
Conti Ransomware Group

By Huseyin Can YUCEEL & Picus Labs   August 22, 2022   Ransomware

Conti, the successor to Ryuk, is currently one of the most infamous ransomware threat groups. Operating under the ransomware-as-a-service (RaaS) model, Conti was behind high-profile attacks in 2022, such as those against Panasonic, Indonesia Central Bank, and Meyer. Conti affiliates use a triple extortion method: in addition to demanding a ransom for access to the encrypted data, they threaten to publish the exfiltrated data and to sell access to the victim organization.

Metadata

Associated Groups: Successor of the Ryuk ransomware group; aliases Grim Spider, Wizard Spider
Associated Country: Russia
First Seen: July 2020
Target Sectors: Healthcare, Insurance, Manufacturing, Technology, Telecommunications, Retail
Target Countries: United States, Ireland, Netherlands, New Zealand, Taiwan

Modus Operandi

Business Models: Ransomware-as-a-Service (RaaS); Multiple Extortion
Extortion Tactics: File Encryption; Data Leakage; Selling Access
Initial Access Methods: Exploit Public-Facing Application; Phishing; External Remote Services
Impact Methods: Data Encryption; Data Exfiltration

Exploited Applications and Vulnerabilities by Conti

Application                             | Vulnerability                                | CVE            | CVSS
Microsoft Exchange                      | ProxyShell RCE                               | CVE-2021-34473 | 9.8 Critical
Microsoft Exchange                      | ProxyShell Privilege Escalation              | CVE-2021-34523 | 9.8 Critical
Microsoft Exchange                      | ProxyShell Security Feature Bypass           | CVE-2021-31207 | 7.2 High
Fortinet FortiGate SSL VPN              | Path Traversal                               | CVE-2018-13379 | 9.8 Critical
Fortinet FortiOS                        | Improper Access Control                      | CVE-2018-13374 | 8.8 High
Microsoft Windows Netlogon              | Zerologon Privilege Escalation Vulnerability | CVE-2020-1472  | 10 Critical
Microsoft Windows                       | EternalBlue RCE                              | CVE-2017-0143  | 8.1 High
Microsoft Windows                       | EternalBlue RCE                              | CVE-2017-0144  | 8.1 High
Microsoft Windows                       | EternalBlue RCE                              | CVE-2017-0145  | 8.1 High
Microsoft Windows                       | EternalBlue RCE                              | CVE-2017-0146  | 8.1 High
Microsoft Windows                       | EternalBlue Information Disclosure           | CVE-2017-0147  | 5.9 Medium
Microsoft Windows                       | EternalBlue                                  | CVE-2017-0148  | 8.1 High
Microsoft Windows Print Spooler Service | Print Nightmare RCE Vulnerability            | CVE-2021-1675  | 8.8 High

Utilized Tools and Malware by Conti

MITRE ATT&CK Tactic       | Tools
Initial Access, Execution | BazarLoader, Cobalt Strike
Persistence               | BazarBackdoor, Cobeacon Backdoor
Privilege Escalation      | dazzleUP, PEASS-ng, PowerUpSQL, Watson
Defence Evasion           | GMER, GPEdit.msc, KillAV
Credential Access         | Comsvcs.dll Minidump, Invoke-SMBAutoBrute, Mimikatz, Net-GPPPassword, NTDSUtil, PowerShell Empire Invoke-Kerberoast, Powertools Mass-Mimikatz, ProcDump, reg.exe, Router Scan, SharpChrome, VSSAdmin.exe, Windows Task Manager
Lateral Movement          | Atera, BITSAdmin, PSExec
Command and Control       | AnyDesk, Cobalt Strike, Go Simple Tunnel - gost, Ngrok
Exfiltration              | Filezilla, Mega, Rclone, WinSCP
Impact                    | Conti Locker
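The tool table above is most useful to a defender as a detection checklist: several of the tools (Rclone, AnyDesk, Ngrok, ProcDump, the comsvcs.dll MiniDump export) are legitimate or dual-use binaries that only become suspicious in combination. The script below is an added example, not Picus's code. It scans constructed Sysmon-style process-creation records for the tool names in the table, maps each hit to the tactic the table assigns it, and reports the ordered tactic chain per host. The `key=value|key=value` log format, the sample lines, and the per-tool regexes are assumptions made for the demo; the field names (`Image`, `OriginalFileName`, `CommandLine`) follow Sysmon Event ID 1, and `OriginalFileName` is checked so that a renamed binary (e.g. rclone.exe copied to a benign-looking name) is still recognised.

```python
"""Triage process-creation events for tooling listed in the Conti profile.

Added example (not Picus's code). Field names follow Sysmon Event ID 1;
the log line format, sample events and regexes are constructed for the demo.
"""
import re
from collections import defaultdict

# Tool -> tactic, taken from the table above. The regexes are assumptions
# about how each tool usually appears in a command line or binary name.
TOOL_SIGNATURES = [
    ("Comsvcs.dll Minidump", "Credential Access", re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("Mimikatz",     "Credential Access",   re.compile(r"mimikatz", re.I)),
    ("ProcDump",     "Credential Access",   re.compile(r"procdump", re.I)),
    ("NTDSUtil",     "Credential Access",   re.compile(r"ntdsutil", re.I)),
    ("VSSAdmin.exe", "Credential Access",   re.compile(r"vssadmin", re.I)),
    ("PSExec",       "Lateral Movement",    re.compile(r"psexe(c|svc)", re.I)),
    ("BITSAdmin",    "Lateral Movement",    re.compile(r"bitsadmin", re.I)),
    ("AnyDesk",      "Command and Control", re.compile(r"anydesk", re.I)),
    ("Ngrok",        "Command and Control", re.compile(r"ngrok", re.I)),
    ("gost",         "Command and Control", re.compile(r"\bgost\b", re.I)),
    ("Rclone",       "Exfiltration",        re.compile(r"rclone", re.I)),
    ("Mega",         "Exfiltration",        re.compile(r"mega(cmd|sync)", re.I)),  # assumed client names
    ("WinSCP",       "Exfiltration",        re.compile(r"winscp", re.I)),
    ("Filezilla",    "Exfiltration",        re.compile(r"filezilla", re.I)),
]


def parse_event(line):
    """Parse 'key=value' pairs separated by '|' into a dict (constructed log format)."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def match_tools(event):
    """Return [(tool, tactic)] for every signature found in the event.

    Image, OriginalFileName (from the PE version resource) and CommandLine
    are all searched, so a renamed copy of a tool is still caught.
    """
    haystack = " ".join(event.get(k, "") for k in ("Image", "OriginalFileName", "CommandLine"))
    return [(tool, tactic) for tool, tactic, pattern in TOOL_SIGNATURES if pattern.search(haystack)]


def triage(lines):
    """Group (time, tool, tactic) hits by host, in log order."""
    per_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        for tool, tactic in match_tools(event):
            per_host[event.get("Computer", "?")].append((event.get("UtcTime", ""), tool, tactic))
    return dict(per_host)


def tactic_chain(hits):
    """Time-ordered, de-duplicated tactics seen on one host."""
    chain = []
    for _, _, tactic in sorted(hits, key=lambda h: h[0]):
        if tactic not in chain:
            chain.append(tactic)
    return chain


# Constructed sample events (not real telemetry). The third line shows a
# renamed rclone binary that only OriginalFileName reveals.
SAMPLE_EVENTS = [
    "UtcTime=2022-08-01 10:01:00|Computer=WS01|Image=C:\\Windows\\System32\\rundll32.exe|OriginalFileName=RUNDLL32.EXE|CommandLine=rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 624 C:\\temp\\l.dmp full",
    "UtcTime=2022-08-01 10:05:00|Computer=WS01|Image=C:\\Windows\\System32\\notepad.exe|OriginalFileName=NOTEPAD.EXE|CommandLine=notepad.exe notes.txt",
    "UtcTime=2022-08-01 10:20:00|Computer=WS01|Image=C:\\Users\\Public\\svchost.exe|OriginalFileName=rclone.exe|CommandLine=svchost.exe copy D:\\share remote:bucket",
    "UtcTime=2022-08-01 10:30:00|Computer=FS02|Image=C:\\Program Files\\AnyDesk\\AnyDesk.exe|OriginalFileName=AnyDesk.exe|CommandLine=AnyDesk.exe --service",
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(tactic_chain(hits)))
        for when, tool, tactic in hits:
            print("   ", when, tool, f"[{tactic}]")
```

Run as-is it reports WS01 as "Credential Access > Exfiltration" (an LSASS dump followed twenty minutes later by a renamed Rclone), which is the combination worth escalating, while FS02 shows only a single remote-access tool that may be legitimate. In a real pipeline the same per-host chain can drive alert severity rather than alerting on each tool individually.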

