A Ukrainian national pleaded guilty this week to conspiracy charges tied to the Conti ransomware operation — one of the most destructive cybercrime groups in recent history. Between 2021 and 2022, Conti targeted over 1,000 victims worldwide and collected more than $150 million in ransom payments.
The defendant admitted to deploying Conti ransomware on victim networks in the United States and abroad, stealing data and encrypting devices to extort Bitcoin payments. He also worked on coding a “loader” — malware designed to deliver the software needed to carry out attacks.
Conti targeted hospitals, businesses, schools, and government agencies. The group shut down in 2022 following internal chat leaks and increased law enforcement pressure, but security researchers believe former members splintered into other ransomware groups including BlackCat, Black Basta, Hive, and Quantum.
Why Conti Worked: Two File Operations Nobody Blocked
Every Conti attack — and every ransomware attack — depends on two file system operations that happen in sequence.
First, the ransomware payload has to land on disk. It arrives via phishing email, compromised remote access, or a software vulnerability. Regardless of delivery method, the executable file must be written to the Windows file system before it can run.
Second, once executed, the ransomware encrypts victim files by reading the original file, encrypting it in memory, and writing the encrypted version back to disk. That write operation is how encryption happens. There’s no way around it.
Signature-based security tools try to recognize Conti by its code patterns. But ransomware groups release new variants constantly — every few hours in some cases. The window between a new variant’s release and when antivirus vendors can detect it is exactly when attacks happen.
Organizations running older Windows systems — medical equipment, industrial controllers, specialized software locked to legacy OS versions — often can’t run modern endpoint security tools at all. Those systems sit unprotected.
How FileSure Blocks Conti at the Kernel Level
FileSure Defend operates at the Windows kernel level via a filter driver that intercepts every file operation before it completes. It doesn’t try to recognize ransomware. It simply enforces which programs are allowed to perform which file operations.
Blocking Initial Payload Delivery
When Conti’s payload attempts to land on disk — whether delivered by email, browser download, or remote execution — FileSure intercepts the write operation. If the program attempting the write (Outlook, Chrome, a remote access tool) is not authorized to write executable files to that location, the operation is blocked. The payload never reaches the file system. It never executes.
A sample FileSure rule configuration:
- File name filter: *.exe, *.dll, *.bat, *.ps1, *.vbs
- Operations: Create, Write
- Drive type: Hard drives, Network drives
- Action: Block unauthorized programs
Normal business applications continue working. The ransomware payload is stopped before it can run.
Blocking File Encryption
Even if a ransomware variant somehow executes, FileSure blocks the encryption phase. Ransomware must write encrypted file versions back to disk. FileSure’s threshold detection identifies bulk file modification patterns — hundreds of write and rename operations within minutes — and blocks subsequent operations.
A sample threshold rule:
- File name filter: * (all files)
- Operations: Write, Rename/Move
- Drive type: Hard drives, Network drives, Removable drives
- Threshold: 20 matches within 60 minutes
- Result: Block subsequent operations when threshold is crossed
Normal users save files well below this threshold. Ransomware crosses it within seconds. Damage is contained to the files modified before the threshold fired — typically a handful, not thousands.
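To make the two rule types above concrete (the executable-write allow-list under "Blocking Initial Payload Delivery" and the bulk-modification threshold under "Blocking File Encryption"), here is an added user-mode model of the decision logic. It is illustrative code written for this page, not FileSure's own driver, which runs as a kernel filter; the process names, paths, authorized-program list and exemptions are all constructed for the example, and the threshold semantics (the match that reaches the count completes, everything after it from that process is blocked) are one reading of "block subsequent operations when threshold is crossed".

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set

# Executable file types from the sample rule above.
EXEC_EXTENSIONS = {".exe", ".dll", ".bat", ".ps1", ".vbs"}


@dataclass(frozen=True)
class FileOp:
    """One intercepted file operation (constructed stand-in for what a filter driver sees)."""
    t: float       # seconds since the start of the trace
    process: str   # image name of the program issuing the request
    op: str        # "create", "write", or "rename"
    path: str      # target path
    drive: str     # "hard", "network", or "removable"


def executable_extension(path: str) -> Optional[str]:
    """Return the lower-cased final extension if it is an executable type, else None.

    Case-insensitive, final extension only (so 'invoice.pdf.EXE' matches), and the
    name is normalized the way Win32/NTFS does by stripping trailing dots and spaces.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].rstrip(" .")
    dot = name.rfind(".")
    if dot <= 0:
        return None
    ext = name[dot:].lower()
    return ext if ext in EXEC_EXTENSIONS else None


class PayloadRule:
    """Rule 1: only authorized programs may create/write executable files."""

    def __init__(self, authorized: Iterable[str], drives: Iterable[str]):
        self.authorized = {p.lower() for p in authorized}
        self.drives = set(drives)

    def blocks(self, fop: FileOp) -> bool:
        if fop.op not in ("create", "write") or fop.drive not in self.drives:
            return False
        if executable_extension(fop.path) is None:
            return False
        return fop.process.lower() not in self.authorized


class ThresholdRule:
    """Rule 2: bulk write/rename activity by one process trips a per-process block."""

    def __init__(self, threshold: int, window_s: float, drives: Iterable[str],
                 exempt: Iterable[str] = ()):
        self.threshold, self.window_s = threshold, window_s
        self.drives, self.exempt = set(drives), {p.lower() for p in exempt}
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # timestamps per process
        self.tripped: Set[str] = set()

    def blocks(self, fop: FileOp) -> bool:
        proc = fop.process.lower()
        if proc in self.tripped:
            return True                       # everything after the trip is blocked
        if proc in self.exempt or fop.op not in ("write", "rename") or fop.drive not in self.drives:
            return False
        window = self.recent[proc]
        window.append(fop.t)
        while window and fop.t - window[0] > self.window_s:
            window.popleft()                  # slide the window forward
        if len(window) >= self.threshold:
            self.tripped.add(proc)            # this match crosses the threshold and
        return False                          # completes; later matches are blocked


def evaluate(ops: Iterable[FileOp], rules) -> List[str]:
    """Verdict per operation, in trace order. Rules are consulted in list order and an
    operation blocked by an earlier rule is not counted as a match by later ones."""
    return ["block" if any(r.blocks(fop) for fop in [fop] for r in rules) else "allow"
            for fop in ops]


def build_rules():
    return [
        PayloadRule(authorized={"msiexec.exe", "trustedinstaller.exe"},   # assumed allow-list
                    drives={"hard", "network"}),
        ThresholdRule(threshold=20, window_s=3600,
                      drives={"hard", "network", "removable"},
                      exempt={"backupagent.exe"}),                        # assumed exemption
    ]


def payload_delivery_trace() -> List[FileOp]:
    """Constructed events: two payload drops, one document save, one installer write."""
    return [
        FileOp(0.0, "outlook.exe", "create", r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.EXE", "hard"),
        FileOp(1.0, "chrome.exe", "write", r"C:\Users\alice\Downloads\setup.exe", "hard"),
        FileOp(2.0, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx", "hard"),
        FileOp(3.0, "msiexec.exe", "write", r"C:\Program Files\App\app.exe", "hard"),
    ]


def encryption_trace(n_files: int = 100) -> List[FileOp]:
    """Constructed events: a running encryptor rewriting then renaming files on a share."""
    ops = []
    for i in range(n_files):
        path = rf"\\fileserver\share\doc{i}.docx"
        ops.append(FileOp(i * 0.05, "locker.exe", "write", path, "network"))
        ops.append(FileOp(i * 0.05 + 0.01, "locker.exe", "rename", path, "network"))
    return ops


def normal_user_trace() -> List[FileOp]:
    """Constructed events: a user saving six documents over an hour."""
    return [FileOp(i * 600.0, "winword.exe", "write",
                   rf"C:\Users\alice\Documents\draft{i}.docx", "hard") for i in range(6)]


def run_demo() -> dict:
    delivery = evaluate(payload_delivery_trace(), build_rules())
    enc = evaluate(encryption_trace(), build_rules())
    normal = evaluate(normal_user_trace(), build_rules())
    return {"delivery": delivery,
            "encryption_allowed": enc.count("allow"), "encryption_blocked": enc.count("block"),
            "normal": normal}


if __name__ == "__main__":
    print(run_demo())
```

With the constructed traces, both payload drops are blocked while the document save and the installer's write go through; the encryptor completes its first 20 write/rename operations (ten files) and the remaining 180 are refused; the ordinary user never approaches the threshold. Two details worth checking in any deployment of rules like these: the executable-type match must be case-insensitive on the normalized final extension, or a lure such as `invoice.pdf.EXE` slips past, and because the threshold is keyed per process, programs that legitimately rewrite many files quickly (backup agents, build tools, installers) need an exemption or a higher threshold rather than being allowed to trip the rule.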
This Works on Every Conti Victim — and Tomorrow’s Variant
FileSure runs on Windows Server 2003 through Server 2022, and all desktop Windows versions across the same span. The medical equipment, industrial systems, and legacy applications that modern security tools won’t touch are exactly where FileSure applies.
A ransomware variant released this morning is stopped the same way as Conti from 2021. No signature update required. No waiting for your vendor to catch up. The file operations are the same. The kernel-level controls are the same.
Conti’s 1,000 victims had security tools that tried to recognize the threat. FileSure doesn’t play that game. It just controls what’s allowed to happen to your files.
Start your free 21-day trial at bystorm.com and see it block our harmless ransomware simulator in real time. Install it, run the test file, watch the block happen. That’s the whole demo.
Source: Ukrainian national pleads guilty to role in Conti ransomware operation