{
	"id": "99a8ff39-cb79-4113-b894-583aa8c848a5",
	"created_at": "2026-04-06T00:18:53.100446Z",
	"updated_at": "2026-04-10T03:33:29.977713Z",
	"deleted_at": null,
	"sha1_hash": "d8780f063cc3ef14cf0f5277a944cc62e01e7a22",
	"title": "Conti Ransomware in Taiwan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13927805,
	"plain_text": "Conti Ransomware in Taiwan\r\nBy CyCraft Technology Corp\r\nPublished: 2021-06-24 · Archived: 2026-04-05 17:52:31 UTC\r\nConti Ransomware Background\r\nConti Ransomware was first observed in December 2019 and has been primarily targeting corporate networks\r\nsince.\r\nConti is reported to have targeted the following industries:\r\nFinancial Institutions\r\nEducation\r\nPrivate Organizations\r\nGovernment Agencies\r\nHealthcare\r\nSmall-Sized Enterprises\r\nMedium-Sized Enterprises\r\nSome of the more interesting aspects of Conti ransomware include:\r\nIts numerous features and functions not typically seen in other ransomware families\r\nIts ability to scan and encrypt files from a separate system\r\nSimultaneously using 32 threads to encrypt files quickly\r\nIts ability to stop over 140 Windows processes, including processes related to SQL databases\r\nhttps://cycrafttechnology.medium.com/conti-ransomware-in-taiwan-45b44f1ab0d8\r\nPage 1 of 6\n\nIts ability to abuse Windows Restart Manager to cleanly close applications to ensure targeted files for\r\nencryption aren’t locked by said applications\r\nDeploying up to 277 different algorithms to encrypt different strings, using a unique symmetric encryption\r\nkey per file, which is then itself encrypted using AES-256 with a bundled RSA-4096 public encryption key.\r\nHowever, perhaps Conti’s most interesting aspect is its similar code snippets, Trickbot distribution, and\r\noverlapped infrastructure with Ryuk ransomware, which has some analysts regarding Conti as the successor for\r\nRyuk. 
Indeed, the number of similarities, combined with the decrease in the use of Ryuk while the use of Conti\r\nincreases, has some analysts speculating that both Ryuk and Conti share members of the same\r\ndevelopment/distribution team.\r\nConti Ransomware in Taiwan\r\nLast year, during a post-breach Incident Response (DFIR) investigation, CyCraft observed and analyzed the\r\neffects of a Conti ransomware attack.\r\nCyCraft Research utilized both manual and automatic tools, as well as open-source tools, to perform semi-autonomous analyses of the encountered Conti Ransomware and its obfuscation techniques.\r\nWhile our MDR systems can automatically collect behavior activities, manual reverse engineering is sometimes\r\nnecessary to complement or to verify the monitored behavior activities. In order to improve the performance of\r\nmanual reverse engineering, several semi-auto mechanisms were implemented.\r\nIn our report, we go through each of the more intriguing obfuscation techniques we observed in more granular\r\ndetail, including:\r\nInstrumentation\r\nAPI Unhooking\r\nJunk Code Inserted\r\nAPI Resolving By Name Hash\r\nStrings Obfuscation\r\nConti first created a MainThread in DllMain.\r\nOther Observed Tactics \u0026 Techniques\r\nOne of the trends we have seen with Conti ransomware attacks is the use of double extortion. 
