win.conti

Conti Ransomware


There is no description at this point.

References
2021-04-07 · ANALYST1 · Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Ransomware Egregor LockBit Maze RagnarLocker Ryuk SunCrypt
2021-03 · Group-IB · Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{RANSOMWARE UNCOVERED 2020—2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-04-16} } RANSOMWARE UNCOVERED 2020—2021
RansomEXX BazarBackdoor Buer Clop Conti Ransomware DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-25 · ANSSI · CERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Ransomware Emotet Ryuk TrickBot
2021-02-23 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-16 · SophosLabs Uncut · Andrew Brandt, Anand Ajjan
@online{brandt:20210216:conti:24c2333, author = {Andrew Brandt and Anand Ajjan}, title = {{Conti ransomware: Evasive by nature}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/}, language = {English}, urldate = {2021-02-20} } Conti ransomware: Evasive by nature
Conti Ransomware
2021-02-16 · SophosLabs Uncut · Michael Heller
@online{heller:20210216:conti:9090709, author = {Michael Heller}, title = {{A Conti ransomware attack day-by-day}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/}, language = {English}, urldate = {2021-02-20} } A Conti ransomware attack day-by-day
Conti Ransomware
2021-02-16 · SophosLabs Uncut · Peter Mackenzie, Tilly Travers
@online{mackenzie:20210216:what:9c9f413, author = {Peter Mackenzie and Tilly Travers}, title = {{What to expect when you’ve been hit with Conti ransomware}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/}, language = {English}, urldate = {2021-02-20} } What to expect when you’ve been hit with Conti ransomware
Conti Ransomware
2021-02-11 · CTI LEAGUE · CTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Ransomware Mailto Maze REvil Ryuk
2021-02-04 · ClearSky · ClearSky Research Team
@techreport{team:20210204:conti:27cb3a2, author = {ClearSky Research Team}, title = {{CONTI Modus Operandi and Bitcoin Tracking}}, date = {2021-02-04}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf}, language = {English}, urldate = {2021-02-06} } CONTI Modus Operandi and Bitcoin Tracking
Conti Ransomware Ryuk
2021-02-02 · CRONUP · Germán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-17 · Twitter (@AltShiftPrtScn) · Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti Ransomware
2021-01-12 · Cybereason · Lior Rochberger
@online{rochberger:20210112:cybereason:5707e14, author = {Lior Rochberger}, title = {{Cybereason vs. Conti Ransomware}}, date = {2021-01-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware}, language = {English}, urldate = {2021-01-18} } Cybereason vs. Conti Ransomware
BazarBackdoor Conti Ransomware
2020-12-15 · Chuongdong blog · Chuong Dong
@online{dong:20201215:conti:afb68fe, author = {Chuong Dong}, title = {{Conti Ransomware v2}}, date = {2020-12-15}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/}, language = {English}, urldate = {2020-12-23} } Conti Ransomware v2
Conti Ransomware
2020-12-15 · Medium 0xthreatintel · 0xthreatintel
@online{0xthreatintel:20201215:reversing:eddc936, author = {0xthreatintel}, title = {{Reversing Conti Ransomware}}, date = {2020-12-15}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74}, language = {English}, urldate = {2020-12-15} } Reversing Conti Ransomware
Conti Ransomware
2020-12-12 · Github (cdong1012) · Chuong Dong
@online{dong:20201212:contiunpacker:05a9897, author = {Chuong Dong}, title = {{ContiUnpacker: An automatic unpacker for Conti rasnomware}}, date = {2020-12-12}, organization = {Github (cdong1012)}, url = {https://github.com/cdong1012/ContiUnpacker}, language = {English}, urldate = {2020-12-14} } ContiUnpacker: An automatic unpacker for Conti rasnomware
Conti Ransomware
2020-11-20 · ZDNet · Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18 · KELA · Victoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware
2020-11-16 · Intel 471 · Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-10-23 · Hornetsecurity · Hornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt
2020-10-16 · CrowdStrike · The Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot
2020-08-25 · BleepingComputer · Lawrence Abrams
@online{abrams:20200825:ryuk:fbd5d99, author = {Lawrence Abrams}, title = {{Ryuk successor Conti Ransomware releases data leak site}}, date = {2020-08-25}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/}, language = {English}, urldate = {2020-08-26} } Ryuk successor Conti Ransomware releases data leak site
Conti Ransomware
2020-08-18 · Arete · Arete Incident Response
@techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } Is Conti the New Ryuk?
Conti Ransomware Ryuk
2020-07-08 · VMWare Carbon Black · Brian Baskin
@online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } TAU Threat Discovery: Conti Ransomware
Conti Ransomware
Yara Rules
[TLP:WHITE] win_conti_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Autogenerated yara-signator rule for the Conti ransomware family (Malpedia win.conti).
 *
 * Matching logic: sixteen hex byte sequences taken from disassembly of unpacked samples.
 * The rule fires when at least 7 of the 16 sequences occur in a file smaller than
 * 520192 bytes (0x7F000).
 *
 * Reading the annotations:
 *  - "n" is the number of byte tokens in the sequence; "score" is the generator's ranking
 *    value for it (exact meaning should be confirmed against the yara-signator docs).
 *  - Wildcarded tokens ("????????") mask addresses and are left unannotated, as the
 *    generator does: "ff15 ????????" is an indirect call through a pointer
 *    (absolute disp32 in 32-bit code, RIP-relative in 64-bit code), "e8 ????????" is a
 *    relative near call, and "c705 ???????? imm32" is mov dword ptr [addr], imm32.
 *    $sequence_0 and $sequence_6 differ only in that immediate (0xa vs 0xb).
 *  - $sequence_0..9 decode as 32-bit code (ebp-relative frames, push/call convention).
 *    $sequence_10..15 begin many tokens with 0x48/0x4c/0x41/0x42/0x44, which decode as
 *    single-byte inc/dec in 32-bit mode but as REX prefixes in 64-bit mode; the operand
 *    patterns (e.g. xor with the stack pointer, r8/r9 operands) read naturally as x86-64, so
 *    those annotations below use 64-bit decoding — NOTE(review): confirm against the sample.
 *  - In the generated output the per-line disassembly comments on $sequence_8..15 did not
 *    belong to the bytes on the same line (e.g. 85c0 was annotated as a mov and 6a01 as
 *    inc ecx, while the same tokens are test eax, eax and push 1 in $sequence_0/1). They
 *    have been re-derived from the bytes. Branch targets are written as signed displacements
 *    relative to the end of the branch instruction.
 *
 * Detection caveats:
 *  - If the 64-bit sequences originate from a different build than the 32-bit ones, a
 *    sample containing only $sequence_10..15 (six strings) cannot satisfy "7 of them";
 *    coverage of such builds depends on the 32-bit sequences also matching.
 *  - Several sequences are generic compiler idioms (stack-cookie setup, constant
 *    division/modulo); they contribute to the 7-of-16 threshold but are weak on their own.
 */
rule win_conti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 750f c705????????0a000000 e9???????? }
            // n = 4, score = 400
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   c705????????0a000000     |     
            //   e9????????           |                     

