IP:Port | Timestamp |
---|---|

Domain | Timestamp |
---|---|

URL | Timestamp |
---|---|
https://contirecovery.info | 2023-04-25 |
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion | 2023-04-25 |
2023-10-03 by Luca Mella from
2023-09-12 by ANSSI from ANSSI
2023-09-07 by Office of Public Affairs from Department of Justice
2023-07-26 by Steven Campbell from Arctic Wolf
2023-06-27 by Charlotte Hammond from SecurityIntelligence
2023-06-17 by EmissarySpider from Github (EmissarySpider)
2023-06-08 by Patrick Staubmann from VMRay
2023-03-10 by Jason Reaves from Medium walmartglobaltech
2023-02-10 by cocomelonc from cocomelonc
2023-02-01 by Pierluigi Paganini from Security Affairs
2023-01-04 by cocomelonc from
2022-11-21 by Kristopher Russo from Palo Alto Networks Unit 42
2022-09-28 by Giovanni Vigna from vmware
2022-09-20 by Dana Behling from vmware
2022-09-13 by Advanced Intelligence from AdvIntel
2022-09-07 by Intel 471 from Intel 471
2022-09-07 by Anuj Soni from Blackberry
2022-08-22 by Microsoft from Microsoft
2022-08-03 by Brad Duncan from Palo Alto Networks Unit 42
2022-08-02 by Insikt Group from Recorded Future
2022-07-20 by Marc Rivero López from Kaspersky
2022-06-23 by Nikita Nazarov from Kaspersky
2022-06-23 by Nikita Nazarov from Kaspersky
2022-06-23 by Christiaan Beek from Trellix
2022-06-15 by Jackson Wells from AttackIQ
2022-06-15 by Ofir Ashman from ThreatStop
2022-06-02 by Eclypsium from Eclypsium
2022-05-24 by Florian Goutin from The Hacker News
2022-05-23 by Trend Micro Research from Trend Micro
2022-05-23 by Matsugaya Shingo from Trend Micro
2022-05-20 by Yelisey Boguslavskiy from AdvIntel
2022-05-18 by PRODAFT from PRODAFT Threat Intelligence
2022-05-17 by Vitali Kremez from Advanced Intelligence
2022-05-12 by Intel 471 from Intel 471
2022-05-11 by GReAT from Kaspersky
2022-05-09 by Microsoft 365 Defender Threat Intelligence Team from Microsoft
2022-05-05 by Ryan Hallbeck from YouTube (The Vertex Project)
2022-05-03 by Kendall McKay from Cisco
2022-05-03 by JON MUNSHAW from Talos Intelligence
2022-05-02 by Kendall McKay from Cisco Talos
2022-04-29 by Mike Stokkel from NCC Group
2022-04-28 by PWC UK from PWC
2022-04-28 by Karthikeyan C Kasiviswanathan from Symantec
2022-04-26 by Intel 471 from Intel 471
2022-04-21 by Counter Threat Unit ResearchTeam from Secureworks
2022-04-20 by Bill Toulas from Bleeping Computer
2022-04-18 by Marc Elias from Trellix
2022-04-17 by BushidoToken from BushidoToken Blog
2022-04-15 by Ionut Ilascu from Bleeping Computer
2022-04-15 by Arctic Wolf from Arctic Wolf
2022-04-12 by ConnectWise CRU from ConnectWise
2022-04-11 by cocomelonc from
2022-04-09 by Lawrence Abrams from Bleeping Computer
2022-04-08 by Paul Roberts from ReversingLabs
2022-04-06 by TRM Labs from TRM Labs
2022-04-04 by @0xtornado from The DFIR Report
2022-04-02 by cocomelonc from Github (cocomelonc)
2022-03-31 by John Fokker from Trellix
2022-03-31 by Nikolaos Pantazopoulos from nccgroup
2022-03-27 by cocomelonc from
2022-03-25 by Brett Stone-Gross from Zscaler
2022-03-23 by Shannon Davis from splunk
2022-03-23 by Counter Threat Unit ResearchTeam from Secureworks
2022-03-23 by Counter Threat Unit ResearchTeam from Secureworks
2022-03-23 by Intel 471 from Intel 471
2022-03-22 by Ofir Ashman from ThreatStop
2022-03-21 by eSentire Threat Response Unit (TRU) from eSentire
2022-03-21 by Lisa Vaas from Threat Post
2022-03-18 by eSentire Threat Response Unit (TRU) from eSentire
2022-03-17 by Tilly Travers from Sophos
2022-03-17 by Vladislav Stolyarov from Google
2022-03-17 by Vladislav Stolyarov from Google