The threat actor\r\nbehind this Conti-focused attack not only used encryption for extortion but also threatened to release the victims’\r\ndata via a data leak site as part of their extortion strategy — most likely to coerce the victims into paying the\r\nransom faster.\r\nConti ransomware also provided its handler a backdoor utility for manual operation — a key feature of Conti that\r\noften indicates a highly sophisticated, targeted operation, which not only closely resembles an APT attack but also\r\nsuggests that the attackers at the helm did the due diligence of performing detailed reconnaissance prior to\r\nlaunching the attack.\r\nManual operation of ransomware allows the attackers to configure the ransomware according to the situation\r\nand launch it when the largest number of endpoints could be compromised.\r\nBasic File Information\r\nIn this incident, basic information about the malware we observed in the wild is listed below.\r\nfilename: wwarc64.dll\r\nmd5: eb3fbab995fe3d4c57d4859f1268876c\r\nsha1: 68fe03eb79f5813dccb006699dd1f468b32a4d9e\r\nsha256: 5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a76\r\npdb_path: A:\\source\\conti_v3\\x64\\Release\\cryptor_dll.pdb\r\nExtension List 1\r\n.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf\r\n.db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy\r\nExtension List 2 (VM / disk image)\r\nFiles with the following extensions will use different encryption algorithms.\r\n.vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw,\r\n.qcow2, .subvol, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso\r\nSkip Path List\r\nIf the path contains one of the following strings (case-insensitive match), it 
will be ignored.\r\ntmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN,\r\nSystem Volume Information, Boot, Windows, Trend Micro\r\nSkip Name List\r\n.exe, .dll, .lnk, .sys, .msi, readme.txt, CONTI_LOG.txt\r\nDifferences With Carbon Black Case\r\nShadow Copy Deletion. The Conti ransomware we observed had an extremely busy and loud methodology for\r\nstopping services and inhibiting recovery on the local system. While many ransomware families will simply delete\r\nthe Windows Volume Shadow Copies using vssadmin, the Conti we observed used vssadmin in unique ways to\r\nensure their deletion, as shown below.\r\nvssadmin Delete Shadows /all /quiet\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\nThis newer version of Conti used WMIC to enumerate and delete shadow copies.\r\nRecommended Mitigations\r\nIncrease and maintain your capability of threat hunting and threat intelligence. While compromised\r\nendpoints cannot be avoided, threat hunting with up-to-date intelligence can expose attackers lurking in\r\nyour environment before they launch a ransomware attack. Targeted ransomware attacks typically spend\r\nmore time on recon, penetration, and persistence. Regular threat hunting increases your chances of\r\ndisrupting the attack before the attackers initiate actions on their final objectives.\r\nDefine and ready your strategy and playbook against ransomware. There is a strong likelihood that\r\nransomware will eventually land on some of your endpoints. Many response options to ransomware exist\r\nfor defenders: routine backups, shutting down devices, hibernation, network isolation. Each one has\r\nbenefits; one solution on its own is not enough. 
Lastly, estimate the impact on your business with\r\nleadership, ensure that you have consistent messaging across all departments, and perform red, blue, and\r\npurple team exercises as needed.\r\nEstablish and maintain routine AD security. In our observations, ransomware families typically do not\r\nlaunch the ransomware in the early stages of the attack. Attackers tend to lurk and hunt in your\r\nenvironment. Upon harvesting the AD admin, they immediately start spreading ransomware to every\r\ndevice in your domain at once. Maintaining effective AD security is complicated and hard to manage. The\r\nearlier defenders establish playbooks, the earlier they can identify risks and holes in their defenses — both\r\ntechnological and operational.\r\nGenerated Key Encryption\r\nEverything Starts From Security\r\nCyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to\r\nnetwork, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to\r\nprovide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions\r\nneeded to defend from all manner of modern security threats with real-time protection and visibility across the\r\norganization.\r\nEngage with CyCraft\r\nBlog | LinkedIn | Twitter | Facebook | CyCraft\r\nCyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and\r\nfinancial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being\r\nFast / Accurate / Simple / Thorough.\r\nCyCraft powers SOCs using innovative AI-driven technology to automate information security protection with\r\nbuilt-in advanced managed detection and response 
(MDR), global cyber threat intelligence (CTI), smart threat\r\nintelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC)\r\noperations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise\r\nAssessment, CA), and Secure From Home services. Everything Starts From Security.\r\nMeet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com\r\nAdditional Resources\r\nRead our latest white paper to learn what threat actors target Taiwan, their motivations \u0026 how Taiwan\r\norganizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the\r\nworld.\r\nIs your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective\r\nSOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from\r\nGartner, Inc. on why Midsize enterprises are embracing MDR providers.\r\nNew to the MITRE Engenuity ATT\u0026CK Evaluations? START HERE for a fast, accurate, simple, thorough\r\nintroductory guide to understanding the results.\r\nOur CyCraft AIR security platform achieved 96.15% Signal-to-Noise Ratio with zero configuration\r\nchanges and zero delayed detections straight out-of-the-box.\r\nSource: https://cycrafttechnology.medium.com/conti-ransomware-in-taiwan-45b44f1ab0d8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cycrafttechnology.medium.com/conti-ransomware-in-taiwan-45b44f1ab0d8"
	],
	"report_names": [
		"conti-ransomware-in-taiwan-45b44f1ab0d8"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775792009,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8780f063cc3ef14cf0f5277a944cc62e01e7a22.pdf",
		"text": "https://archive.orkl.eu/d8780f063cc3ef14cf0f5277a944cc62e01e7a22.txt",
		"img": "https://archive.orkl.eu/d8780f063cc3ef14cf0f5277a944cc62e01e7a22.jpg"
	}
}