New Conti Ransomware Campaign Observed in the Wild
Description
All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it".

As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.

DONT'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value.

DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publich it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediatly.

To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.

You can contact our team directly for further instructions through our website:

TOR VERSION:
(you should download and install TOR browser first hxxps://torproject[.]org)
hxxp://[Removed].onion/

YOU SHOULD BE AWARE
We will speak only with an authorized person. It can be the CEO, top management, etc.
In case you are not such a person - DON'T CONTACT US
Your decisions and action can result in serious harm to your company
Inform your supervisors and stay calm
- Linux/Filecoder_Conti.083E!tr.ransom
- Linux/Filecoder_Conti.0B97!tr.ransom
- Linux/Filecoder_Conti.14E3!tr.ransom
- Linux/Filecoder_Conti.3233!tr.ransom
- Linux/Filecoder_Conti.3691!tr.ransom
- Linux/Filecoder_Conti.3FA2!tr.ransom
- Linux/Filecoder_Conti.5DE1!tr.ransom
- Linux/Filecoder_Conti.638B!tr.ransom
- Linux/Filecoder_Conti.65AB!tr.ransom
- Linux/Filecoder_Conti.919D!tr.ransom
- Linux/Filecoder_Conti.BDC5!tr.ransom
- Linux/Filecoder_Conti.C2F5!tr.ransom
- Linux/Filecoder_Conti.C3D1!tr.ransom
- Linux/Filecoder_Babyk.H!tr
- PossibleThreat
Appendix
Conti Group Targets ESXi Hypervisors With its Linux Variant (Trellix)
IOCs
35ea625eb99697efdeb016192b25c5323ec10b0b33642cd9b2641e058e5e8dc6
8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201
0b188a6915aa7be71b224ef8a43795939bd90a44ba5818c644c1250e2e4c9a87
0780d010b8253a527796a0a078d0b15cf1862b75ecf0005028731c01d67d3f8b
8a07e896dc9273339bc895b2cc200cc856678bf25777c9acb79fb5f7bf7f3461
07174ea58d020596d467951591091435e4ee13f1dbb1dd033938acb1b7da772f
04b74b60222a795326d6e362026ea78602297655a316ff9521d5c0e333c9a005
67b96ba4d6d603ae7dee2882f605dd4e1fe38be1e46d9c8a8097af410fe34aa4
e863b3dcf6b7de76e34fcb990463830bc5810269937c5a32545cc059ab7da089
8b719b94dd3cea0da2f5571c5a7d5f3a05e9be623401174a7e75fbb7a2c0e699
393ccb61c378356a95cd3030a7609b9011f023790a9ac9fbd5ff0ecfce7bf925
cfdbdf019ae71d72e68a41744398ca85c1ab65b22c30e8432ffa165850804c47
13fa3e25f69c4e0c8f79208b8ab227d8a43df72b458b4825190d05697656d907
c7c5086378f1f12dbddb0a3ae88ee401dd7492040bee84498dcb271822b4bb86
daa7ee253e4bb7427dc6ba095d8ab0cba11e380b05f576b1997dfe11dff23e01
eb2b667d226813eafaf89ccab99a8a44a1da44647a0ab69c57b3dc21ead287bb
81f3e7a8ff6605e50e46ae837029a50572bdf0060ecc6a865c6ac910e5633efd
YARA Rule
rule crime_RU_Conti_locker_Sep22 {
    meta:
        Author = "FortiEDR Research Group"
        date = "04/09/22"
    strings:
        $a1 = "\x00_Z13EncryptPartly"
        $a2 = "\x00_Z11EncryptFullP9file_info"
        $a3 = "\x00_Z11EncryptFile"
        $a4 = "\x00_Z16WriteEncryptInfoP9file_info"
        $a5 = "\x00_Z19KillVirtualMachines"
        $a6 = "\x00_Z14GetDecryptNote"
        $a7 = "Cannot create file vm-list.txt\x00"
        $a8 = "http://contirec.poc.onion/-"
        $a9 = "D90IXnZbm2xF5enn2UtGv9yFDoufSvFTAs2524xqqx"
        $a10 = "All of your files are currently encrypted by CONTI strain."
        $a11 = "DON'T TRY TO CONTACT feds or any recovery companies"
        $a12 = "fork() error in GetVMList(). errno = %d\x0A\x00"
        $b1 = "Cannot rename file %s\x0A\x00"
        $b2 = "\x00--world-id=%d\x00"
        $b3 = "\x00Cannot alloc memory\x00"
        $b4 = "\x00Cannot opendir %s errno = %d\x0A\x00"
        $b5 = ".conti\x00"
        $c1 = {89 ?? ?? 8? ?? ?? ?? 01 ?? C? ?? 2E 63 6F 6E ?? C? ?? 04 74 69}
        $c2 = {B? 2F 43 4F 4E 54 49 5F 52 ?? B? 45 41 44 4D 45 2E 74 78}
    condition:
        uint32(0) == 0x464c457f and (
            2 of ($a*) or
            3 of ($b*) or (
                any of ($a*, $b*) and
                any of ($c*)
            )
        )
}
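To make the rule's condition concrete, the following Python script re-implements its evaluation logic over raw bytes: the little-endian uint32(0) check that gates on the ELF magic, the $a/$b text strings copied from the rule above, and the $c hex strings with their "??" full-byte and "8?"/"C?"/"B?" nibble wildcards translated into a bytes regex. This is an added illustration written for this page, not FortiEDR's code and not a substitute for running yara itself; the ELF header and the four test buffers are constructed here and are not samples from the campaign.

```python
import re

# yara's uint32(0) reads the first four bytes as a little-endian integer,
# so the ELF magic 7f 45 4c 46 ("\x7fELF") is compared as 0x464c457f.
ELF_MAGIC = 0x464C457F

# $a and $b text strings from the rule. YARA's "\x00" / "\x0A" escapes are
# literal bytes, so they are written here as bytes literals.
A_STRINGS = [
    b"\x00_Z13EncryptPartly",
    b"\x00_Z11EncryptFullP9file_info",
    b"\x00_Z11EncryptFile",
    b"\x00_Z16WriteEncryptInfoP9file_info",
    b"\x00_Z19KillVirtualMachines",
    b"\x00_Z14GetDecryptNote",
    b"Cannot create file vm-list.txt\x00",
    b"http://contirec.poc.onion/-",
    b"D90IXnZbm2xF5enn2UtGv9yFDoufSvFTAs2524xqqx",
    b"All of your files are currently encrypted by CONTI strain.",
    b"DON'T TRY TO CONTACT feds or any recovery companies",
    b"fork() error in GetVMList(). errno = %d\x0A\x00",
]
B_STRINGS = [
    b"Cannot rename file %s\x0A\x00",
    b"\x00--world-id=%d\x00",
    b"\x00Cannot alloc memory\x00",
    b"\x00Cannot opendir %s errno = %d\x0A\x00",
    b".conti\x00",
]
# $c hex strings from the rule: "??" is a full-byte wildcard, "8?" etc. a nibble wildcard.
C_HEX = [
    "89 ?? ?? 8? ?? ?? ?? 01 ?? C? ?? 2E 63 6F 6E ?? C? ?? 04 74 69",
    "B? 2F 43 4F 4E 54 49 5F 52 ?? B? 45 41 44 4D 45 2E 74 78",
]


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string (with ?? and nibble wildcards) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte (DOTALL below)
        elif "?" not in tok:
            parts.append(b"\\x%02x" % int(tok, 16))  # one fixed byte
        else:
            # A nibble wildcard matches the 16 byte values obtained by
            # substituting 0..f for the '?', e.g. "B?" -> 0xb0..0xbf.
            values = [int(tok.replace("?", "%x" % n), 16) for n in range(16)]
            parts.append(b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)


C_REGEX = [hex_pattern_to_regex(p) for p in C_HEX]


def evaluate(data: bytes) -> dict:
    """Apply the rule's condition to a buffer and return the counts behind the verdict."""
    is_elf = len(data) >= 4 and int.from_bytes(data[:4], "little") == ELF_MAGIC
    a = sum(1 for s in A_STRINGS if s in data)
    b = sum(1 for s in B_STRINGS if s in data)
    c = sum(1 for rx in C_REGEX if rx.search(data))
    # uint32(0) == 0x464c457f and (2 of ($a*) or 3 of ($b*) or (any of ($a*, $b*) and any of ($c*)))
    verdict = is_elf and (a >= 2 or b >= 3 or (a + b >= 1 and c >= 1))
    return {"match": verdict, "elf": is_elf, "a": a, "b": b, "c": c}


# Constructed test buffers (not real samples): a minimal 16-byte ELF e_ident as the header.
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
# Bytes that satisfy $c2: the "/CONTI_R" and "EADME.tx" pieces of the note file name
# used as immediate operands (B8..BF are x86 mov-immediate opcodes); the 00 fills "??".
C2_BYTES = bytes.fromhex("b8 2f 43 4f 4e 54 49 5f 52 00 bf 45 41 44 4d 45 2e 74 78")

SAMPLES = {
    # two $a strings in an ELF: "2 of ($a*)" is met
    "elf_two_a": ELF_HEADER + A_STRINGS[0] + b"\x00" * 8 + A_STRINGS[5],
    # one $b string plus a $c2 hit: "any of ($a*, $b*) and any of ($c*)" is met
    "elf_b_plus_c": ELF_HEADER + B_STRINGS[4] + C2_BYTES,
    # a single $a string and no hex hit: below every threshold
    "elf_one_a": ELF_HEADER + A_STRINGS[2],
    # every string present but no ELF magic: the uint32(0) gate fails
    "not_elf": b"MZ" + b"".join(A_STRINGS + B_STRINGS) + C2_BYTES,
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, evaluate(buf))
```

Two points the counts make visible: the magic check means the rule is scoped to ELF binaries (consistent with the Linux/ESXi variant this alert covers), so the same strings inside a document or a memory dump would not fire it; and the $c branch lets a single leaked string plus a code-level artifact count, which is what keeps the rule useful when a build drops most of the symbol names.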