{"id":3301,"date":"2021-10-11T13:47:35","date_gmt":"2021-10-11T13:47:35","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3301"},"modified":"2026-06-08T22:42:08","modified_gmt":"2026-06-08T22:42:08","slug":"conti-ransomware-attack-anatomy","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/conti-ransomware-attack-anatomy\/","title":{"rendered":"Anatomy of an attack \u2014 Conti Ransomware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Ransomware attack methodologies vary significantly across threat actors. This article shares technical details observed during the compromise phase conducted by the Conti Ransomware Gang, a particularly active and mature operator in the threat landscape (<a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-265a\">reference<\/a>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span>During compromise phases, these operators characteristically exploit specific vulnerabilities, including:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2017 SMB vulnerability (<a href=\"https:\/\/docs.microsoft.com\/en-us\/security-updates\/securitybulletins\/2017\/ms17-010\" class=\"ek-link\">info<\/a>);<\/li>\n\n\n\n<li>PrintNightmare (CVE-2021-34527);<\/li>\n\n\n\n<li>Zerologon (CVE-2020-1472)<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/ransomware-1024x576-1.gif\" alt=\"\" class=\"wp-image-3873\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Technical details of attack phases<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Conti typically obtains <strong>initial access<\/strong> to victim infrastructure through one of the following techniques:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Spearphishing campaigns<\/strong> with personalized emails containing malicious attachments <a class=\"ek-link ek-link\" 
href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1566\/001\/\">T1566.001<\/a> or malicious links <a class=\"ek-link\" href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1566\/002\/\">T1566.002<\/a>. These techniques frequently result in downloads of additional malware and tools that facilitate <strong><em>lateral movement<\/em><\/strong> and other criminal activities;<\/li>\n\n\n\n<li>Theft of <strong>RDP credentials<\/strong> <a class=\"ek-link\" href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1078\/\">T1078<\/a>;<\/li>\n\n\n\n<li>Trojans masquerading as system performance optimizers.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">After obtaining access to victim infrastructure, attackers <strong>execute<\/strong> Windows Shell commands <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1059\/003\/\" class=\"ek-link\">T1059.003<\/a> and leverage native Windows APIs <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1106\/\" class=\"ek-link\">T1106<\/a>. CISA and FBI have observed that criminals employ tools to scan and conduct brute force attacks against routers, cameras, and storage devices connected to the network via web interfaces.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To establish <strong>persistence<\/strong> within infrastructure, criminals exploit valid credentials for remote monitoring and remote desktop management software <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1078\/\" class=\"ek-link\">T1078<\/a>. 
Additionally, they may leverage VPN, Citrix, and other software access that permits external connectivity to internal infrastructure resources.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For <strong>privilege escalation<\/strong>, Conti performs Process Injection by loading and executing an encrypted dynamic-link library (DLL) in memory <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1055\/001\/\" class=\"ek-link\">T1055.001<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As <strong>defense evasion<\/strong> techniques, the group executes obfuscated code <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1027\/\" class=\"ek-link\">T1027<\/a>, enabling concealment of Windows API calls, alongside Process Injection and payload decryption through AES-256 key usage <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1140\/\" class=\"ek-link\">T1140<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To <strong>obtain access credentials<\/strong>, Conti operators employ multiple techniques, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Brute Force <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1110\/\" class=\"ek-link\">T1110<\/a><\/li>\n\n\n\n<li>Kerberos ticket theft or forging <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1558\/003\/\" class=\"ek-link\">T1558.003<\/a><\/li>\n\n\n\n<li>System Network Configuration Discovery <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1016\/\" class=\"ek-link\">T1016<\/a><\/li>\n\n\n\n<li>System Network Connections Discovery <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1049\/\" class=\"ek-link\">T1049<\/a><\/li>\n\n\n\n<li>Process Discovery <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1057\/\" class=\"ek-link\">T1057<\/a><\/li>\n\n\n\n<li>File and Directory Discovery <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1083\/\" 
class=\"ek-link\">T1083<\/a><\/li>\n\n\n\n<li>Network Share Discovery <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1135\/\" class=\"ek-link\">T1135<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">During the <strong>lateral movement<\/strong> phase, operators typically exploit the SMB protocol <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1021\/002\/\" class=\"ek-link\">T1021.002<\/a> and compromise shared files across multiple users and machines <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1080\/\" class=\"ek-link\">T1080<\/a>. Detection of this activity requires continuous network monitoring, which <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities can provide through behavioral analysis and threat correlation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, Conti executes the <strong>impact<\/strong> phase by encrypting data <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1486\/\" class=\"ek-link\">T1486<\/a> using the I\/O completion port functions <code>CreateIoCompletionPort()<\/code>, <code>PostQueuedCompletionStatus()<\/code>, and <code>GetQueuedCompletionStatus()<\/code>. Encryption employs a unique AES-256 key per file, derived from a unique RSA-4096 public key per victim. Files with extensions &#8220;exe&#8221;, &#8220;dll&#8221;, and &#8220;lnk&#8221; are typically excluded from encryption. 
Additionally, Shadow Copies deletion <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1490\/\" class=\"ek-link\">T1490<\/a> and termination of multiple Windows services <a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1489\/\" class=\"ek-link\">T1489<\/a> critical to security, backup, and database operations are frequently observed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOC<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The following Cobalt Strike addresses recently attributed to Conti operations have been identified:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>162.244.80[.]235<\/code><\/li>\n\n\n\n<li><code>85.93.88[.]165<\/code><\/li>\n\n\n\n<li><code>185.141.63[.]120<\/code><\/li>\n\n\n\n<li><code>82.118.21[.]1<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Conti&#8217;s operational methodology demonstrates the necessity of comprehensive defense-in-depth strategies encompassing credential hygiene, network segmentation, and continuous endpoint monitoring to detect and disrupt attack chains at multiple stages.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Conti ransomware operations: initial access patterns, Cobalt Strike pivoting, domain-controller compromise, exfiltration tooling and double-extortion 
mechanics.<\/p>\n","protected":false},"author":1,"featured_media":4077,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1619,3182,1595,1491,1621,3184,3183,1623,3185],"class_list":["post-3301","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-attck-it","tag-cobalt-strike","tag-conti-it","tag-cve-it","tag-defence-it","tag-domain-compromise","tag-double-extortion","tag-mitre-it","tag-ransomware-operations"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3301"}],"version-history":[{"count":4,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3301\/revisions"}],"predecessor-version":[{"id":9862,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3301\/revisions\/9862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4077"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}