2022-03-16 by Josh Hanrahan from Dragos
2022-03-16 by Symantec Threat Hunter Team from Symantec
2022-03-15 by Matt Stafford from Prevailion
2022-03-10 by Check Point Research from
2022-03-09 by Ionut Ilascu from Bleeping Computer
2022-03-08 by Luigi Martire from Yoroi
2022-03-08 by MBSD from MBSD
2022-03-08 by Dina Temple-Raston from The Record
2022-03-08 by Arda Büyükkaya from Github (whichbuffer)
2022-03-07 by Suzanne Smalley from CyberScoop
2022-03-03 by Trend Micro Research from Trend Micro
2022-03-03 by Trend Micro Research from Trend Micro
2022-03-02 by Cluster25 from Cluster25
2022-03-02 by Carlos del Castillo from elDiario
2022-03-02 by Sergei Frankoff from Youtube (OALabs)
2022-03-02 by Lisa Vaas from Threatpost
2022-03-02 by CyberArk Labs from CyberArk
2022-03-02 by Brian Krebs from KrebsOnSecurity
2022-03 by Arctic Wolf from Arctic Wolf
2022-03-01 by Lawrence Abrams from Bleeping Computer
2022-03-01 by The DFIR Report from Twitter (@TheDFIRReport)
2022-03-01 by VX-Underground from
2022-03-01 by Wade Hickey from Medium whickey000
2022-02-28 by Sean Gallagher from Sophos
2022-02-28 by TheParmak from Github (TheParmak)
2022-02-28 by Arnaud Zobec from Medium arnozobec
2022-02-27 by Lawrence Abrams from Bleeping Computer
2022-02-27 by Catalin Cimpanu from The Record
2022-02-25 by Red Hot Cyber from Red Hot Cyber
2022-02-23 by Shannon Davis from splunk
2022-02-23 by Vitali Kremez from AdvIntel
2022-02-22 by Chester Wisniewski from Sophos
2022-02-22 by Matthew J. Schwartz from Bankinfo Security
2022-02-20 by Pierluigi Paganini from Security Affairs
2022-02-18 by Ionut Ilascu from Bleeping Computer
2022-02-14 by Cyware from
2022-02-09 by Anna Skelton from Dragos
2022-02-04 by Sergiu Gatlan from Bleeping Computer
2022-01-27 by CoveWare from
2022-01-27 by Sergiu Gatlan from BleepingComputer
2022-01-24 by CyCraft AI from CyCraft
2022 by Ian W. Gray from Symposium on Electronic Crime Research
2022 by Silent Push from Silent Push
2021-12-23 by Siddhesh Chandrayan from Symantec
2021-12-17 by Vitali Kremez from Advanced Intelligence
2021-12-13 by The DFIR Report from The DFIR Report
2021-12-08 by Justin Fier from Darktrace
2021-12-03 by HSE from HSE
2021-12-01 by Trend Micro from Trend Micro
2021-11-29 by The DFIR Report from The DFIR Report
2021-11-18 by The Red Canary Team from Red Canary
2021-11-18 by Ghanshyam More from Qualys
2021-11-18 by PRODAFT from PRODAFT Threat Intelligence
2021-11-18 by Elliptic Intel from Elliptic
2021-11-16 by IronNet Threat Research from IronNet
2021-11-15 by Fabio Viggiani from TRUESEC
2021-11-10 by Josh Gomez from AT&T
2021-11-09 by Aleksandar Milenkoski from Cybereason
2021-11-07 by Marco Ramilli from Marco Ramilli's Blog
2021-11-02 by Cyb3rSn0rlax from unh4ck
2021-11-02 by Intel 471 from Intel 471
2021-10-26 by Hamza OUADIA from unh4ck
2021-10-25 by Brian Krebs from KrebsOnSecurity
2021-10-22 by Krijn de Mik from HUNT & HACKETT
2021-10-05 by Fyodor Yarochkin from Trend Micro
2021-10-04 by The DFIR Report from The DFIR Report
2021-09-29 by Vitali Kremez from Advanced Intelligence
2021-09-22 by US-CERT from CISA
2021-09-14 by CrowdStrike Intelligence Team from CrowdStrike
2021-09-13 by The DFIR Report from The DFIR Report
2021-09-03 by Sean Gallagher from Sophos
2021-09-02 by Caitlin Huey from Talos
2021-08-19 by sekoia from Sekoia
2021-08-17 by Vitali Kremez from Advanced Intelligence
2021-08-17 by sekoia from Sekoia
2021-08-15 by Threat Hunter Team from Symantec
2021-08-11 by Vitali Kremez from Advanced Intelligence
2021-08-10 by OALabs from Youtube (OALabs)
2021-08-10 by Vlad Pasca from LIFARS
2021-08-06 by Elizabeth Montalbano from Threat Post
