{
	"id": "a68da3d8-484c-4f45-ab75-17ec92521b34",
	"created_at": "2026-04-10T03:21:53.255261Z",
	"updated_at": "2026-04-10T03:22:19.434868Z",
	"deleted_at": null,
	"sha1_hash": "07d2dbc4d99c0baab117719dd9fc3f3e0463370b",
	"title": "Despite Leaks, Conti Ransomware Attacks Persist | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 778181,
	"plain_text": "Despite Leaks, Conti Ransomware Attacks Persist | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2022-03-25 · Archived: 2026-04-10 02:20:27 UTC\r\nIn late January 2022, ThreatLabz identified an updated version of Conti ransomware as part of the global\r\nransomware tracking efforts. This update was released prior to the massive leak of Conti source code and chat\r\nlogs on February 27, 2022. The leaks were published by a Ukrainian researcher after the invasion of Ukraine.\r\nHowever, since these leaks were published, the Conti gang has continued to attack organizations and conduct\r\nbusiness as usual. While two versions of Conti source code have been leaked, the most recent ransomware code\r\nhas not yet been leaked. This blog will highlight the most recent changes to the ransomware and how Conti\r\nimproved file encryption, introduced techniques to better evade security software, and streamlined the ransom\r\npayment process.\r\nTechnical Analysis\r\nThe most recent Conti update introduced a number of new features and changes to the ransomware code. 
Some of\r\nthese modifications include new command-line arguments that are listed in Table 1.\r\nCommand-Line Argument  Description\r\n-log  Previously used to log ransomware actions; this functionality has been removed, but the command-line switch remains an artifact from the previous version\r\n-path  Start encryption using the specified path as the root directory\r\n-size  Size parameter for large file encryption\r\n-mode  Encryption mode local (disks) or net (network shares); the all and backups options were removed\r\n-user  Log in to Windows Safe Mode as the specified user\r\n-pass  Log in to Windows Safe Mode as the user with the corresponding password\r\n-safeboot  Force reboot the system and launch Conti in Windows Safe Mode\r\n-disablesafeboot  Disable Windows Safe Mode and reboot the system (used after file encryption occurs in Windows Safe Mode)\r\n-nomutex  Previously used to prevent the creation of a mutex; currently unused\r\nTable 1. Conti command-line arguments updated in January 2022\r\nhttps://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks\r\nPage 1 of 9\n\nThe functionality for the command-line arguments -log and -nomutex was removed. The new command-line\r\nparameters that were added are related to features that enable Conti to reboot the system in Windows Safe Mode\r\nwith networking enabled and then start file encryption. By booting in Safe Mode, Conti can maximize the number\r\nof files that are encrypted, because business applications such as databases are likely not running. Therefore, those\r\napplications will not have open file handles that could prevent file encryption. In addition, many security software\r\napplications (e.g., antivirus programs) will not be loaded by default when the system is running in Safe Mode. 
The\r\nability to encrypt files in Windows Safe Mode is a feature that has been observed in other ransomware families\r\nincluding REvil and BlackMatter.\r\nIf the -safeboot command-line argument is provided together with the -user and -pass parameters, Conti will use\r\nthese values to automatically log in with the specified credentials when the system is rebooted into Safe Mode.\r\nThis is performed by setting the registry values under HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Winlogon to the following:\r\nAutoAdminLogon = 1\r\nDefaultUserName =\r\nDefaultDomainName =\r\nDefaultPassword =\r\nThe -user argument is expected to be in the format: \\.\r\nIf the -safeboot command-line argument is passed by itself (without the -user and -pass parameters), Conti will\r\nsearch for users that have administrator privileges by searching for the security identifier (SID) prefix S-1-5-21\r\nwith the relative identifier (RID) -500.\r\nIf Conti is able to locate an administrator account, Conti will execute the command cmd.exe /c net user\r\n/active:yes to make sure the account is enabled. Conti will then attempt to change the password for this account to\r\nan empty string by executing the command cmd.exe /c net user \"\". The corresponding registry values will then\r\nbe set to automatically log in as the administrator in Safe Mode when the system is rebooted. Figure 1 shows\r\nexample registry values set after an administrator account has been set up to automatically log in.\r\nFigure 1. Example Windows registry modifications made by Conti to automatically log in as an administrator\r\nIn order to execute Conti when the system is booted into Safe Mode, a registry value is created under\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce with the name *conti and\r\nthe value -disablesafeboot. 
\r\nConti then executes the command bcdedit.exe /set {current} safeboot network and forces a system reboot by\r\ncalling the Windows API function ExitWindowsEx(). This will launch Windows in Safe Mode with networking\r\nenabled as shown in Figure 2. The network mode is enabled so that Conti can still be used to encrypt files on\r\nnetwork shares.\r\nFigure 2. Conti booting Windows into Safe Mode with networking enabled to encrypt files\r\nAfter Conti has completed file encryption in Safe Mode, it executes the command bcdedit.exe /deletevalue\r\n{current} safeboot and reboots the system. Conti's file encryption algorithms remain the same as previous\r\nversions with a per-file random 256-bit ChaCha symmetric key. Each file's ChaCha key is protected by a\r\nhardcoded victim-specific 4,096-bit RSA public key.\r\nThe new Conti update also added the ability to change desktop wallpaper by writing an embedded PNG file to\r\nC:\\ProgramData\\conti.png. An example of the Conti wallpaper image is shown in Figure 3.\r\nFigure 3. Conti PNG image used to set the victim’s desktop wallpaper after file encryption\r\nThe feature to change the wallpaper after file encryption is very common among ransomware families to further\r\nattract the attention of victims.\r\nIn order to hinder malware analysis, Conti dynamically resolves most Windows API functions by using a hash\r\nalgorithm. In the previous version of Conti, the hash algorithm was Murmur2, while the latest version now uses\r\nMurmur3. 
