Leaked Tools, TTPs, and IOCs Used by Conti Ransomware Group

Keep up to date with latest blog posts

While the Russian invasion of Ukraine continues, cybersecurity professionals and threats actors worldwide directly or indirectly show their support for either side. On February 27th, 2022, the Conti ransomware group, one of the most infamous ransomware operators, announced their support for Russia, causing conflict within the group. As a result, Ukrainian members of the Conti threat group leaked internal chats and log data. The leaked conversations in Conti leaks are dated between January 2021 and February 2022 and contain information and TTPs on the recent activities of the Conti group.

Figure 1: Conti Ransomware Group Pro-Russian Announcement [1]

In this blog post, we explained the TTPs and tools used by the Conti ransomware group in detail. 

TRY NOW: Simulate Conti Ransomware Group Attacks in minutes and gain a holistic view of your controls’ effectiveness against Conti Ransomware at all times

Conti Ransomware Group

Conti is a Ransomware-as-a-Service (RaaS) operator that sells or leases ransomware to their affiliate cyber threat actors. Conti ransomware group was first seen in October 2019; however, malware analysis and their TTPs indicate that they had been active since 2017 under different names such as Ryuk, Hermes, CryptoTech and Wizard Spider. For example, Ryuk and Conti ransomware uses the same bitcoin wallet address for ransom payments creating a direct link between two groups. The Conti RaaS group is also affiliated with other cyber-criminal groups such as TrickBot, Emotet and BazarLoader for distribution of their ransomware [2].

Recent leaks show that the Conti ransomware group has collected more than 2.7 Billion USD as ransom payment between April 2017 and February 2022 [3].

Tools Used By Conti RaaS Group

MITRE ATT&CK TA0004 - Privilege Escalation

  • dazzleUP: A scanner for privilege escalation vulnerabilities [4]
  • PEASS-ng: Multi-platform privilege escalation framework [5]
  • Watson: A scanner for missing updates that lists privilege escalation vulnerabilities [6]

MITRE ATT&CK TA0006 - Credential Access

  • Invoke-SMBAutoBrute: A PowerShell script for brute-forcing to acquire credentials [7]
  • Net-GPPPassword: Plaintext credential and data collector [8]
  • SharpChromium: Data extraction tool for Google Chrome and Microsoft Edge that collects cookies, history, and login credentials. [9]

MITRE ATT&CK TA0007 - Discovery

  • ADfind.exe: A command-line tool that queries Active Directory and collects information about users, networks, and systems in the network [10].
  • BloodHound: Active Directory mapping tool that gives possible attack paths [11]
  • Invoke-Kerberoast: A PowerShell script for MITRE ATT&CK T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [12]
  • NtdsAudit: A tool that audits Active Directory databases [13]
  • PowerTools: A collection of offensive PowerShell scripts for network discovery and privilege escalation. [14]
    • ShareFinder: A PowerShell script in PowerTools that searches and lists shared files.
  • Rubeus: Open-source toolset for raw Kerberos interaction and abuses [15]. 
  • Seatbelt: A project that performs safety checks security posture of the host [16]
  • SharpView: .NET port of PowerView, a PowerShell script for AD [17]
  • WinPwn: A PowerShell script for automated penetration testing for Windows [18]

MITRE ATT&CK TA0011 - Command and Control

  • AnyDesk: A remote desktop tool [19]
  • ngrok: A tool that exposes local servers to public internet [20]

MITRE ATT&CK TA0010 - Exfiltration

  • Filezilla: A tool for data exfiltration using FTP services [21].
  • Mega: A cloud storage service that is abused for data exfiltration [22].
  • rclone: A command-line tool for data exfiltration using cloud storage services [23]

How Picus Helps Simulate Conti Ransomware Group Attacks?

Using the Picus Continuous Security Validation Platform, you can test your security controls against the Conti ransomware attacks. We advise you to simulate Conti attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats to simulate attacks and malicious tools used by the Conti ransomware group.

