{
	"id": "9664ebb1-15fd-435e-b31e-17ca3de4bbd0",
	"created_at": "2026-04-06T00:19:39.364937Z",
	"updated_at": "2026-04-10T03:24:39.585576Z",
	"deleted_at": null,
	"sha1_hash": "c3f5070b1ded532f554ec0ca809c81e702417e99",
	"title": "Conti Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1920676,
	"plain_text": "Conti Ransomware\r\nBy Ghanshyam More\r\nPublished: 2021-11-18 · Archived: 2026-04-05 19:49:20 UTC\r\nConti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use\r\nhas grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The Cybersecurity and Infrastructure\r\nSecurity Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning about Conti in Sept 2021, noting\r\nthat they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and\r\nEurope.\r\nThe most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. Phishing\r\nemails work either through malicious attachments, such as Word documents with an embedded macro that can be used to\r\ndrop/download BazarLoader, Trickbot, IceID trojans, or via social engineering tactics employed to get the victim to provide\r\nadditional information or access credentials. Following initial access, attackers download and execute a Cobalt Strike\r\nbeacon DLL to gather information about domain admin accounts. Additionally, threat actors use Kerberos attacks to attempt\r\nto get admin hash in order to conduct brute force attacks.\r\nA Conti affiliate recently leaked what has been dubbed the Conti playbook. The playbook revealed that Conti actors also\r\nexploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim’s network. They check\r\nfor the “PrintNightmare” vulnerability (CVE-2021-34527) in Windows Print spooler service, EternalBlue vulnerability\r\n(CVE-2017-0144) in Microsoft Windows Server Message Block, and the “Zerologon” vulnerability (CVE-2020-1472) in\r\nMicrosoft Active Directory Domain Controller. 
The playbook has been translated from Russian to English by security researchers and has provided other useful Indicators of Compromise (IoC).\r\nConti actors also use the RouterScan tool to identify router devices in a provided range of IPs and attempt to find logins/passwords from a standard list that ships with the RouterScan tool. They then install AnyDesk or Atera on the target machine to maintain an open communication channel. Like other ransomware attacks, Conti actors exfiltrate data from victims’ networks to cloud storage services like MEGA and then deploy the Conti ransomware. To upload data to cloud storage, Conti uses the open-source Rclone command-line software. They use a double extortion approach in which they demand a ransom to release the encrypted data and threaten to publicly release it if the ransom is not paid. They may also sell the data to the highest bidder.\r\nTechnical Details:\r\nConti ransomware uses obfuscation. The most notable use is to hide the various Windows API calls used by the malware. It is common for malware to look up API calls dynamically during execution instead of importing them statically: Conti first resolves the import module names, then decrypts the API names and obtains their addresses.\r\nFig. 1 De-obfuscation of Windows API\r\nConti uses a unique String Decryption Routine that is applied to almost every string or API name used by the malware, as shown in Fig. 2:\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware\r\nPage 1 of 9\r\nFig. 2 String Decryption Routine\r\nAfter obtaining the API addresses, it calls the CreateMutexA API with the mutex value “CONTI”, as shown below in Fig. 3:\r\nFig. 3 Create Mutex\r\nIt deletes Windows Volume Shadow Copies and also resizes the shadow storage for drives C to H:\r\nFig. 4 Deletes Windows Volume Shadow Copy\r\nNext, Conti executes commands to stop Windows services related to antivirus, security, backup, database, and email solutions:\r\nFig. 