This produces different hash values for all API functions that are used by Conti, which may evade\r\nsecurity software that searches for the corresponding hash values.\r\nConti also updated the encrypted file extensions to include uppercase and lowercase characters and numbers. The\r\nfollowing file extension examples have been observed in recent Conti samples:\r\n.ZG7Ak\r\n.wjzPe\r\n.LvOYK\r\n.C5eFx\r\n.fgM9X\r\nThis encrypted file extension modification may be designed to bypass endpoint security software that could\r\nidentify the previous Conti ransomware pattern that used five uppercase letters.\r\nConti also updated the ransom note and TOR hidden service URL. An example of a recent Conti ransom note is\r\nshown below:\r\nAll of your files are currently encrypted by CONTI strain. If you don't know who we are - just \"Googl\r\nAs you already know, all of your data has been encrypted by our software.\r\nIt cannot be recovered by any means without contacting our team directly.\r\nDON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage o\r\nif you want to try - we recommend choosing the data of the lowest value.\r\nDON'T TRY TO IGNORE us. 
We've downloaded a pack of your internal data and are ready to publish it on\r\nSo it will be better for both sides if you contact us as soon as possible.\r\nDON'T TRY TO CONTACT feds or any recovery companies.\r\nWe have our informants in these structures, so any of your complaints will be immediately directed to\r\nSo if you will hire any recovery company for negotiations or send requests to the police/FBI/investig\r\nTo prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely\r\nYou can contact our team directly for further instructions through our website :\r\nTOR VERSION :\r\n(you should download and install TOR browser first https://torproject[.]org)\r\nhttp://contirec7nchr45rx6ympez5rj...vaeywhvoj3wad[.]onion/\r\nYOU SHOULD BE AWARE!\r\nWe will speak only with an authorized person. It can be the CEO, top management, etc.\r\nIn case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious\r\nInform your supervisors and stay calm!\r\nThe new Conti ransom note is streamlined with a direct link to a victim-specific chat portal. Prior versions\r\nrequired a victim to access the portal and then upload their ransom note, which contained a unique identifier. A\r\ncopy of this Conti ransom note can be found in the ThreatLabz ransom note GitHub repository here.\r\nThe latest Conti portal contains a landing page that instructs the user to follow the instructions in the\r\nREADME.txt file that is written to disk after file encryption. It no longer supports a victim uploading the ransom\r\nnote to authenticate as shown in Figure 4.\r\nFigure 4. 
Updated Conti ransom portal landing page\r\nConclusion\r\nIn January 2022, Conti introduced new features to bring feature parity with other ransomware families including\r\nthe ability to encrypt files in Windows Safe Mode and change the desktop wallpaper. Despite the group's source\r\ncode and chat logs being leaked online in February 2022, Conti continues to conduct ransomware attacks against\r\nlarge organizations. ThreatLabz expects the Conti gang to further update the malware and potentially rebrand as\r\nthe source code leaks have damaged their reputation and may lead to other criminal groups forking the code.\r\nZscaler Cloud Sandbox Detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the\r\ncampaign at various levels with the following threat names:\r\nWin32.Ransom.Conti\r\nWin64.Ransom.Conti\r\nIndicators of Compromise\r\nSHA256  Description\r\nfca8d48afa7e5535fb71fd22225e86602d47dcfa5a4924fcbc33aecd9c945847  Conti ransomware\r\n16cc7519945bace49ef729e69db7d19e00252f2bd559903e1631c8878c2360f4  Conti ransomware\r\ne6818bf8c6d20501485fc0cc644d33fcea4bd9a3b45c5d61e98317bda5c080c4  Conti ransomware\r\n182f94d26de58b8b02ddf7223f95d153b5e907fa103c34ed76cae2c816f865f0  Conti ransomware\r\ne950c625a94ce9e609778fcc86325530774e45572ff58ebc6549e2627941b5cc  Conti ransomware\r\nAbout ThreatLabz\r\nThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats\r\nand ensuring that the thousands of organizations using the global Zscaler platform are always protected. 
In\r\naddition to malware research and behavioral analysis, team members are involved in the research and\r\ndevelopment of new prototype modules for advanced threat protection on the Zscaler platform, and regularly\r\nconduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance\r\nstandards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its\r\nportal, research.zscaler.com.\r\nSource: https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks"
	],
	"report_names": [
		"conti-ransomware-attacks-persist-updated-version-despite-leaks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791313,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07d2dbc4d99c0baab117719dd9fc3f3e0463370b.pdf",
		"text": "https://archive.orkl.eu/07d2dbc4d99c0baab117719dd9fc3f3e0463370b.txt",
		"img": "https://archive.orkl.eu/07d2dbc4d99c0baab117719dd9fc3f3e0463370b.jpg"
	}
}