Simulate Conti Ransomware Group Attacks in minutes Now

Threat ID

Action Name

Attack Module

99469

Conti Ransomware Email Threat

Email Infiltration (Phishing)

93900

Conti Ransomware Download Threat

Network Infiltration

75084

Bazarcall Dropping Conti Ransomware Campaign 2021

Endpoint

39619

Ryuk Ransomware Email Threat

Email Infiltration (Phishing)

55678

Ryuk Ransomware Download Threat

Network Infiltration

28380

Ryuk Ransomware Campaign 2020

Endpoint

51963

Hermes Ransomware Email Threat



Email Infiltration (Phishing)

41632

Hermes Ransomware Download Threat

Network Infiltration

55963

Hermes 2.1 Ransomware Email Threat



Email Infiltration (Phishing)

43894

Hermes 2.1 Ransomware Download Threat

Network Infiltration

MITRE ATT&CK TTPs used by Conti Ransomware Group

T1016 System Network Configuration Discovery

T1018 Remote System Discovery

T1021.002 Remote Services: SMB/Windows Admin Shares

T1027 Obfuscated Files or Information

T1049 System Network Connections Discovery 

T1055.001 Process Injection: Dynamic-link Library Injection 

T1057 Process Discovery 

T1059.003 Command and Scripting Interpreter: Windows Command Shell

T1078 Valid Accounts

T1080 Taint Shared Content 

T1083 File and Directory Discovery 

T1106 Native API

T1110 Brute Force 

T1133 External Remote Services

T1135 Network Share Discovery 

T1140 Deobfuscate/Decode Files or Information

T1190 Exploit Public Facing Application

T1486 Data Encrypted for Impact 

T1489 Service Stop 

T1490 Inhibit System Recovery 

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 

T1566.001 Phishing: Spearphishing Attachment

T1566.002 Phishing: Spearphishing Link 

T1567 Exfiltration over Web Service

Indicators of Compromise (IOCs)

