
• BACKUPS_ENCRYPT (code 13): encrypt backups  

Once established the encryption method, the control passes to the “threadpool” class, having the main purpose to manage the encryption phase in the best way, by instantiating the adequate number of threads basing on the architecture. The function “pGetNativeSysInfo” provides the numbers of processors of the target system and then all the info is passed to the “threadpool” module. 

Once the multithreading process is configured, the control flow passes to the “locker” module. For each file, the method “locker::GenKey” generates the Key and the Initial Vector (IV) for the ChaCha20 algorithm, a variant of the Salsa20 encryption algorithm. In detail, the malware writers pulled another publicly available implementation and stored inside the package named “chacha20”.  

Now, the malware writers need to protect the keys, so they use the RSA algorithm to encrypt them:  

The generated ChaChaKey and ChaChaIV are then copied in the field “EncryptedKey” of the FileInfo Structure, as shown in the above figure. Then, “FileInfo->EncryptedKey” is encrypted with the RSA Public Key and it will be used in the function “locker::WriteEncryptInfo” to write the encrypted buffer inside the file. Finally, The cleartext IV and Key of the Chacha algorithm are erased thanks to “locker::CloseFile” function and “RtlSecureZeroMemory” API. 

The encryption may vary depending on the size or extension of the file, for the following extensions: 

• .4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn, .mdt 

The encryption mode will be always “FULL_ENCRYPT”, meanwhile for these: 

• .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso 

Will be “PARTLY_ENCRYPT” (50%). 

If the size of the file is less or equal to 1048576 bytes, it will be fully encrypted, else if is less or equal to 5242880 only the 1048576 bytes will be encrypted, else a partial encryption (50%) will be performed. 

After the completion of the encryption, also the extension is replaced with “.EXTEN”, which is statically defined inside the code, and in each moment can be modified. 

Network Propagation 

When the encryption mode is “ALL_ENCRYPT” or “NETWORK_ENCRYPT”, the sample retrieves information about shared resources calling the method “network_scanner::EnumShares” 

 By using “NetShareEnum” from the native WinAPI, it starts looking for shared resources having the following types: 

• STYPE_DISKTREE 
• STYPE_SPECIAL 
• STYPE_TEMPORARY 

Then the code compares the “shi1_netname” from the “SHARE_INFO_1” structure with the string “ADMIN$”, if equal proceeds building this string: “\\\\” + “.” (servername is NULL, so the local computer is used) + “\\” + “{shi1_netname}”. 

 Once the shared resources are found, the Conti Ransomware calls “network_scanner::StartScan” and tries to obtain the function pointer to “ConnectEx”, this is done by making a call to the WSAIoctl function with the SIO_GET_EXTENSION_FUNCTION_POINTER opcode specified. 

The String Obfuscation 

One of the most common properties of every malware, and even in this one, is the obfuscation of the sensitive strings of the malware configs. In this case, that capability is done by using two different macros, “OBFA” for the ASCII strings and “OBFW” for the UNICODE ones.  

The macro works by using the Extended Euclidean Algorithm, you can find an example of decryption using Python here 

 Conclusion 

The “@ContiLeaks” event represents a turning point in cybercrime ecosystem, from this case, we expect many changes in the way cybercriminal organizations operate. From one side, less mature gangs might use the new material, techniques and tools leaked by the Conti’s insider, increasing their dangerousness and maturity of operation, instead, the already mature gangs will learn from Conti’s mistakes and take advantage, grow in number, and acquire new affiliates. 

The ransomware source code we analyzed in this report is an extraordinary example of the digital weapons part of modern criminal cyber arsenals, dissecting and intimately understand it is a huge advantage that cyber defenders need to exploit to protect companies and organization from the upcoming evolution of the cybercriminal environments, nowadays intersected even with geo-political interests and warfare. 

Appendix 

This blog post was authored by Luigi Martire, Carmelo Ragusa, and Luca Mella of Yoroi Malware ZLAB