5 Stop Potential Windows Services\r\nThe list below contains the names of the Windows services that Conti stops by calling the code in Fig. 5 in a loop:\r\nMSSQL$BKUPEXEC\r\nMSSQL$ECWDB2\r\nMSSQL$PRACTICEMGT\r\nMSSQL$PRACTTICEBGC\r\nMSSQL$PROD\r\nMSSQL$PROFXENGAGEMENT\r\nMSSQL$SBSMONITORING\r\nMSSQL$SHAREPOINT\r\nMSSQL$SOPHOS\r\nMSSQL$SQL_2008\r\nMSSQL$SQLEXPRESS\r\nMSSQL$SYSTEM_BGC\r\nMSSQL$TPS\r\nMSSQL$TPSAMA\r\nMSSQL$VEEAMSQL2008R2\r\nMSSQL$VEEAMSQL2008R2\r\nMSSQL$VEEAMSQL2012\r\nMSSQLFDLauncher\r\nMSSQLFDLauncher$PROFXENGAGEMENT\r\nMSSQLFDLauncher$SBSMONITORING\r\nMSSQLFDLauncher$SHAREPOINT\r\nMSSQLFDLauncher$SQL_2008\r\nMSSQLFDLauncher$SYSTEM_BGC\r\nMSSQLFDLauncher$TPS\r\nMSSQLFDLauncher$TPSAMA\r\nMSSQLSERVER\r\nMSSQLServerADHelper\r\nMSSQLServerADHelper100\r\nMSSQLServerOLAPService\r\nMySQL57\r\nAcronis VSS Provider\r\nAcronisAgent\r\nAcrSch2Svc\r\nAntivirus\r\nARSM\r\nAVP\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDeviceMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nBackupExecVSSProvider\r\nBedbg\r\nIISAdmin\r\nIMAP4Svc\r\nMfemms\r\nMfevtp\r\nMMS\r\nMozyprobackup\r\nMsDtsServer\r\nMsDtsServer100\r\nMsDtsServer110\r\nMSExchangeES\r\nMSExchangeIS\r\nMSExchangeMGMT\r\nMSExchangeMTA\r\nMSExchangeSA\r\nMSExchangeSRS\r\nmsftesql$PROD\r\nMSOLAP$SQL_2008\r\nMSOLAP$SYSTEM_BGC\r\nMSOLAP$TPS\r\nMSOLAP$TPSAMA\r\nDCAgent\r\nEhttpSrv\r\nEkrn\r\nEnterprise Client Service\r\nEPSecurityService\r\nEPUpdateService\r\nEraserSvc11710\r\nEsgShKernel\r\nESHASRV\r\nFA_Scheduler\r\nMcShield\r\nMcTaskManager\r\nMfefire\r\nKlnagent\r\nConti also leverages the Windows Restart Manager to close running applications and services in order to make their files available for encryption and to maximize the damage:\r\nFig. 6 Unlock files with Windows Restart Manager\r\nIt collects information about the drives and drive types present on compromised systems:\r\nFig. 7 Collect Drives Information\r\nAs shown in Fig. 8, Conti uses multi-threaded tactics. 
It calls the CreateIoCompletionPort API and creates multiple worker threads that wait for data on the completion port. Once the file listing is completed, it is passed to the worker threads. Utilizing the computing power of multi-core CPUs, the data is quickly encrypted:\r\nFig. 8 Implementation of Multi-threaded Processing\r\nFig. 9 Multiple Threads Perform File Encryption\r\nConti then iterates over files on the local system and on remote SMB network shares to determine what data to encrypt. It looks for folders and drives shared on remote systems using the NetShareEnum API. If a remote share is accessible, it encrypts the files present in that share:\r\nFig. 10 Getting Info of Remote Shares\r\nIt collects ARP cache information from the local system using the GetIpNetTable API. The ARP cache is a list of all the systems with which the computer recently communicated. It checks for “172.”, “192.168.”, etc., in the collected IP list. If an IP address is in a different range, it skips that system for encryption:\r\nFig. 11 Collect ARP Cache Information\r\nIt uses a per-file AES-256 encryption key together with a hard-coded RSA-4096 public key. As shown in Fig. 12, the 0x6610 parameter is used when calling the CryptGenKey API. 0x6610 is the value of the CALG_AES_256 identifier and is the only alg_id used:\r\nFig. 12 Create CALG_AES_256 Key\r\nConti has a unique feature that allows attackers to perform file encryption in command line mode:\r\nFig. 13 Command Line Mode of Operation\r\nModes of Operation\r\nConti accepts two command line options, --encrypt-mode and -h:\r\nFig. 14 Command Line --encrypt-mode Mode\r\n--encrypt-mode selects which files are encrypted. There are 3 options for its value: all, local, and network. 