2021-08-06 by Paul Ducklin from Sophos Naked Security
2021-08-05 by Catalin Cimpanu from The Record
2021-08-05 by Peter Mackenzie from Twitter (@AltShiftPrtScn)
2021-08-05 by Lawrence Abrams from Bleeping Computer
2021-08-05 by Brian Krebs from KrebsOnSecurity
2021-08-01 by The DFIR Report from The DFIR Report
2021-07-21 by Peter Mackenzie from Twitter (@AltShiftPrtScn)
2021-07-08 by Idan Weizman from SentinelOne
2021-07-01 by Dor Neemani from Fortinet
2021-07-01 by Chad Anderson from DomainTools
2021-06-30 by Max Malyutin from Cynet
2021-06-18 by Richard Hickman from Palo Alto Networks Unit 42
2021-06-15 by Janus Agcaoili from Trend Micro
2021-06-02 by Josh Dalman from CrowdStrike
2021-05-20 by FBI from FBI
2021-05-16 by NCSC Ireland from NCSC Ireland
2021-05-12 by The DFIR Report from
2021-05-10 by DarkTracer from DarkTracer
2021-05-06 by Brandon Denker from Cyborg Security
2021-04-29 by The Institute for Security and Technology from The Institute for Security and Technology
2021-04-26 by CoveWare from CoveWare
2021-04-25 by Corsin Camichel from Vulnerability.ch Blog
2021-04-13 by Takashi Yoshikawa from MBSD
2021-04-07 by Jon DiMaggio from ANALYST1
2021-04-07 by Jon DiMaggio from ANALYST1
2021-03 by Oleg Skulkin from Group-IB
2021-02-28 by PWC UK from PWC UK
2021-02-25 by CERT-FR from ANSSI
2021-02-23 by CrowdStrike from CrowdStrike
2021-02-16 by Andrew Brandt from SophosLabs Uncut
2021-02-16 by Michael Heller from SophosLabs Uncut
2021-02-16 by Peter Mackenzie from SophosLabs Uncut
2021-02-11 by CTI LEAGUE from CTI LEAGUE
2021-02-04 by ClearSky Research Team from ClearSky
2021-02-02 by Germán Fernández from CRONUP
2021-01-17 by Peter Mackenzie from Twitter (@AltShiftPrtScn)
2021-01-12 by Lior Rochberger from Cybereason
2020-12-15 by Chuong Dong from Chuongdong blog
2020-12-15 by 0xthreatintel from Medium 0xthreatintel
2020-12-12 by Chuong Dong from Github (cdong1012)
2020-11-20 by Catalin Cimpanu from ZDNet
2020-11-18 by Victoria Kivilevich from KELA
2020-11-16 by Intel 471 from Intel 471
2020-10-23 by Hornetsecurity Security Lab from Hornetsecurity
2020-10-16 by The Crowdstrike Intel Team from CrowdStrike
2020-10-01 by Victoria Kivilevich from KELA
2020-09-29 by Andy Auld from PWC UK
2020-08-25 by Lawrence Abrams from BleepingComputer
2020-08-18 by Arete Incident Response from Arete
2020-07-08 by Brian Baskin from VMWare Carbon Black
Tool: Conti
Names: Conti
Description: (Carbon Black) Conti uses a large number of independent threads to perform encryption, allowing up to 32 simultaneous encryption efforts, resulting in faster encryption compared to many other families. Conti also utilizes command line options to allow for control over how it scans for data, suggesting that the malware may commonly be spread and directly controlled by an adversary. This control introduces the novel ability of skipping the encryption of local files and only targeting networked SMB shares, including those from IP addresses specifically provided by the adversary. This is a very rare ability that’s previously been seen with the Sodinokibi ransomware family. Another new technique, documented in very few ransomware families, is the use of the Windows Restart Manager to ensure that all files can be encrypted. Just as Windows will attempt to cleanly shut down open applications when the operating system is rebooted, the ransomware will utilize the same functionality to cleanly close the application that has a file locked. By doing so, the file is freed up for encryption.
Category: Malware
Type: Ransomware, Big Game Hunting
