{
	"id": "31ef6cd7-9d09-4c14-86f1-15961899195b",
	"created_at": "2026-04-06T00:08:43.518128Z",
	"updated_at": "2026-04-10T13:11:54.947649Z",
	"deleted_at": null,
	"sha1_hash": "00ab63063aa15f66ef2146d3d5434eee8b42823e",
	"title": "Cybereason vs. Conti Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1666406,
	"plain_text": "Cybereason vs. Conti Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 18:23:42 UTC\r\nConti is a relatively new player in the ransomware field. Since first emerging in May 2020, the ransomware operators (aka.\r\nthe Conti Gang) claim more than 150 successful attacks, which equates to millions of dollars in extortion fees.\r\nLike other ransomware syndicates that have emerged recently, the Conti gang follows the growing trend of double extortion:\r\nthey steal sensitive files and information from their victims and later use it to extort their victims by threatening to publish\r\nthe data unless the ransom is paid.\r\nKey Details\r\nEmerging Threat: In a short amount of time, Conti ransomware has caused a great deal of damage and made headlines\r\nacross the world.\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the\r\nattacks\r\nLow-and-Slow: Prior to the deployment of the ransomware, the attackers attempt to infiltrate and move laterally throughout\r\nthe organization, carrying out a fully-fledged hacking operation, or RansomOp.\r\nRapid Development Cycle: In just a few months, the Conti gang has released 3 new versions of the ransomware, improving\r\nthe malware in each version.\r\nThe Successor of Ryuk: The Conti Gang collaborated with the TrickBot Gang, which are now using Conti as their\r\nransomware of choice.\r\nSpreading across the network: Conti is not satisfied with causing damage to just the infected machines. 
Instead, it spreads\r\nin the network via SMB and encrypts files on remote machines as well.\r\nDetected and Prevented: The Cybereason Defense Platform fully detects and prevents the Conti ransomware.\r\nSimilar to ransomware such as Egregor (“Egregor News”) and Maze (“Maze News”), the Conti Gang has its own website,\r\n“Conti News,” which stores a list of its victims, and it is where the gang publishes the stolen data:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-conti-ransomware\r\nPage 1 of 8\n\nConti News website\r\nConti is a very destructive threat. Besides the double extortion that puts information and reputation at risk, the Conti\r\noperators equip it with a spreading capability, which means that Conti not only encrypts the files on the infected host but\r\nalso spreads via SMB and encrypts files on other hosts, potentially compromising the entire network. The rapid\r\nencryption routine takes just a few seconds to minutes due to its use of multithreading, which also makes it very difficult to\r\nstop once the encryption routine starts.\r\nAnother major factor that contributes to the popularity of Conti is the collaboration with the TrickBot Gang. Conti is sold as\r\na Ransomware-as-a-Service in underground forums to exclusive buyers and partners such as the TrickBot gang, which\r\nreplaced Ryuk and adopted Conti as their new ransomware of choice.\r\nIn addition to the sophisticated capabilities and the collaboration with the TrickBot gang, the increased number of Conti\r\nattacks against big companies such as Advantech, which was extorted for $13.8M, and other attacks against big North\r\nAmerican-based companies as listed in this article, contributed to Conti making its way into the news this year. 
With a rapid\r\ndevelopment cycle that keeps the malware up-to-date and equipped with advanced capabilities, along with the promotion\r\ndone by the TrickBot gang, it is no wonder that Conti is referred to as the successor of Ryuk.\r\nBreaking Down the Attack\r\nFrom Bazar Backdoor to Ransomware\r\nThe TrickBot Gang was known to use their infamous TrickBot malware to start interactive hacking operations and deploy\r\nsecondary payloads such as Ryuk and Anchor. Earlier this year, the group shifted to using the Bazar backdoor to launch an\r\ninteractive attack and deploy Ryuk, and since July 2020 their favored ransomware has been Conti.\r\nAlthough the payloads and tools of the TrickBot Gang have changed over time, the initial infection vector for the Bazar\r\nloader and backdoor has remained the same: a phishing email containing a link to Google Drive which stores the payload:\r\nConti attack diagram - from Bazar to ransomware\r\nRapid Development Cycle\r\nSince Conti was first discovered in July 2020, three different versions have been observed. With each new version, the Conti\r\nGang added more capabilities which make the ransomware more dangerous and destructive. 
