Fappy Ransomware

Conti is human-operated ransomware that was first detected in December 2019 in unrelated attacks. Researchers consider Conti a replacement for the Ryuk crypto-malware. It is notable for advanced capabilities such as fast encryption, anti-analysis and direct execution.

Like other ransomware strains, Conti is multithreaded – it runs 32 concurrent CPU threads for encryption – which makes it fast. It abuses the Windows Restart Manager to close applications that hold locks on files it wants to encrypt. Conti then disables the Windows services responsible for security, backup, database and email solutions so that the files those services hold open can be encrypted. Conti also accepts command-line arguments that direct it to encrypt local hard drives, data and network shares, or even specific IP addresses of the threat actors’ choice.

Once the ransomware takes over, it deletes Windows Shadow Volume copies to prevent recovery of the files on the local system. Conti appends the ‘.CONTI’ extension to encrypted files and leaves a ransom note in each folder. To encrypt the data, it generates an AES-256 key for each file and encrypts that key with a bundled RSA-4096 public key that is unique to each victim.

Conti ransomware has targeted the following industries:

  • Financial & Educational Institutions
  • Private Organizations
  • Government Agencies
  • Healthcare
  • Enterprise Businesses
  • Small-Medium Businesses

Conti is also capable of reaching data on systems that are or have been connected to the compromised machine. It can access remote devices and encrypt the files present on those devices as well.

MITRE ATT&CK Framework

T1204 – User Execution: Malicious Link

The adversary prompts users to click a malicious link, which in turn leads to exploitation of browser or application vulnerabilities. Links that redirect to downloadable malicious files are also used to deploy Conti.

T1486 – Data Encrypted for Impact

The adversary can deny access to the victim’s system by encrypting its data. They attempt to render stored data unusable by encrypting files on local and remote drives and withholding the decryption key.

IOCs/ Hashes

  1. Encrypted Files Extension: [.]Fappy
  2. Ransom Demanding Message: HOW TO DECRYPT FILES.txt
  3. Cyber Criminal Contact: fappism@opentrash.com
  4. MD5: 5e5cf87c2bd6c75b9bd1bf328250bc1e
  5. SHA1: 1e46359929051753bae257cafca9c5410e90f35d
  6. SHA256: 326caf2ef865e7354c7efb26d1f224ecc0176e074d99a734d40f8a0a39056201
  7. SSDEEP: 12288:5ei1y+QPehnIYkuDUreNuEpsOV1n60tct:Ei1XK8DLhubO31c
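
The indicators above can be swept for on a host or file share with a small script like the following. This is an added example, not part of the advisory: it walks a directory tree, flags the ransom note name and the encrypted-file extension, and hashes every file against the MD5, SHA1 and SHA256 values listed above; the directory it scans in `demo()` is a constructed tree of placeholder files, not real victim data.

```python
import hashlib
import os
import tempfile

ENCRYPTED_EXT = ".fappy"            # extension from the IOC list above (matched case-insensitively)
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"
KNOWN_HASHES = {                    # sample hashes quoted from the IOC list above
    "md5": "5e5cf87c2bd6c75b9bd1bf328250bc1e",
    "sha1": "1e46359929051753bae257cafca9c5410e90f35d",
    "sha256": "326caf2ef865e7354c7efb26d1f224ecc0176e074d99a734d40f8a0a39056201",
}

def file_hashes(path):
    """Read the file once in 64 KiB chunks and return md5/sha1/sha256 hex digests."""
    hashers = {name: hashlib.new(name) for name in KNOWN_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def sweep(root):
    """Walk root and return sorted (indicator, path) pairs for every IOC hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings.append(("ransom_note", path))
            if name.lower().endswith(ENCRYPTED_EXT):
                findings.append(("encrypted_file", path))
            digests = file_hashes(path)
            if any(digests[algo] == value for algo, value in KNOWN_HASHES.items()):
                findings.append(("known_sample_hash", path))
    return sorted(findings)

def demo():
    root = tempfile.mkdtemp()       # constructed tree of placeholder files, not real victim data
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name, body in [("report.docx.Fappy", b"\x00" * 32),
                       (RANSOM_NOTE, b"constructed placeholder note"),
                       ("notes.txt", b"benign content")]:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(body)
    return [indicator for indicator, _path in sweep(root)]

if __name__ == "__main__":
    print(demo())  # ['encrypted_file', 'ransom_note']
```

Point `sweep()` at a real mount point for triage; a `known_sample_hash` hit means the file matches one of the listed sample hashes, while the other two indicators only show that encryption activity has already touched that folder.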

Preventive Measures

  1. Do not open suspicious emails.
  2. Use spam filters and antivirus programmes to detect and filter malicious emails.
  3. Enable an endpoint security product or endpoint protection suite.
  4. Keep your software up-to-date.
  5. Back up data on a regular basis and keep archived copies offsite and offline.
  6. Controls on privilege escalation should be strict; grant administrative privileges only to administrators.
  7. Do not install applications from unknown sources.