Conti Ransomware Development Evaluation

S. Alzahrani, Yang Xiao, S. Asiri
DOI: 10.1145/3564746.3587004 (https://doi.org/10.1145/3564746.3587004)
Published in: Proceedings of the 2023 ACM Southeast Conference
Publication date: 2023-04-12
Citation count: 0

Abstract

The world has been witnessing an increase in malware attacks in recent years, and specifically in ransomware attacks, where attackers lock or encrypt victims' files and demand a ransom to unlock or decrypt the files and restore the device's state. The ransomware dark market has become very profitable, and its cybercriminals make millions of dollars in revenue. One of the most active ransomware operations in recent years is Conti ransomware. It works under a ransomware-as-a-service (RaaS) business model. The first beta version of Conti ransomware was seen in October 2019, its first known attack was reported in July 2020, and it has been operational since then. In this paper, we track the development of Conti ransomware, categorize its samples, and compare their features to understand the success and efficiency that made it top the charts in terms of revenue and the number of attacks. First, we collect many Conti ransomware samples, from its beta version to the latest known release. Then we analyze them in an isolated environment and categorize them into seven versions based on their release date and feature similarities. Finally, for each version, we list its features and the additions, deletions, and/or modifications relative to the previous version, with our reasoning for these changes. This research shows that although Conti started as a beta version with minimal ransomware features, it gradually added new features or modified existing ones through the adoption of continuous development and delivery. For example, API hashing, API run-time loading, and an efficient encryption mechanism are all features that were added over time and did not exist in the earlier releases.