MD5

SHA-1

SHA-256

215e0accdf538d48a8a7bf79009e8f9b

4ff45fb8003ab1075bdbbc9d044b7c31374f3cdb

24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9

136bd70f7aa98f52861879d7dca03cf2

fadd8d7c13a18c251ded1f645ffea18a37f1c2de

501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe

083a7886ffd1a916a3991ec80c5e056b

ac30ef599ba025908f5a971abf8ba640d5bd5368

1e9962a003e423c0bd217ea674754e4d683df8749575302156f9f3e28f3fe6da

259867ec1a01713f644689c3582f9110

7ae788775375844e9239517754b011197452e320

12017410b5fc6c921f932c4a355b78773060d49ec31d94640dfc29f74a470a3e

6c500ff41b6680d5eb77961a8ddcba81

e1ba106e4217e76f98cd1ac8c30072c2a6846dbc

b421d126e1d510d757d4e3a0c0358951f020ca79bfacc4d531ef46e4ca45680f

7253637a098e7532216e59e8d82c0858

bcb9b1abb121f515e34c987d3587b32887aa59d5

b860741a19e9e5e67bc61a31c4a47d567e80f5c1a6e4958f870c1db491fd922e

2f9f2935c04de61146751ab478ae7401

e9a22644122ffc92cbb5577af397a9b99738e332

9c3f2a3170535d3a9532fabc0089fc7c010304ed9e880b78d18fbe908f6c1fa5

0dedfa96043208167f8deb5cc652909a

fc0efd612ad528795472e99cae5944b68b8e26dc

73d1283221b18ac00cdd1929d75aefe1275757cac85115a1b2b4bedd9b6d633f

e92f45e8639d751bfd6053dd9419d0b9

794eb3a9ce8b7e5092bb1b93341a54097f5b78a9

9067fa96c3f7249241d50425f1198a36c6c23578f14bf501a1664a501f088d69

41db0c2202d64e967fd6789f00c576fa

9dfce70fded4f3bc2aa50ca772b0f9094b7b1fb2

92796e61f7a47521210edfc5e7e2004975ede13b836787b07dde85f80750b0ff

ab64b81540af03005987307b784da30b

24d4bbc982a6a561f0426a683b9617de1a96a74a

5de47f786534c1fbe8173ac71ab48602fe3462baed77eea70f2b59231ffa69c0

197e526a91e1a978dbdac0abc3bfea97

32baad03bbcf6c42250a723ab78961fea1fbe8b8

87e6f7b20ea2bd35d947d9100fe6291dfe186cfedea5d451be14bab5d2518e89

c59fc0a33f3d6528a351dd80461f2388

18a0142bca40a750f3c58cb59a4c885369b93f70

7d486d00294e5967c92a0e5fe92d8ac17942e9471b818364f318afd273c28d4f

a39aed88ea19af29a6876e74422e6e05

bd4aa42ae861ff6ecd93c6698b3f4226000bc854

5fe77db174a5206b5387e2b86255bd008966b44632925351d9b3983438004eb1

811c6de9ce787c8d540a09795a5673c1

604eb2e2d9573143730210fd57bda01c59447080

73bd8c2aa71f5dcd9d2ddd79e53656c6ae3db2535e08cf9dab1cd13bdd6d5ea3

237eee069c1df7b69cee2cc63dee24e6

d957385b6a8581da7962ef501e9e95773ab28341

bcb96251c3e747c0deabadfecc4e0ca4f56ca30f8985cae807ca2ff29099d818

254caeddba73aa4d1bb425c5274176d2

728711076a9e04b5e1e0010045e477d3515356b5

a5a0964b1308fdb0aeb8bd5b2a0f306c99997c7c076d66eb3ebcdd68405b1da2

f84435880c4477d3a552fb5e95f141e1

6f65b37b19313e97d927d6dfa62ec6abeb481de7

8217e5503b34f55edfa9266236c1d88885cbc06276f97b4c1374d679e289d206

65bd3d860aaf8874ab76a1ecc852a570

f860ba320172c9e67abd3cee880bab911a7a1ef8

b78682d960385bdd0fe5db9c631f0f38607a3d09a08ddd4024e4922c01cc0533

61075faba222f97d3367866793f0907b

cc033c3bf41550563a180444b6166515faa53c3a

059aab1a6ac0764ff8024c8be37981d0506337909664c7b3862fc056d8c405b0

62217af0299d6e241778adb849fd2823

4172d4a5444100018c23f8708c947344bd28174d

851032eb03bc8ee05c381f7614a0cbf13b9a13293dfe5e4d4b7cd230970105e3

0dd7da89b7d1fe97e669f8b4156067c8

6b3147f45c9c2bd5072548121a263060112f3d0f

8dcca8c720fdb9833455427cd9b2146e2e9581e3bc595e8d97e562854133542b

b27881f59c8d8cc529fa80a58709db36

d08573c5e825b7beeb9629d03e0f8ff3cb7d1716

e08fc761cc22953de7fcc1684b7424755fa52f361dd5c6605b1469a80cb858bb

29f99f63c076a29db46ada694a2201d3

26600a8c25b03602f4c4cf47e83c988638b4908a

5e2c9ec5a108af92f177cabe23451d20e592ae54bb84265d1f972fcbd4f6a409

dc83bab1982a5418b9ee448415317500

3cae79a79f225897ce306c9574b1444255b82317

ac648d11f695cf98993fa519803fa26cd43ec32a7a8713bfa34eb618659aff77

ebcadf583bfc61ebb3dd8a119527d829

259be1414a0ac7892dddea0259b41094150b8d3d

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe

547f87db796b69e28453b142e9da9ed4

019faca2d3d5675a6d6bbcd00629c8fe33d54705

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd

e8c26344b4adb62a9a42cf6480c88d05

41f926e43e9686382f8c84da42880c47999645fb

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5

b2a8e087a58b7ae25ac3c85f8d468ebb

d3d39b86f3fafde2c21f4d304a04ad579965f19e

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c

6a3b792208bd433a2ceff4f8321561a0

e022378afd69b873d30f69046d2a3172db67cbda

56dfa8ada6f56b7db91b22f14682edc49f9eada2d4cd0b0273dd0365028adab2

c130eba9ff855403a69ec4adc6ae5db0

71c0f3213e23fc9f1c0c5d14c0095c6b59aa7446

90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882

29340643ca2e6677c19e1d3bf351d654

1581fe76e3c96dc33182daafd09c8cf5c17004e0

113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec

cb0c1248d3899358a375888bb4e8f3fe

b72e75e9e901a44b655a5cf89cf0eadcaff46037

1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

