ENCRYPTION
Conti picks one of three encryption modes for each file. They are defined as follows:
enum ENCRYPT_MODES {
    FULL_ENCRYPT = 0x24,
    PARTLY_ENCRYPT = 0x25,
    HEADER_ENCRYPT = 0x26
};
Let's go through them:
FULL_ENCRYPT:
Database files, and any file smaller than 1 MB, are encrypted in full.
PARTLY_ENCRYPT:
Virtual machine files, and any file larger than 5 MB, are encrypted partly.
HEADER_ENCRYPT:
Files between 1 MB and 5 MB are encrypted in the header method.
DELETE SHADOW COPIES
The routine proceeds in 7 steps:
1- initializing COM: The code defines a function named "DeleteShadowCopies" in a class called "locker" that returns a BOOL. It initializes COM (Component Object Model) by calling "CoInitializeEx" and checks the result. If the call fails, the function returns FALSE.
2- setting general COM security levels: The code then sets the COM security levels by calling "CoInitializeSecurity." If it fails, the function returns FALSE.
3- getting the initial locator to WMI: The code creates an instance of the "IWbemLocator" interface with "CoCreateInstance." This interface is used to connect to WMI (Windows Management Instrumentation). The code then checks the system architecture and, if it detects AMD64, creates an "IWbemContext" instance and sets a specific value for its "__ProviderArchitecture" property (the property a caller uses to select the 32-bit or 64-bit WMI provider).
4- connecting to the server: The code connects to WMI by calling "ConnectServer" on the "IWbemLocator" interface with the path of the "ROOT\CIMV2" namespace. If it fails, the function returns FALSE.
5- setting security levels on the proxy: The code sets the security levels on the proxy by calling "CoSetProxyBlanket." If it fails, the function returns FALSE.
6- enumeration: Using the obtained "IWbemServices" interface, the code retrieves the shadow copies by calling "ExecQuery" with the WQL query "SELECT * FROM Win32_ShadowCopy." If it fails, the function returns 1 (which, for a BOOL, is TRUE, unlike the FALSE returned by the earlier steps).
7- getting the data and doing the cleanup:
first: The code retrieves the query results by calling "Next" on the enumerator interface and reads the "ID" property of each result.
second: For each shadow copy ID, the code builds a command line that deletes that shadow copy through "cmd.exe" and the "wmic" command, then executes it by calling "CmdExecW."
third: After executing the command, the code releases the resources and continues the loop until no query results remain.
using WMI to delete shadows
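The following is an added example for this section, not code from the Conti source: it reproduces steps 4, 6 and 7 from an analyst's console (same ROOT\CIMV2 namespace, same Win32_ShadowCopy class) and returns the per-ID command lines instead of running them, then flags such command lines in process-creation telemetry. The exact shape of the spawned command line (cmd.exe /c wmic shadowcopy where "ID='...'" delete) is an assumption of this example, as is the detection regex; the sample log lines are constructed.

```powershell
# Added example, not the locker's code. Assumes the spawned command line has the
# form: cmd.exe /c wmic shadowcopy where "ID='{GUID}'" delete (one child per ID).

function Get-ShadowCopyDeleteCommands {
    # PowerShell side of IWbemServices::ExecQuery against ROOT\CIMV2 with the
    # same WQL text as the locker. Needs an elevated console.
    $copies = Get-CimInstance -Namespace 'ROOT\CIMV2' -Query 'SELECT * FROM Win32_ShadowCopy'
    foreach ($copy in $copies) {
        # Step 7: read the ID property and build one command line per shadow copy.
        # This returns the string; it does not execute anything.
        [pscustomobject]@{
            ID          = $copy.ID
            Volume      = $copy.VolumeName
            InstallDate = $copy.InstallDate
            CommandLine = "cmd.exe /c wmic shadowcopy where `"ID='$($copy.ID)'`" delete"
        }
    }
}

function Test-ShadowCopyDeletion {
    # Detection side: flag process-creation command lines (Sysmon event 1,
    # Security 4688) that invoke wmic to delete a shadow copy. The pattern is
    # this example's assumption; tune it to your telemetry.
    param([Parameter(ValueFromPipeline)][string]$CommandLine)
    process {
        $isMatch = $CommandLine -match '(?i)\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b'
        [pscustomobject]@{ Suspicious = $isMatch; CommandLine = $CommandLine }
    }
}

# Constructed sample command lines (not real logs) for the detection function.
# The first two should be flagged; the last two should not.
$sample = @(
    'cmd.exe /c wmic shadowcopy where "ID=''{6F0A8B41-1B6D-4A20-9F7C-3D2E1C0B9A88}''" delete',
    'wmic.exe shadowcopy delete',
    'wmic.exe path Win32_ShadowCopy get ID',
    'notepad.exe C:\Users\Public\readme.txt'
)
$sample | Test-ShadowCopyDeletion | Format-Table -AutoSize

# Live enumeration of what the locker's loop would target on this host:
Get-ShadowCopyDeleteCommands | Format-Table -AutoSize
```

The enumeration function is read-only, so it is safe to run on a live host to see exactly which IDs the locker's loop would have handed to cmd.exe. The regex requires word-bounded "shadowcopy" and "delete", so a plain Win32_ShadowCopy query (third sample) is not flagged.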
KILL FILE OWNER BEFORE ENCRYPTION
The code defines a function named "KillFileOwner" that takes one parameter, "PathName" of type LPCWSTR, and returns a BOOL.
It first checks whether the Restart Manager is loaded by calling "IsRestartManagerLoaded" from the "api" namespace (its body is not shown in the snippet). If it is not loaded, a log entry is written and the function returns FALSE.
If the Restart Manager is loaded, the code initializes a few variables and opens a Restart Manager session by calling "RmStartSession," which returns a session handle and a session key.
If the session is started successfully, the code registers a resource (here, the file) with the session by calling "RmRegisterResources." It passes the session handle, the path of the file to register, and the remaining RmRegisterResources arguments (the application and service lists).
DIRECTORY BLACKLIST
Note that the last two entries are the locker's own ransom log and readme files.