{
	"id": "d8f901eb-f54c-4b1c-b40b-8914033bd7ce",
	"created_at": "2026-04-06T00:13:20.100917Z",
	"updated_at": "2026-04-10T13:12:10.812174Z",
	"deleted_at": null,
	"sha1_hash": "3cbe1effcd1b44949291cccde3351fa9cd362e6d",
	"title": "Conti Ransomware Gang: An Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67078,
	"plain_text": "Conti Ransomware Gang: An Overview\r\nBy Richard Hickman\r\nPublished: 2021-06-18 · Archived: 2026-04-05 14:08:12 UTC\r\nExecutive Summary\r\nConti ransomware stands out as one of the most ruthless of the dozens of ransomware gangs that we follow. The\r\ngroup has spent more than a year attacking organizations where IT outages can have life-threatening\r\nconsequences: hospitals, 911 dispatch carriers, emergency medical services and law enforcement agencies. Ireland\r\nhas yet to recover from an attack in mid-May that prompted the shutdown of the entire information technology\r\nnetwork of the nation's healthcare system – prompting cancellation of appointments, the shutdown of X-ray\r\nsystems and delays in COVID testing.\r\nConti also stands out as unreliable. We've seen the group stiff victims who pay ransoms, expecting to be able to\r\nrecover their data.\r\nThe FBI has connected Conti to more than 400 cyberattacks against organizations worldwide, three-quarters of\r\nwhich are based in the U.S., with demands as high as $25 million. This makes Conti one of the greediest groups\r\nout there.\r\nIf you think you may have been impacted, please email unit42-investigations@paloaltonetworks.com or call (866)\r\n4-UNIT42 to get in touch with the Unit 42 Incident Response team.\r\nConti Ransomware Overview\r\nWe’ve followed Conti for more than a year through our work helping organizations respond to ransomware\r\nattacks. It appears to be one of many private cybercrime groups that have set up their operations by leveraging the\r\nbooming ransomware-as-a-service (RaaS) ecosystem. Such gangs obtain their foothold in the networks of their\r\nvictims by purchasing access from other threat actors, who sell it as a commodity. They can also procure\r\ninfrastructure, malware, communications tools and money laundering from other RaaS providers. 
Most of these\r\nactors use the same methods of access found in many ransomware attacks, such as phishing emails and exploiting\r\nunprotected internet-facing applications, the lack of multi-factor authentication (MFA), as well as the typical\r\navenues used to preserve and enhance access once it’s achieved, such as through the use of Cobalt Strike or\r\nPowerShell.\r\nThese approaches are not particularly clever or sophisticated, but often they are effective. Conti’s methodology\r\noften follows the “double extortion” approach that many leading ransomware groups are presently using. When\r\nusing double extortion, attackers will not only lock up a victim’s files and demand ransom, but they will also steal\r\nfiles and threaten to publish them on a website or otherwise leak them if their initial ransom demand is not met.\r\nBut Conti’s methods do have atypical elements.\r\nhttps://unit42.paloaltonetworks.com/conti-ransomware-gang/\r\nPage 1 of 5\n\nUsually, the more successful ransomware operators put a lot of effort into establishing and maintaining some\r\nsemblance of “integrity” as a way of facilitating ransom payments from victims. They want to establish stellar\r\nreputations for “customer service” and for delivering on what they promise – that if you pay a ransom, your files\r\nwill be decrypted (and they will not appear on a leak website). Yet in our experience helping clients remediate\r\nattacks, Conti has not demonstrated any signs that it cares about its reputation with would-be victims.\r\nIn one recent case, Conti did not return a client’s files who had paid the ransom. This client got only a small\r\nfraction of the file restorations that were promised before the Conti ransomware representatives disappeared back\r\ninto the dark web. In another case, our client needed an inventory of all files accessed, so that they could notify\r\nparties whose data was affected. 
