Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[1][2][3]

ID: S0575
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 2.2
Created: 17 February 2021
Last Modified: 09 August 2023

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Conti has decrypted its payload using a hardcoded AES-256 key.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Conti accepts command-line options that let an operator control how it scans and encrypts files.[2][4]

Enterprise T1486 Data Encrypted for Impact

Conti can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionStatus() to rapidly encrypt files across a pool of worker threads, excluding files with the extensions .exe, .dll, and .lnk. It uses a different AES-256 key per file, with each per-file key protected by a bundled RSA-4096 public key that is unique to each victim. Conti can use the Windows Restart Manager to release file locks so that files held open by other processes can be encrypted.[1][2][3][5][4]

Enterprise T1083 File and Directory Discovery

Conti can discover files on a local system.[2]

Enterprise T1489 Service Stop

Conti can stop up to 146 Windows services related to security, backup, database, and email products by running net stop for each one.[2]

Enterprise T1106 Native API

Conti has used API calls during execution.[1][2]

Enterprise T1080 Taint Shared Content

Conti can spread itself by infecting other remote machines via network shared drives.[1][2]

Enterprise T1027 Obfuscated Files or Information

Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.[2][1][5]

Enterprise T1490 Inhibit System Recovery

Conti can delete Windows Volume Shadow Copies using vssadmin.[2]
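The two impact behaviours above (a burst of net stop commands against backup, database and mail services, followed by vssadmin deleting shadow copies) are both visible in process-creation telemetry. The following is an added detection example, not code from the page or from any of the cited reports: it runs over a constructed set of Sysmon Event ID 1 / Security 4688 style events (made up for this illustration, flattened to tab-separated fields) and flags a host when it sees vssadmin delete shadows, or five or more net stop invocations within 60 seconds. The 60-second window and threshold of five are assumptions chosen for the example, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows process-creation events, flattened to
# timestamp \t host \t pid \t ppid \t command line. Not from a real incident.
SAMPLE_EVENTS = """\
2021-02-17T10:00:00\tWS01\t4412\t3120\tnet stop "Acronis VSS Provider" /y
2021-02-17T10:00:01\tWS01\t4420\t3120\tnet stop SQLWriter /y
2021-02-17T10:00:01\tWS01\t4428\t3120\tnet stop MSSQLSERVER /y
2021-02-17T10:00:02\tWS01\t4436\t3120\tnet stop VeeamBackupSvc /y
2021-02-17T10:00:02\tWS01\t4444\t3120\tnet stop MSExchangeIS /y
2021-02-17T10:00:03\tWS01\t4452\t3120\tvssadmin.exe Delete Shadows /All /Quiet
2021-02-17T10:05:00\tWS02\t1200\t900\tnet stop Spooler
2021-02-17T10:06:00\tWS02\t1210\t900\tvssadmin list shadows
"""

# net.exe re-launches itself as net1.exe for "net stop", so both are matched;
# a full path (C:\Windows\System32\net.exe) is accepted via the "\" alternative.
NET_STOP = re.compile(r"(?:^|\\)net1?(?:\.exe)?\s+stop\b", re.IGNORECASE)
# Only the destructive sub-command is interesting; "vssadmin list shadows" is benign.
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def parse_events(text):
    """Turn the tab-separated sample into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, cmd = line.split("\t", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return events


def detect_conti_impact(text, window=timedelta(seconds=60), threshold=5):
    """Return one alert dict per (host, technique) that fires.

    T1490: any vssadmin delete shadows command line.
    T1489: >= threshold net stop commands on one host inside a sliding window.
    """
    alerts = []
    stops = defaultdict(list)
    for ev in parse_events(text):
        if VSS_DELETE.search(ev["cmd"]):
            alerts.append({"host": ev["host"], "technique": "T1490",
                           "evidence": [ev["cmd"]]})
        elif NET_STOP.search(ev["cmd"]):
            stops[ev["host"]].append(ev)

    for host, evs in stops.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Every net stop at or after `first` that falls inside the window.
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                alerts.append({"host": host, "technique": "T1489",
                               "evidence": [e["cmd"] for e in burst]})
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_conti_impact(SAMPLE_EVENTS):
        print(alert["host"], alert["technique"], len(alert["evidence"]), "event(s)")
```

In production the same logic would be fed from a SIEM query on process-creation events; the burst rule is what separates an administrator restarting one service from the scripted shutdown of dozens of backup and database services, and the vssadmin rule should fire on its own regardless of volume.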

Enterprise T1049 System Network Connections Discovery

Conti can enumerate routine network connections from a compromised host.[2]

Enterprise T1016 System Network Configuration Discovery

Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.[2]
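The ARP-cache filter described above (take the neighbours the host already knows about, keep only local non-Internet addresses, and use those as spreading targets) is worth reproducing, both to understand the blast radius of one infected host and to reason about what a defender would see. The example below is added here and is not code from the page or from Conti: it takes a constructed ARP table in the shape GetIpNetTable() or arp -a would return (IP, MAC, entry type; the rows are made up, including a deliberately unrealistic Internet address to exercise the exclusion) and applies the local-only filter with explicit handling of broadcast, multicast, loopback and the host's own address. The local network 10.10.20.0/24 and self address 10.10.20.5 are assumptions for the example.

```python
import ipaddress

# Constructed ARP cache rows: (ip, mac, type). Made up for this example.
ARP_SAMPLE = [
    ("10.10.20.1",      "00-50-56-a1-00-01", "dynamic"),
    ("10.10.20.37",     "00-50-56-a1-00-37", "dynamic"),
    ("10.10.20.255",    "ff-ff-ff-ff-ff-ff", "static"),   # subnet broadcast
    ("224.0.0.251",     "01-00-5e-00-00-fb", "static"),   # mDNS multicast
    ("239.255.255.250", "01-00-5e-7f-ff-fa", "static"),   # SSDP multicast
    ("255.255.255.255", "ff-ff-ff-ff-ff-ff", "static"),   # limited broadcast
    ("8.8.8.8",         "00-50-56-a1-00-01", "dynamic"),  # unrealistic in ARP; shows the Internet exclusion
    ("172.16.5.9",      "00-0c-29-12-34-56", "dynamic"),  # another RFC 1918 range
    ("169.254.10.2",    "00-0c-29-aa-bb-cc", "dynamic"),  # link-local, still "local"
]

LOCAL_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]  # assumed for the example
SELF_ADDR = ipaddress.ip_address("10.10.20.5")            # assumed for the example


def lateral_targets(arp_rows, local_networks, self_addr):
    """Filter an ARP table down to plausible SMB spreading targets.

    Keeps IPv4 neighbours that are private (RFC 1918 or link-local) and drops
    anything that cannot be a host: broadcast, multicast, loopback, reserved,
    Internet-routable addresses, and the machine's own address.
    Returns the surviving addresses as strings in numeric order.
    """
    broadcasts = {n.broadcast_address for n in local_networks}
    broadcasts.add(ipaddress.ip_address("255.255.255.255"))
    targets = set()
    for ip_str, mac, _kind in arp_rows:
        ip = ipaddress.ip_address(ip_str)
        if ip.version != 4:
            continue
        if ip == self_addr or ip in broadcasts:
            continue
        if ip.is_multicast or ip.is_loopback or ip.is_unspecified or ip.is_reserved:
            continue
        if not ip.is_private:          # Internet-routable: not a "local" system
            continue
        # Belt and braces: group/broadcast MAC prefixes never belong to a host.
        if mac.lower().startswith(("ff-ff-ff", "01-00-5e")):
            continue
        targets.add(ip)
    return [str(t) for t in sorted(targets)]


if __name__ == "__main__":
    for t in lateral_targets(ARP_SAMPLE, LOCAL_NETWORKS, SELF_ADDR):
        print("candidate target:", t)
```

The point for defenders is that the candidate list is derived purely from what the host has recently talked to, so the first SMB connections after infection go to servers and peers that were already in normal contact with that machine; new SMB sessions from a workstation to many of its ARP neighbours in quick succession is the signal to hunt for.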

Enterprise T1135 Network Share Discovery

Conti can enumerate remote open SMB network shares using NetShareEnum().[2][5]

Enterprise T1057 Process Discovery

Conti can enumerate through all open processes to search for any that have the string "sql" in their process name.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Conti has loaded an encrypted DLL into memory and then executed it.[1][2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.[1][2]

Enterprise T1018 Remote System Discovery

Conti has the ability to discover hosts on a target network.[5]

Groups That Use This Software

ID Name References
G0102 Wizard Spider [5][6][7]

Campaigns

ID Name Description
C0015 C0015 [4]

References