d348f536e214a47655af387408b4fca5

13f11e273f9a4a56557f03821c3bfd591cca6ebc

3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4

86c314bc2dc37ba84f7364acd5108c2b

ad20c6fac565f901c82a21b70f9739037eb54818

9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2

958c594909933d4c82e93c22850194aa

d7c5fa9df1c79a7d0c178d0b7a2fe6d104d35278

b8e463789a076b16a90d1aae73cea9d3880ac0ead1fd16587b8cd79e37a1a3d8

c0d6a263181a04e9039df3372afb8016

50bf85255e28e42548d46b60f085c17f3675a208

0b1008d91459937c9d103a900d8e134461db27c602a6db5e082ab9139670ccb6

d13d77d69cc8bf65e65ed132fc110bd2

dd091733f3fea3b433906396948ca31b003b8305

b895399bdd8b07b14e1e613329b76911ebe37ab038e4b760f41e237f863b4964

52a2853357e1f5fffaccfe3807a10593

6daaabe57e551e792179d2374059e3cab18fcd12

fe55650d8b1b78d5cdb4ad94c0d7ba7052351630be9e8c273cc135ad3fa81a75

90f3cafc5a6eb0ec426155e66998c45f

20db9501e55a4c8d645e707a8d534c5dbcfa94e1

85e5aff9b169657ba912f4edc019e2d38dd3c3fb2be187309dd65d4ae8732529

Reference

[1] C. Cimpanu, “Conti ransomware gang chats leaked by pro-Ukraine member,” The Record by Recorded Future, Feb. 28, 2022. [Online]. Available: https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/.

[2] “[Conti] Ransomware Group In-Depth Analysis.” [Online]. Available: https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis.

[3] “[No title],” Twitter. [Online]. Available: https://twitter.com/vxunderground/status/1498394338027610124?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1498394338027610124%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.techtarget.com%2Fsearchsecurity%2Fnews%2F252514047%2FConti-ransomware-source-code-documentation-leaked.

[4] hlldz, “GitHub - hlldz/dazzleUP: A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems,” GitHub. [Online]. Available: https://github.com/hlldz/dazzleUP

[5] carlospolop, “GitHub - carlospolop/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors),” GitHub. [Online]. Available: https://github.com/carlospolop/PEASS-ng

[6] rasta-mouse, “GitHub - rasta-mouse/Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities,” GitHub. [Online]. Available: https://github.com/rasta-mouse/Watson.

[7] Shellntel, “scripts/Invoke-SMBAutoBrute.ps1 at master · Shellntel/scripts,” GitHub. [Online]. Available: https://github.com/Shellntel/scripts.

[8] outflanknl, “GitHub - outflanknl/Net-GPPPassword: .NET implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences,” GitHub. [Online]. Available: https://github.com/outflanknl/Net-GPPPassword.

[9] djhohnstein, “GitHub - djhohnstein/SharpChromium: .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins,” GitHub. [Online]. Available: https://github.com/djhohnstein/SharpChromium

[10] “AdFind.” [Online]. Available: http://www.joeware.net/freetools/tools/adfind/index.htm

[11] BloodHoundAD, “GitHub - BloodHoundAD/BloodHound: Six Degrees of Domain Admin,” GitHub. [Online]. Available: https://github.com/BloodHoundAD/BloodHound

[12] EmpireProject, “Empire/Invoke-Kerberoast.ps1 at master · EmpireProject/Empire,” GitHub. [Online]. Available: https://github.com/EmpireProject/Empire

[13] Dionach, “GitHub - Dionach/NtdsAudit: An Active Directory audit utility,” GitHub. [Online]. Available: https://github.com/Dionach/NtdsAudit.

[14] darkoperator, “GitHub - darkoperator/Veil-PowerView: Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains,” GitHub. [Online]. Available: https://github.com/darkoperator/Veil-PowerView

[15] GhostPack, “GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog,” GitHub. [Online]. Available: https://github.com/GhostPack/Rubeus.

[16] GhostPack, “GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey ‘safety checks’ relevant from both offensive and defensive security perspectives,” GitHub. [Online]. Available: https://github.com/GhostPack/Seatbelt

[17] tevora-threat, “GitHub - tevora-threat/SharpView: C# implementation of harmj0y’s PowerView,” GitHub. [Online]. Available: https://github.com/tevora-threat/SharpView

[18] S3cur3Th1sSh1t, “GitHub - S3cur3Th1sSh1t/WinPwn: Automation for internal Windows Penetrationtest / AD-Security,” GitHub. [Online]. Available: https://github.com/S3cur3Th1sSh1t/WinPwn

[19] “The Fast Remote Desktop Application –,” AnyDesk. [Online]. Available: https://anydesk.com/en

[20] inconshreveable, “ngrok - secure introspectable tunnels to localhost.” [Online]. Available: https://ngrok.com/

[21] “FileZilla - The free FTP solution.” [Online]. Available: https://filezilla-project.org.

[22] “MEGA.” [Online]. Available: https://mega.io/

[23] N. Craig-Wood, “Rclone.” [Online]. Available: https://rclone.org.

Subscribe

Keep up to date with latest blog posts