Conti

Conti is a ransomware-as-a-service (RaaS) operation known for targeting large, global organizations and government agencies.

The origin of Conti Ransomware

Conti first appeared in 2019 as ransomware operated by the Russia-based Wizard Spider group. It is thought to be the successor of Ryuk ransomware, which targeted more than 100 U.S. and international businesses starting in August 2018. Over time, Conti transitioned to a full-fledged ransomware-as-a-service (RaaS) model used by numerous affiliate groups to launch attacks. It has been used against global enterprises and government agencies, primarily in North America, to steal sensitive files and demand multi-million-dollar ransoms from high-revenue organizations. The Conti brand was shut down in 2022 after its operators split into smaller groups, but its playbook persists in their successors today.

Source: OCD & MITRE ATT&CK

Targets

Conti's Targets

Countries targeted by Conti ransomware

Conti claimed hundreds of victims, from Ireland to Costa Rica, but most of its attacks hit organizations in North America.

Sources: Ransomware.live

Industries targeted by Conti ransomware

Conti Ransomware is primarily used against corporations and government agencies, particularly those in North America. Healthcare (most visibly Ireland's HSE), manufacturing and other critical-infrastructure sectors feature prominently among its victims.

Image source: Sophos

Conti Ransomware’s victims

To date, 351 victims have fallen prey to Conti Ransomware. Some high-profile victims include Ireland's Health Service Executive (HSE), local government offices, and several private firms. The HSE attack in 2021 caused widespread disruption in healthcare services, illustrating Conti's significant operational impact.

Source: Ransomware.live

Attack Method

Conti ransomware attack method

Initial Access

Conti affiliates gain a foothold through phishing emails, exploit kits, compromised websites and stolen remote desktop protocol (RDP) credentials. They also rely on the BazarLoader and TrickBot botnets to infiltrate target systems and hand control to hands-on-keyboard operators.

Privilege Escalation

Using Cobalt Strike, Conti operators exploit unpatched vulnerabilities and use the beacon's GetSystem command (named pipe impersonation) to obtain SYSTEM privileges.

Defense Evasion

Attackers disable Windows Defender through Group Policy and registry changes and obfuscate their tooling to hide malicious activity.

Credential Access

Conti uses Mimikatz and Cobalt Strike to dump credentials from LSASS and then abuses them against Kerberos, for example with overpass-the-hash, where a stolen NTLM hash or AES key is used to request a Kerberos ticket-granting ticket without ever knowing the password.

Discovery

Operators map the network with built-in tools such as nltest, net.exe and dsquery, enumerating domain controllers, groups, accounts and hosts.

Lateral Movement

Lateral movement relies on SMB, PsExec and RDP connections, often proxied through the initial foothold.

Collection

The operators locate sensitive files and directories and stage them for exfiltration to attacker-controlled servers.

Execution

The ransomware payload is launched through the Cobalt Strike beacon, frequently in memory, and encrypts files, rendering systems unusable.

Exfiltration

Data is exfiltrated over Cobalt Strike's beacon channel or with custom scripts over encrypted connections, typically before encryption begins so that the stolen data can be used as leverage.

Impact

Conti encrypts critical files and leaves a ransom note, demanding payment to decrypt and to avoid public exposure of the stolen data.
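As an added example (not code from the original page and not any vendor's detection logic), the following Python script runs a handful of detection rules modelled on the chain above over a constructed stream of Windows process-creation and registry-modification events. The hostnames, usernames, timestamps and command lines are invented for illustration; the Sysmon event IDs referenced are real, but the record layout is a simplification of what a SIEM would present. The point it makes is the one a practitioner cares about: a single net user is routine administration, so the discovery rule fires only on a burst of distinct enumeration commands from one host inside a short window, while Defender tampering, LSASS dumping and PsExec against a remote target are each alert-worthy on their own.

```python
"""Toy detection pass over constructed Windows telemetry, modelled on the Conti
intrusion chain described on this page. Sample events, hosts and users are
invented for illustration (assumption); nothing here is vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in enumeration tools Conti operators lean on (Discovery, T1087 and friends).
DISCOVERY = re.compile(
    r"^(?:nltest|dsquery|net(?:1|\.exe)?\s+(?:view|group|user|localgroup))\b", re.I)
# Defender policy values set to 1 (Defense Evasion, T1112). Sysmon EID 13 records
# the full key path and the new value.
DEFENDER_OFF = re.compile(
    r"\\Windows Defender(?:\\Real-Time Protection)?\\Disable\w+\s*=\s*1\b", re.I)
# Mimikatz-style LSASS access (Credential Access, T1003).
CRED_DUMP = re.compile(r"mimikatz|sekurlsa::|procdump.*lsass|comsvcs\.dll.*MiniDump", re.I)
# PsExec-family remote execution against a UNC target (Lateral Movement, T1021).
LATERAL = re.compile(r"\b(?:psexec|paexec|psexesvc)(?:\.exe)?\b.*\\\\\S+", re.I)

# Constructed sample telemetry: (timestamp, host, user, kind, detail).
# kind "proc" = process command line (Sysmon EID 1 / Security 4688),
# kind "reg"  = registry value set  (Sysmon EID 13).
SAMPLE_EVENTS = [
    ("2021-05-10T08:30:00", "WS-044", "corp\\itadmin", "proc", "net user /domain"),
    ("2021-05-10T09:00:01", "WS-017", "corp\\jdoe", "proc", "nltest /dclist:corp.local"),
    ("2021-05-10T09:00:04", "WS-017", "corp\\jdoe", "proc", 'net group "Domain Admins" /domain'),
    ("2021-05-10T09:00:09", "WS-017", "corp\\jdoe", "proc", "dsquery computer -limit 0"),
    ("2021-05-10T09:00:15", "WS-017", "corp\\jdoe", "proc", "net view /domain"),
    ("2021-05-10T09:12:30", "WS-017", "NT AUTHORITY\\SYSTEM", "reg",
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1"),
    ("2021-05-10T09:13:02", "WS-017", "NT AUTHORITY\\SYSTEM", "proc",
     "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    ("2021-05-10T09:40:11", "WS-017", "corp\\svc_backup", "proc",
     "PsExec.exe \\\\FS-02 -s -d cmd /c start C:\\temp\\locker.exe"),
]


def _alert(tactic, technique, host, user, evidence):
    return {"tactic": tactic, "technique": technique, "host": host,
            "user": user, "evidence": evidence}


def detect(events, window=timedelta(minutes=5), burst=3):
    """Return a list of alert dicts. Single-event rules fire immediately; the
    discovery rule needs `burst` distinct enumeration commands from one host
    inside `window`, because one 'net user' is normal admin activity."""
    alerts = []
    discovery_by_host = defaultdict(list)
    for ts, host, user, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "reg":
            if DEFENDER_OFF.search(detail):
                alerts.append(_alert("TA0005 Defense Evasion", "T1112", host, user, detail))
            continue
        if kind != "proc":
            continue
        if CRED_DUMP.search(detail):
            alerts.append(_alert("TA0006 Credential Access", "T1003", host, user, detail))
        if LATERAL.search(detail):
            alerts.append(_alert("TA0008 Lateral Movement", "T1021", host, user, detail))
        if DISCOVERY.search(detail):
            discovery_by_host[host].append((datetime.fromisoformat(ts), user, detail))

    for host, cmds in discovery_by_host.items():
        # Sliding window over the host's chronologically ordered discovery commands;
        # one alert per host, raised at the first window that reaches the threshold.
        for i, (t0, user, _) in enumerate(cmds):
            seen = {c for t, _, c in cmds[i:] if t - t0 <= window}
            if len(seen) >= burst:
                alerts.append(_alert("TA0007 Discovery", "T1087", host, user,
                                     "; ".join(sorted(seen))))
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']:7} {a['technique']} {a['tactic']:<26} {a['evidence']}")
```

Run against the sample stream it raises four alerts, all on WS-017, in the order the operator progressed: Defender disabled, LSASS dumped, PsExec to the file server, plus the discovery burst; WS-044's lone net user produces nothing. In production the single-event patterns would live in Sigma rules and the window correlation in the SIEM, and the PsExec rule in particular should be backed by service-creation telemetry (Security EID 7045 for the PSEXESVC service on the target), since command-line matching misses a renamed binary.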

MITRE ATT&CK Mapping

TTPs used by Conti Ransomware

TA0001 Initial Access: T1566 Phishing
TA0002 Execution: T1059 Command and Scripting Interpreter
TA0003 Persistence: none listed
TA0004 Privilege Escalation: T1548 Abuse Elevation Control Mechanism
TA0005 Defense Evasion: T1548 Abuse Elevation Control Mechanism; T1112 Modify Registry
TA0006 Credential Access: T1003 OS Credential Dumping
TA0007 Discovery: T1087 Account Discovery
TA0008 Lateral Movement: T1021 Remote Services
TA0009 Collection: T1074 Data Staged
TA0010 Exfiltration: none listed
TA0011 Command and Control: T1071 Application Layer Protocol
TA0040 Impact: T1486 Data Encrypted for Impact

FAQs

What is Conti ransomware?

Conti is a ransomware-as-a-service operation that appeared in 2019. It is particularly damaging because of how quickly it encrypts data and spreads to other systems on the network.

Who’s behind Conti ransomware?

Conti was developed by the notorious Russian ransomware gang Wizard Spider in 2019, and was later used by numerous threat actors as ransomware-as-a-service (RaaS).

How does Conti ransomware work?

Conti ransomware is delivered by a variety of methods, such as spear phishing and the abuse of stolen RDP credentials. Once inside the targeted network, its operators steal data before encrypting it, enabling double extortion: the attacker demands payment both for the decryption key and to withhold release of the stolen data.

Which industries are targeted by Conti ransomware attacks?

Conti is known for targeting critical infrastructure and systems of government agencies and large companies across industries including healthcare and manufacturing.

What countries are targeted by Conti ransomware attacks?

Most Conti ransomware victims are in Canada and the United States, although notable attacks have also occurred in Ireland and the United Kingdom.

How many organizations have been impacted by Conti Ransomware?

More than 350 agencies and organizations fell prey to Conti Ransomware, collectively paying hundreds of millions in ransoms.

What are the implications of a Conti ransomware attack?

Conti ransomware victims have had to pay millions of dollars to not only get decryption keys but also to avoid the release of sensitive, stolen data.

How can organizations detect and stop Conti ransomware attacks?

In addition to preventative measures like multi-factor authentication and employee cyber security training, organizations can catch an intrusion early, during the discovery, credential theft and lateral movement that precede encryption, with AI-driven behavioural detections across network and identity telemetry.

How does Conti ransomware spread?

Conti spreads the way its operators move. After the initial foothold (phishing, a TrickBot or BazarLoader infection, or stolen RDP credentials), they use dumped credentials with SMB, PsExec and RDP to reach additional hosts, steal files, encrypt file servers and workstations, and demand ransom payments both for decryption keys and to prevent the release of stolen data.

What are the best ways to prevent a Conti ransomware attack?

No single control prevents Conti. Multi-factor authentication on remote access (especially RDP), prompt patching of the vulnerabilities its operators exploit, employee security training and tested offline backups reduce the likelihood and cost of an intrusion, while AI-driven detections catch the discovery, credential theft and lateral movement that precede encryption while there is still time to stop the attack.