Information: https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
Information: https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf
Information: https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/
Information: https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
Information: https://www.coveware.com/conti-ransomware
Information: https://thedfirreport.com/2021/05/12/conti-ransomware/
Information: https://www.bleepingcomputer.com/news/security/fbi-conti-ransomware-attacked-16-us-healthcare-first-responder-orgs/
Information: https://unit42.paloaltonetworks.com/conti-ransomware-gang/
Information: https://cycrafttechnology.medium.com/conti-ransomware-in-taiwan-45b44f1ab0d8
Information: https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/
Information: https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html
Information: https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
Information: https://www.bleepingcomputer.com/news/security/australian-govt-raises-alarm-over-conti-ransomware-attacks/
Information: https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
Information: https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html
Information: https://www.malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt
Information: https://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html
Information: https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/
Mitre-attack: https://attack.mitre.org/software/S0575/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.conti
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:conti
Playbook: https://pan-unit42.github.io/playbook_viewer/?pb=conti-ransomware
Last-card-change: 2023-09-05
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Procedure |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Conti can utilize command line options to allow an attacker control over how it scans and encrypts files. |
Privilege Escalation (TA0004) | T1055.001 Process Injection: Dynamic-link Library Injection | Conti has loaded an encrypted DLL into memory and then executes it. |
Defense Evasion (TA0005) | T1140 Deobfuscate/Decode Files or Information | Conti has decrypted its payload using a hardcoded AES-256 key. |
Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls. |
Defense Evasion (TA0005) | T1055.001 Process Injection: Dynamic-link Library Injection | Conti has loaded an encrypted DLL into memory and then executes it. |
Discovery (TA0007) | T1135 Network Share Discovery | Conti can enumerate remote open SMB network shares using NetShareEnum(). |
Discovery (TA0007) | T1057 Process Discovery | Conti can enumerate through all open processes to search for any that have the string "sql" in their process name. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure the IP addresses it connects to are for local, non-Internet, systems. |
Discovery (TA0007) | T1049 System Network Connections Discovery | Conti can enumerate routine network connections from a compromised host. |
Lateral Movement (TA0008) | T1021.002 Remote Services: SMB/Windows Admin Shares | Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. |
Lateral Movement (TA0008) | T1080 Taint Shared Content | Conti can spread itself by infecting other remote machines via network shared drives. |
Impact (TA0040) | T1486 Data Encrypted for Impact | Conti can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti can use the Windows Restart Manager to ensure files are unlocked and open for encryption. |
Impact (TA0040) | T1489 Service Stop | Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of "net stop". |