Conti agreed to share that information if a payment was made, then changed their\r\nminds, saying, “We do not own that data anymore. It was deleted and there is no chance to restore it.” Like many\r\nransomware gangs, Conti is constantly adapting to changes, including recent heightened scrutiny by law\r\nenforcement and policy makers following high-profile disruptive attacks on the Colonial pipeline and healthcare\r\norganizations. When Ireland's healthcare system refused to pay any ransom, Conti provided the agency with what\r\nit said was a free decryption key. But there was a twist: The group maintained that it would still make good on its\r\n\"double extortion\" threat to publish stolen data on its leak site.\r\nConclusion\r\nUnfortunately, keeping Conti out of your network often isn’t simple. A primary means of infection appears to be\r\nthrough phishing scams, and attackers are constantly upping their game in this area. While phishing emails used to\r\nbe pretty easy for almost anyone to spot, particularly after some awareness training, we are seeing increasingly\r\nsophisticated attacks in which the threat actors have done plenty of homework on their intended victims.\r\nSometimes they’ll send a blitz of scam emails to employees throughout an organization, and it takes only one to\r\nopen the attachment and release the malware into the network.\r\nRansomware attacks are getting easier to unleash, and the rewards to the attackers are still growing by leaps and\r\nbounds. 
Accordingly, it continues to be a growth industry that will attract multitudes of new practitioners, and it is\r\nlikely that high-profile targets will continue to fall.\r\nPalo Alto Networks detects and prevents Conti ransomware in the following ways:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for Conti ransomware.\r\nAnti-Ransomware Module to detect Conti ransomware encryption behaviors.\r\nLocal Analysis detection for Conti binaries.\r\nNext-Generation Firewalls: DNS Signatures detect the known Conti ransomware command and control\r\n(C2) domains, which are also categorized as malware in Advanced URL Filtering.\r\nAutoFocus: Tracking related activity using the Conti tag.\r\nUnit 42 Security Consulting: The Ransomware Readiness Assessment detects any hidden threats, tests for\r\npreparedness and provides remediation recommendations.\r\nAdditionally, Indicators of Compromise (IoCs) associated with Conti are available on GitHub, and have been\r\npublished to the Unit 42 TAXII feed.\r\nCourses of Action\r\nProduct / Service\r\nCourse of Action\r\nInitial Access\r\nThe below courses of action mitigate the following techniques:\r\nExploit Public-Facing Application [T1190], Spearphishing Attachment [T1566.001]\r\nThreat Prevention†\r\nEnsure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic\r\nEnsure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low and informational vulnerabilities\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nWildFire†\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\nEnsure that WildFire file size 
upload limits are maximized\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XSOAR\r\nDeploy XSOAR Playbook Cortex XDR - Isolate Endpoint\r\nDeploy XSOAR Playbook - Endpoint Malware Investigation\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nExecution\r\nThe below courses of action mitigate the following techniques:\r\nWindows Command Shell [T1059.003], Native API [T1106]\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nPrivilege Escalation, Defense Evasion\r\nThe below courses of action mitigate the following techniques:\r\nDeobfuscate/Decode Files or Information [T1140], Obfuscated Files or Information [T1027], Dynamic-link Library Injection [T1055.001]\r\nWildFire†\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XDR\r\nEnable Anti-Malware Protection\r\nEnable Anti-Exploit Protection\r\nDiscovery\r\nThe below courses of action mitigate the following techniques:\r\nFile and Directory Discovery [T1083], Network Share Discovery [T1135], Process Discovery [T1057],\r\nSystem Network Configuration Discovery [T1016], System Network 
Connections Discovery [T1049]\r\nCortex XDR\r\nXDR monitors for behavioral events via BIOCs along a causality chain to identify discovery behaviors*\r\nLateral Movement\r\nThe below courses of action mitigate the following techniques:\r\nSMB/Windows Admin Shares [T1021.002], Taint Shared Content [T1080]\r\nThreat Prevention†\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nCortex XDR\r\nEnable Anti-Malware Protection\r\nEnable Anti-Exploit Protection\r\nImpact\r\nThe below courses of action mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Inhibit System Recovery [T1490], Service Stop [T1489]\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\nCortex XDR\r\nEnable Anti-Malware Protection\r\nLook for the following BIOCs alerts to detect activity*: Manipulation of Volume Shadow Copy configuration\r\nTable 1. Courses of Action for Conti ransomware.\r\n†These capabilities are part of the NGFW security subscriptions service.\r\n* These analytic detectors will trigger automatically for Cortex XDR Pro customers.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/conti-ransomware-gang/"
	],
	"report_names": [
		"conti-ransomware-gang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cbe1effcd1b44949291cccde3351fa9cd362e6d.pdf",
		"text": "https://archive.orkl.eu/3cbe1effcd1b44949291cccde3351fa9cd362e6d.txt",
		"img": "https://archive.orkl.eu/3cbe1effcd1b44949291cccde3351fa9cd362e6d.jpg"
	}
}