Defenders Must Pay Attention to the Conti Ransomware Operations
Attivo Networks Blogs

Defenders Must Pay Attention to the Conti Ransomware Operations

Defenders Must Pay Attention to the Conti Ransomware Operations

Written by: Vikram Navali, Senior Technical Product Manager - Cyberattacks are playing a critical role in the Russia-Ukraine conflict. With the recent incidents of HermeticWiper malware and a series of distributed denial-of-service (DDoS) attacks, it appears groups from both Russia and Ukraine are targeting their security systems. A Ukrainian cyber security researcher recently leaked sensitive data of the Conti ransomware gang. Soon after, the group behind the Conti ransomware gang posted a warning on a website.

The gang has publicly announced its full support for the Russian government, though the leak may not stop the Conti gang’s intended operations. Still, it is worth understanding Conti’s playbook to prepare an active defense strategy.

About Conti

Conti is a Ransomware-as-a-Service (RaaS) malware, first observed in December 2019 and distributed via TrickBot. Last September, CISA and the FBI released an alert that threat actors used Conti in more than 400 attacks on U.S. and international organizations. Like the ransomware Ryuk, threat actors use Conti ransomware to steal sensitive data and threaten to publish if the victims do not meet their demands. Conti can traverse the network, laterally moving until it gains domain and admin credentials for admin privileges. Conti can use techniques and command-line arguments to encrypt the local hard drive or network shares.

Conti’s Tactics and Techniques

Conti actors launched spearphishing and exploited the vulnerability on public-facing web servers during the initial access stage to gain entry. It is also evident that the Conti ransomware gang has leveraged the Log4j vulnerability to move laterally on the victim’s network.

Once they gained initial access, the Conti gang used tools and command-line programs to escalate privileges and move laterally across a victim’s network. The following table shows tools they used by the MITRE ATT&CK phases. It also summarizes Attivo Networks products and features that help defenders detect and disrupt Conti gangs intended operations.

For example, in the discovery phase, threat actors may use ADFind, a free command-line query tool for gathering information from Active Directory (AD).

Similarly, threat actors may use SeatBelt to collect system data like Operating System versions and user folders.

How Do Attivo Networks Solutions Detect and Disrupt Conti Ransomware Operations?

Conti ransomware uses MITRE ATT&CK techniques and sub-techniques that are summarized below. We will see how Attivo Networks solutions help defenders disrupt Conti ransomware gang operations.

  1. Execution:  Command and Scripting Interpreter (T1059), Native API (T1106) – The Endpoint Detection Net (EDN) suite’s Anti-Ransomware feature monitors for IoCs. For example, ransomware gangs may attempt to modify, rename, delete, or encrypt files using APIs on a compromised endpoint. The solution triggers high-fidelity alerts and reports on potential malicious events. It also helps defenders collect TTPs and learn behaviors to mitigate ransomware operations.
  2. Persistence:  Valid Accounts (T1078), Default Accounts, Domain Accounts, Local Accounts, External Remote Services (T1133) –The BOTsink server decoys host externally-facing remote services such as VPNs, WinRM, etc., to mimic production infrastructure, and seeds decoy artifacts on endpoints and in AD, leading any attempts to use these artifacts to the decoys for engagement. The EDN suite’s Anti-Ransomware feature learns ransomware behaviors and terminates any unknown running process. As a result, the solution disrupts the ransomware gang’s intended operation.
  3. Credential Access:  Brute Force (T1110), Steal or Forge Kerberos Tickets:  Kerberoasting (T1558.003) – The ADAssessor solution performs a continuous Active Directory assessment and detects indicators of attack for brute force or password spray attacks. Any brute force attempt using deceptive credentials generates an alert as a stolen credentials attack. The EDN suite’s ThreatStrike solution deploys lures that alert against Kerberoasting attacks and redirects them to decoys systems for engagement.
  4. Discovery:  File and Directory Discovery (T1083), Network Share Discovery (T1135), System Network Configuration Discovery (T1016), System Network Connections Discovery (T1049) –The EDN ThreatStrike solution deploys decoy artifacts such as deceptive credentials, accounts, files, network shares, and others. The EDN suite’s Anti-Ransomware feature helps defenders create various file extensions and several decoy files. The solution triggers alerts and reports ransomware operations using these deceptive artifacts. The EDN DataCloak function hides critical files, production credentials, or network shares to restrict access from untrusted processes.
  5. Lateral Movement:  Remote Services: SMB/Windows Admin Shares (T1021.002 ), Taint Shared Content (T1080) –The BOTsink server decoys can host production applications such as SSH Servers, VNC, RDP servers, and others. The EDN suite’s ThreatStrike solution distributes deceptive SSH keys, credentials, and similar lures and maps decoy network shares on endpoints to decoy servers. The EDN suite’s Anti-Ransomware capability can prevent compromise of production network shares and detect attempts to corrupt their contents.
  6. Impact:  Data Encrypted for Impact (T1486) –The EDN Anti-Ransomware feature monitors IoCs and learns ransomware behaviors, such as attempts to encrypt files, folders, decoys documents, and such. The solution also triggers high-fidelity alerts based on the strange behaviors detected and prevents data destruction on local storage, removable media, cloud, and network storage.


Conti ransomware operations can spill over to other country infrastructures during the cyberwar between Russia and Ukraine. Organizations must pay greater attention to their cybersecurity to prevent themselves from becoming collateral victims.

For more information, please visit Also, sign up for free trial offers on Active Directory security assessments and continuous visibility to AD vulnerabilities.


Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Ready to find out what’s lurking in your network?

Scroll to Top