By default, the ransomware runs with the all parameter:\r\nFig. 15 Command Line --encrypt-mode with Value all\r\nWith all, encryption is carried out for both local and network. network means that shared resources on the local network will be encrypted:\r\nFig. 16 Command Line --encrypt-mode Mode with Value local\r\nFig. 17 Command Line --encrypt-mode Mode with Value network\r\nIn command line -h mode, the parameter may contain the name of a file that lists the DNS and NetBIOS addresses of remote servers. The malware will then build a list of folders to ignore during encryption:\r\nFig. 18 Folders Ignored in Encryption\r\nIt skips the following extensions during encryption: .exe, .dll, .sys, .lnk, and .CONTI. It appends the file extension .CONTI and creates a ransom note named CONTI_README.txt in every folder to notify users about the infection:\r\nFig. 19 “.CONTI” Extension Appended to Files\r\nThe Ransom Note:\r\nThe ransom note and the note’s file information are present in the resource section of the malware files:\r\nFig. 20 Ransom Note Content\r\nFig. 21 Ransom Note Name\r\nIt calls the LoadResource API to get the ransom note-related information:\r\nFig. 22 Code to Collect Data Related to the Ransom Note\r\nThe ransom note contains 2 email addresses to get in touch with the attackers. The addresses are unique for each victim:\r\nFig. 
23 Ransom Note\r\nIoC:\r\neae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe\r\nTTP Map:\r\nInitial Access:\r\nValid Accounts (T1078)\r\nPhishing: Spearphishing Attachment (T1566.001)\r\nPhishing: Spearphishing Link (T1566.002)\r\nExploit Public-Facing Application (T1190)\r\nExecution:\r\nCommand and Scripting Interpreter: Windows Command Shell (T1059.003)\r\nNative Application Programming Interface (API) (T1106)\r\nWindows Management Instrumentation (T1047)\r\nUser Execution (T1204)\r\nCommand and Scripting Interpreter: PowerShell (T1059.001)\r\nPersistence:\r\nValid Accounts (T1078)\r\nExternal Remote Services (T1133)\r\nStartup Item (T1165)\r\nScheduled Task/Job: Scheduled Task (T1053.005)\r\nPrivilege Escalation:\r\nProcess Injection: Dynamic-link Library Injection (T1055.001)\r\nValid Accounts: Domain Accounts (T1078.002)\r\nScheduled Task/Job: Scheduled Task (T1053.005)\r\nBoot or Logon Autostart Execution: Winlogon Helper DLL (T1547.004)\r\nDefense Evasion:\r\nObfuscated Files or Information (T1027)\r\nProcess Injection: Dynamic-link Library Injection (T1055.001)\r\nDeobfuscate/Decode Files or Information (T1140)\r\nImpair Defenses: Disable or Modify Tools (T1562.001)\r\nCredential Access:\r\nBrute Force (T1110)\r\nSteal or Forge Kerberos Tickets: Kerberoasting (T1558.003)\r\nOS Credential Dumping (T1003)\r\nCredentials from Password Stores (T1555)\r\nDiscovery:\r\nSystem Network Configuration Discovery (T1016)\r\nSystem Network Connections Discovery (T1049)\r\nProcess Discovery (T1057)\r\nFile and Directory Discovery (T1083)\r\nNetwork Share Discovery (T1135)\r\nRemote System Discovery (T1018)\r\nNetwork Service Scanning (T1046)\r\nPermission Groups Discovery: Domain Groups (T1069.002)\r\nSystem Information Discovery (T1082)\r\nSystem Owner/User Discovery (T1033)\r\nSecurity Software Discovery (T1063)\r\nAccount Discovery: Local Account (T1087.001)\r\nPermission Groups Discovery: Local Groups (T1069.001)\r\nLateral Movement:\r\nRemote Services: SMB/Windows Admin Shares (T1021.002)\r\nTaint Shared Content (T1080)\r\nExploitation of Remote Services (T1210)\r\nLateral Tool Transfer (T1570)\r\nSummary\r\nTo defend against threats, Qualys recommends good cyber hygiene practices, and moving to a preventative approach by keeping network configurations, backups, application access, and patching up-to-date.\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware"
	],
	"report_names": [
		"conti-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3f5070b1ded532f554ec0ca809c81e702417e99.pdf",
		"text": "https://archive.orkl.eu/c3f5070b1ded532f554ec0ca809c81e702417e99.txt",
		"img": "https://archive.orkl.eu/c3f5070b1ded532f554ec0ca809c81e702417e99.jpg"
	}
}