The following table\r\nsummarizes the main changes between the three versions:\r\nEarliest to oldest creation times (based on VT)\r\n  Version 1: 2020-05-29, 2020-08-18\r\n  Version 2: 2020-10-09, 2020-10-21\r\n  Version 3: 2020-11-06, 2020-12-07\r\nRansom note file name\r\n  Version 1: Conti_readme.txt\r\n  Version 2: CONTI.txt, R3adm3.txt, readme.txt\r\n  Version 3: readme.txt\r\nExtension\r\n  Version 1: .CONTI\r\n  Version 2: Changes per sample\r\n  Version 3: Changes per sa\r\nMutex\r\n  Version 1: _CONTI_\r\n  Version 2: lslaif8aisuuugnzxbvmdjk\r\n  Version 3: Kjkbmusop9iq, ojkxjfsu81209\r\nEmbedded emails / URLs\r\n  Version 1: flapalinta1950@protonmail.com, xersami@protonmail.com, Ksarepont@protonmail.com\r\n  Version 2: http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid[.]onion, https://contirecovery[.]info\r\n  Version 3: http://m232fdx, https://contirec, https://contirec\r\n  Further embedded addresses listed in the table: cokeremie@protonmail.com, hawhunrocu1982@protonmail.com, consfronepun1983@protonmail.com, viegesobou1977@protonmail.com, hardsandspikab1971@protonmail.com, stargoacompte1970@protonmail.com, muddkarhersmo1973@protonmail.com, versmohubfast1972@protonmail.com, ceslingvafi1973@protonmail.com, Andrea.Davis.1989@protonmail.com, forrestdane79@protonmail.com, heibeaufranin1, polzarutu1982, niggchiphoter1\r\nForm\r\n  Version 1: An independent executable\r\n  Version 2: An independent executable; Loader + DLL\r\n  Version 3: An independen; Loader + DLL\r\nSpreading via SMB\r\n  Version 1: Spreading via SMB if instructed by command line arguments.\r\n  Version 2: Spreading via SMB even without command line arguments.\r\n  Version 3: Spreading via\r\nUnique\r\n  Version 1: Not using a website, just an email\r\n  Version 2: Observed the use of icons; PDB: A:\\source\\cont\r\n  Version 3: Observed the u\r\nRansom Note\r\n  (screenshots of the ransom notes)\r\nConti Ransomware Execution\r\nThis section focuses on version 2 and version 3. As mentioned in the table above, version 3 has two forms - one is an\r\nindependent executable, and the other is a loader that loads a DLL from the resources section and executes it. 
Even before\r\ndoing any static or dynamic analysis, we can use VirusTotal to determine that the resources section probably contains more\r\ndata, in this case an encrypted DLL that is loaded into memory:\r\nScreenshot of VirusTotal file’s section information\r\nThe APIs for interacting with the resources are dynamically resolved using GetProcAddress:\r\nDynamically resolved API used to interact with the resources\r\nThe loader then decrypts the payload using a hardcoded key, and loads it into memory:\r\nDecryption key of the Conti payload\r\nOnce the DLL is loaded, Conti starts its encryption and spreading routines. The ransomware scans the network for SMB\r\n(port 445). If it finds any shared folders it can access, it will try to encrypt the files on the remote machines as well:\r\nWireshark pcap of Conti spreading via SMB\r\nConti uses a multithreading technique to encrypt all the files quickly. This routine takes seconds to just a few minutes depending\r\non the number of files on the machine. 
Each sample has a unique extension that the malware adds to the encrypted files.\r\nWhile using Cybereason with prevention mode off to allow investigation of the ransomware execution, it is possible to see\r\nthe encryption activity and the creation of new files:\r\nFile Events feature in the Cybereason Defense Platform shows the encryption of the files\r\nAfter the files are encrypted, the malware leaves the ransom note in every folder, making sure it is noticeable to the victim.\r\nThe Conti Gang usually sets a deadline for the victim to pay the ransom, and if the deadline passes without payment, they\r\nleak the victim data on their website “Conti News.”\r\nCybereason Detection and Prevention\r\nThe Cybereason Defense Platform is able to prevent the execution of Conti Ransomware using multi-layer protection that\r\ndetects and blocks malware with threat intelligence, machine learning, and next-generation antivirus (NGAV) capabilities. Additionally,\r\nwhen the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent\r\nany attempt to encrypt files and generate a Malop™ for it:\r\nRansomware Malop triggered due to the malicious activity\r\nUsing the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason\r\nDefense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted\r\nfiles. 
The prevention is based on machine learning, which blocks samples with both known and unknown hashes:\r\nAnti-Malware alert - preventing Conti ransomware\r\nUser notification, blocking the execution of the ransomware on the endpoint\r\nSecurity Recommendations\r\n• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to\r\nPrevent - more information for customers can be found here\r\n• Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the\r\ndetection mode to Moderate and above - more information can be found here\r\n• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\n• Regularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to\r\nyour data\r\n• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering\r\n• Indicators of Compromise: Includes C2 domains, IP addresses, SHA-1 hashes of Docx files, and Msi files. 
Open the\r\nchatbot on the lower right-hand side of this blog to download your copy.\r\nMITRE ATT\u0026CK TECHNIQUES\r\nInitial Access: Phishing\r\nLateral Movement: Taint Shared Content\r\nDefense Evasion: Deobfuscate / Decode Files or Information; Masquerading; Modify Registry; Obfuscated Files or Information\r\nDiscovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Process Discovery; System Information Discovery\r\nCommand and Control: Commonly Used Port; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol\r\nImpact: Data Encrypted for Impact\r\nLior Rochberger\r\nLior is a senior threat researcher at Cybereason, focusing on threat hunting and malware research.\r\nLior began her career as a team leader in the security operations center in the Israeli Air Force, where she mostly focused on\r\nincident response and malware analysis.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and\r\nenterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies,\r\nreverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first\r\nto release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware"
	],
	"report_names": [
		"cybereason-vs.-conti-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00ab63063aa15f66ef2146d3d5434eee8b42823e.pdf",
		"text": "https://archive.orkl.eu/00ab63063aa15f66ef2146d3d5434eee8b42823e.txt",
		"img": "https://archive.orkl.eu/00ab63063aa15f66ef2146d3d5434eee8b42823e.jpg"
	}
}