Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.
|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.
|Enterprise||T1486||Data Encrypted for Impact||
Conti can use
|Enterprise||T1140||Deobfuscate/Decode Files or Information||
Conti has decrypted its payload using a hardcoded AES-256 key.
|Enterprise||T1083||File and Directory Discovery|
|Enterprise||T1490||Inhibit System Recovery||
Conti can delete Windows Volume Shadow Copies using
|Enterprise||T1135||Network Share Discovery||
Conti can enumerate remote open SMB network shares using
|Enterprise||T1027||Obfuscated Files or Information||
Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.
Conti can enumerate through all open processes to search for any that have the string "sql" in their process name.
|Enterprise||T1055||.001||Process Injection: Dynamic-link Library Injection||
Conti has loaded an encrypted DLL into memory and then executes it.
|Enterprise||T1021||.002||Remote Services: SMB/Windows Admin Shares||
Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.
|Enterprise||T1018||Remote System Discovery||
Conti has the ability to discover hosts on a target network.
Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of
|Enterprise||T1016||System Network Configuration Discovery||
Conti can retrieve the ARP cache from the local system by using the
|Enterprise||T1049||System Network Connections Discovery||
Conti can enumerate routine network connections from a compromised host.
|Enterprise||T1080||Taint Shared Content||
Conti can spread itself by infecting other remote machines via network shared drives.