In recent years, there has been an increase in ransomware attacks worldwide. These attacks aim to lock victims' machines or encrypt their files for ransom. Ransomware families differ in their implementation and techniques: how they spread, which vulnerabilities they leverage, how they hide their behavior from antivirus software, which encryption methods they use, and how they perform. Conti is a sophisticated ransomware family that operates as ransomware-as-a-service. It began operating in 2019, had an unprecedented human impact by targeting healthcare systems, and cost 45 million. This paper analyzes the Conti ransomware source codes leaked on February 27, 2022, by an anonymous individual. We first look at the general code structure. Then, we analyze its flow, starting with its application programming interface (API) disguise techniques, anti-hook mechanisms, and command-line arguments, and finally its multithreaded encryption. We also perform a static and dynamic analysis of the latest known Conti sample in an isolated environment and compare its behavior to the flows in its source code.
Alzahrani, S., Xiao, Y., & Sun, W. (2022). An Analysis of Conti Ransomware Leaked Source Codes. IEEE Access, 10, 100178–100193. https://doi.org/10.1109/ACCESS.2022.3207757