
CONTI

OVERVIEW

CONTI is a prolific human-operated ransomware. Its actors routinely engage in doxing in order to coerce victims into paying the ransom. It is capable of encrypting files both on the local system and over SMB; it appends .CONTI as a file extension and employs AES-256 for file encryption.

TARGETING

Since CONTI Ransomware is considered Ransomware as a Service, targeting will depend on the actor utilizing the variant; however, it has been used against healthcare and first responder infrastructure, law enforcement, and manufacturing. Since the actor is financially motivated, other organizations and companies could be targeted.

DELIVERY

Initial access has been observed to be achieved via social engineering (such as spear phishing emails), exploitation of vulnerabilities, and abuse of stolen credentials. First-stage malware is then installed onto the host systems, utilizing malware such as Trickbot, BazarLoader or Cobalt Strike.

INSTALLATION

Conti has been observed to run reconnaissance scans and move laterally within an environment utilizing Kerberos attacks (with tools like Mimikatz), as well as exploitation of vulnerabilities on unpatched machines. Privilege escalation is sought during this process.

Before execution/deployment of the ransomware, Conti stops Windows services in order to render the machine more vulnerable and deletes backup options. Proprietary data is also exfiltrated via the Rclone program.

After deployment, files are encrypted using AES-256.

PERSISTENCE

Persistence is achieved via file encryption and inhibition of defense and recovery tools (such as deletion of Windows Volume Shadow Copies).
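The pre-deployment and deployment behaviour described in the Installation and Persistence sections (bulk Windows service stops, Volume Shadow Copy deletion, Rclone exfiltration, and the .CONTI file extension) is observable in ordinary process-creation and file-rename telemetry. The following is an added detection sketch, not code from the original post or from Cyborg Security; the event dictionaries are constructed samples and their field names (`host`, `cmdline`, `path`) are an assumed schema rather than a real Sysmon or EDR format.

```python
"""Detection sketch for the Conti pre-encryption and encryption behaviour
described above. Added example; the event dictionaries are constructed and
the field names are assumptions, not a real Sysmon or EDR schema."""
import re
from collections import defaultdict

# Each rule: (label, compiled regex over the command line). Patterns are
# deliberately loose about the .exe suffix and argument spacing.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("service_stop",
     re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+", re.I)),
    ("rclone_exfil",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]

RANSOM_EXTENSION = ".conti"


def classify_process(cmdline):
    """Return the labels of every rule the command line matches."""
    return [label for label, rx in PROCESS_RULES if rx.search(cmdline)]


def classify_file(path):
    """Return ['conti_extension'] if a file carries the Conti suffix, else []."""
    return ["conti_extension"] if path.lower().endswith(RANSOM_EXTENSION) else []


def scan(process_events, file_events):
    """Aggregate indicator labels per host, deduplicated, in first-seen order."""
    findings = defaultdict(list)
    for ev in process_events:
        for label in classify_process(ev["cmdline"]):
            if label not in findings[ev["host"]]:
                findings[ev["host"]].append(label)
    for ev in file_events:
        for label in classify_file(ev["path"]):
            if label not in findings[ev["host"]]:
                findings[ev["host"]].append(label)
    return dict(findings)


def hosts_to_escalate(findings, min_indicators=2):
    """Hosts showing several independent indicators are the ones worth paging on:
    a lone 'net stop' is routine admin noise, but combined with shadow copy
    deletion or a ransom extension it matches the pre-deployment sequence."""
    return sorted(h for h, labels in findings.items() if len(labels) >= min_indicators)


# Constructed sample telemetry, not captured from a real incident.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": 'net stop "SQL Server (MSSQLSERVER)" /y'},
    {"host": "fs01", "cmdline": r"rclone.exe copy \\fs01\share remote:exfil --transfers 32"},
    {"host": "ws02", "cmdline": "notepad.exe report.txt"},
    {"host": "ws03", "cmdline": "net stop Spooler"},
]
SAMPLE_FILE_EVENTS = [
    {"host": "fs01", "path": r"\\fs01\share\q3-forecast.xlsx.CONTI"},
    {"host": "fs01", "path": r"\\fs01\share\notes.txt"},
]

if __name__ == "__main__":
    result = scan(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)
    for host, labels in sorted(result.items()):
        print(f"{host}: {', '.join(labels)}")
    print("escalate:", hosts_to_escalate(result))
```

The per-host aggregation is the point of the design: a single service stop is common administrative activity, so the rule set only escalates hosts where two or more of the behaviours from the profile co-occur. Matching Rclone on its command line rather than on a hash also tolerates the binary being renamed or rebuilt, which is the weakness of indicator-only detection for a Ransomware as a Service family whose operators vary their tooling.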

COMMUNICATION

CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims.


*** This is a Security Bloggers Network syndicated blog from Cyborg Security authored by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/emerging-threat/conti/