Skip to content

S0575 Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.312

Item Value
ID S0575
Associated Names
Type MALWARE
Version 2.1
Created 17 February 2021
Last Modified 29 September 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.15
enterprise T1486 Data Encrypted for Impact Conti can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti can use “Windows Restart Manager” to ensure files are unlocked and open for encryption.31245
enterprise T1140 Deobfuscate/Decode Files or Information Conti has decrypted its payload using a hardcoded AES-256 key.31
enterprise T1083 File and Directory Discovery Conti can discover files on a local system.1
enterprise T1490 Inhibit System Recovery Conti can delete Windows Volume Shadow Copies using vssadmin.1
enterprise T1106 Native API Conti has used API calls during execution.31
enterprise T1135 Network Share Discovery Conti can enumerate remote open SMB network shares using NetShareEnum().14
enterprise T1027 Obfuscated Files or Information Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.134
enterprise T1057 Process Discovery Conti can enumerate through all open processes to search for any that have the string “sql” in their process name.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Conti has loaded an encrypted DLL into memory and then executes it.31
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.31
enterprise T1018 Remote System Discovery
Conti has the ability to discover hosts on a target network.4
enterprise T1489 Service Stop Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop.1
enterprise T1016 System Network Configuration Discovery Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.1
enterprise T1049 System Network Connections Discovery Conti can enumerate routine network connections from a compromised host.1
enterprise T1080 Taint Shared Content Conti can spread itself by infecting other remote machines via network shared drives.31

Groups That Use This Software

ID Name References
G0102 Wizard Spider 4

References

  1. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  2. Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021. 

  3. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 

  4. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  5. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.