Threat Signal Report

New Conti Ransomware Campaign Observed in the Wild

Description

FortiGuard Labs has observed a new wave of ransomware threats belonging to the Conti malware family, active in Mexico. These variants appear to target the latest Linux and ESX systems and enable the attacker to encrypt files on the victim's machine and guest virtual machines. The variants are all dynamically linked 64-bit ELF samples written in C.

A similar sample to the ones in this campaign was documented previously by Trellix.

Why is this Significant?
This is significant because the newly observed campaign was launched by the Conti ransomware group, which is known for holding the encrypted files and stolen information of countless companies across many sectors hostage for profit. The group announced that it plans to retaliate against Western targets after the Russian invasion of Ukraine, adding a political motivation on top of financial gain.

This new campaign appears similar to the previous ones; however, some of the samples involved had much lower detection rates at the time of writing.

What Does the Malware Do?
The Conti ransomware variants used in the new campaign perform the same activities as the previous ones: after the threat actor has exfiltrated information from the victim's network, the malware encrypts files on the compromised machine and appends a ".conti" extension to them. It then demands a ransom payment from the victim to recover the affected files and to prevent the stolen information from being released to the public.

It leaves a ransom note that reads:

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it".

As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.

DONT'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value.

DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publich it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

DON'T TRY TO CONTACT feds or any recovery companies.
We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediatly.

To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.

You can contact our team directly for further instructions through our website :
(you should download and install TOR browser first hxxps://torproject[.]org)

We will speak only with an authorized person. It can be the CEO, top management, etc.
In case you are not such a person - DON'T CONTACT US
Your decisions and action can result in serious harm to your company
Inform your supervisors and stay calm

The malware can also be run on ESX environments and has the ability to shut down and encrypt the associated virtual machines.

The malware has a detailed help dialog (command-line usage text), which is another indication that the Conti group consists of many people.

What is the Status of Coverage?
FortiGuard Labs provides the following AV signatures for the Conti ransomware samples observed in the new campaign:

  • Linux/Filecoder_Conti.083E!tr.ransom
  • Linux/Filecoder_Conti.0B97!tr.ransom
  • Linux/Filecoder_Conti.14E3!tr.ransom
  • Linux/Filecoder_Conti.3233!tr.ransom
  • Linux/Filecoder_Conti.3691!tr.ransom
  • Linux/Filecoder_Conti.3FA2!tr.ransom
  • Linux/Filecoder_Conti.5DE1!tr.ransom
  • Linux/Filecoder_Conti.638B!tr.ransom
  • Linux/Filecoder_Conti.65AB!tr.ransom
  • Linux/Filecoder_Conti.919D!tr.ransom
  • Linux/Filecoder_Conti.BDC5!tr.ransom
  • Linux/Filecoder_Conti.C2F5!tr.ransom
  • Linux/Filecoder_Conti.C3D1!tr.ransom
  • Linux/Filecoder_Babyk.H!tr
  • PossibleThreat

FortiEDR blocks the Conti samples pre-execution.


Conti Group Targets ESXi Hypervisors With its Linux Variant (Trellix)

rule crime_RU_Conti_locker_Sep22 {
    meta:
        Author = "FortiEDR Research Group"

    strings:
        // Mangled symbol names of the locker's encryption and VM-handling routines
        $a1 = "\x00_Z13EncryptPartly"
        $a2 = "\x00_Z11EncryptFullP9file_info"
        $a3 = "\x00_Z11EncryptFile"
        $a4 = "\x00_Z16WriteEncryptInfoP9file_info"
        $a5 = "\x00_Z19KillVirtualMachines"
        $a6 = "\x00_Z14GetDecryptNote"
        $a7 = "Cannot create file vm-list.txt\x00"
        $a8 = "http://contirec.poc.onion/-"
        $a9 = "D90IXnZbm2xF5enn2UtGv9yFDoufSvFTAs2524xqqx"
        $a10 = "All of your files are currently encrypted by CONTI strain."
        $a11 = "DON'T TRY TO CONTACT feds or any recovery companies"
        $a12 = "fork() error in GetVMList(). errno = %d\x0A\x00"

        // Generic error strings and the appended extension
        $b1 = "Cannot rename file %s\x0A\x00"
        $b2 = "\x00--world-id=%d\x00"
        $b3 = "\x00Cannot alloc memory\x00"
        $b4 = "\x00Cannot opendir %s errno = %d\x0A\x00"
        $b5 = ".conti\x00"

        // Code patterns: immediates spelling ".con"/"ti" and "/CONTI_R"/"EADME.tx"
        $c1 = {89 ?? ?? 8? ?? ?? ?? 01 ?? C? ?? 2E 63 6F 6E ?? C? ?? 04 74 69}
        $c2 = {B? 2F 43 4F 4E 54 49 5F 52 ?? B? 45 41 44 4D 45 2E 74 78}

    condition:
        // 0x464c457f read little-endian is the ELF magic 7f 45 4c 46
        uint32(0) == 0x464c457f and (
            2 of ($a*) or
            3 of ($b*) or (
                any of ($a*, $b*) and
                any of ($c*)
            )
        )
}
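As an added illustration (not code from the report or from FortiEDR), this Python re-implements the rule's condition over a raw byte buffer: the little-endian ELF-magic test, the two plain-string sets, and the nibble-wildcard hex strings, evaluated against constructed buffers rather than real samples.

```python
import re
import struct

# Indicator strings copied from the report's rule: a subset of $a*, all $b*, both $c*.
A_STRINGS = [b"\x00_Z13EncryptPartly", b"\x00_Z11EncryptFullP9file_info",
             b"\x00_Z11EncryptFile", b"\x00_Z19KillVirtualMachines",
             b"Cannot create file vm-list.txt\x00",
             b"All of your files are currently encrypted by CONTI strain."]
B_STRINGS = [b"Cannot rename file %s\x0A\x00", b"\x00--world-id=%d\x00",
             b"\x00Cannot alloc memory\x00", b"\x00Cannot opendir %s errno = %d\x0A\x00",
             b".conti\x00"]
C_HEX = ["89 ?? ?? 8? ?? ?? ?? 01 ?? C? ?? 2E 63 6F 6E ?? C? ?? 04 74 69",  # ".con" + "ti" immediates
         "B? 2F 43 4F 4E 54 49 5F 52 ?? B? 45 41 44 4D 45 2E 74 78"]         # "/CONTI_R" + "EADME.tx"

def hex_pattern_to_regex(pattern):
    """Turn a YARA hex string ('??' any byte, '8?' any of 0x80..0x8f) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
            continue
        hi = None if tok[0] == "?" else int(tok[0], 16)
        lo = None if tok[1] == "?" else int(tok[1], 16)
        allowed = bytes(v for v in range(256)
                        if (hi is None or v >> 4 == hi) and (lo is None or v & 0xF == lo))
        parts.append(b"[" + re.escape(allowed) + b"]")
    return re.compile(b"".join(parts), re.DOTALL)

C_PATTERNS = [hex_pattern_to_regex(p) for p in C_HEX]

def is_elf(data):
    """uint32(0) == 0x464c457f: YARA reads little-endian, i.e. the ELF magic 7f 45 4c 46."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == 0x464C457F

def matches_rule(data):
    """Evaluate the rule's condition over a raw byte buffer; True means the rule would fire."""
    if not is_elf(data):
        return False
    a = sum(1 for s in A_STRINGS if s in data)
    b = sum(1 for s in B_STRINGS if s in data)
    c = sum(1 for p in C_PATTERNS if p.search(data))
    return a >= 2 or b >= 3 or (a + b >= 1 and c >= 1)

# Constructed buffers (not real samples): ELF magic, padding, then the indicators under test.
SAMPLE_TWO_A = b"\x7fELF" + b"\x00" * 60 + b"\x00_Z13EncryptPartly\x00_Z19KillVirtualMachines\x00"
SAMPLE_NOT_ELF = b"MZ" + SAMPLE_TWO_A[2:]  # same strings, wrong magic: the rule must not fire
SAMPLE_B_PLUS_C = b"\x7fELF" + b"\x00" * 12 + b"\xb8/CONTI_R\x48\xbbEADME.tx" + b".conti\x00"
```

A single $b hit on its own (for example only ".conti") is not enough; the rule needs it paired with one of the code patterns, which keeps the extension string alone from triggering on unrelated binaries.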