        $sequence_1 = { 6a01 ff15???????? 6aff 8d45fc }
            // n = 4, score = 400
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   6aff                 | push                -1
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_2 = { 6aff ff15???????? 8b0d???????? 894104 }
            // n = 4, score = 400
            //   6aff                 | push                -1
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   894104               | mov                 dword ptr [ecx + 4], eax

        $sequence_3 = { a1???????? 52 6a01 ff7004 ff15???????? }
            // n = 5, score = 400
            //   a1????????           |                     
            //   52                   | push                edx
            //   6a01                 | push                1
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff15????????         |                     

        $sequence_4 = { 741d 6aff ff75f0 ff15???????? ff75f4 ff15???????? ff75f0 }
            // n = 7, score = 400
            //   741d                 | je                  0x1f
            //   6aff                 | push                -1
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   ff15????????         |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_5 = { 780e 7f07 3d00005000 7605 }
            // n = 4, score = 400
            //   780e                 | js                  0x10
            //   7f07                 | jg                  9
            //   3d00005000           | cmp                 eax, 0x500000
            //   7605                 | jbe                 7

        $sequence_6 = { 85c0 750f c705????????0b000000 e9???????? }
            // n = 4, score = 400
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   c705????????0b000000     |     
            //   e9????????           |                     

        $sequence_7 = { 50 ff75fc ff15???????? 3dea000000 }
            // n = 4, score = 400
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   3dea000000           | cmp                 eax, 0xea

        $sequence_8 = { ff7004 ff15???????? 85c0 7508 6a01 ff15???????? }
            // n = 6, score = 400
            // (annotations re-derived from the bytes; 32-bit decoding)
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 +0x08
            //   6a01                 | push                1
            //   ff15????????         |                     

        $sequence_9 = { 8b4d08 e8???????? 6a00 ff15???????? 33c0 }
            // n = 5, score = 400
            // (annotations re-derived from the bytes; 32-bit decoding)
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_10 = { 4883fb3e 72ac 488d4dc1 e8???????? }
            // n = 4, score = 100
            // (annotations re-derived from the bytes; 64-bit decoding, see header note)
            //   4883fb3e             | cmp                 rbx, 0x3e
            //   72ac                 | jb                  -0x54
            //   488d4dc1             | lea                 rcx, [rbp - 0x3f]
            //   e8????????           |                     

        $sequence_11 = { 83e90f 446bc11f 41f7e8 4103d0 c1fa06 8bc2 c1e81f }
            // n = 7, score = 100
            // (annotations re-derived from the bytes; 64-bit decoding, see header note)
            // multiply/shift pattern looks like a compiler idiom for signed division or
            // modulo by a constant — generic, low evidentiary weight on its own
            //   83e90f               | sub                 ecx, 0xf
            //   446bc11f             | imul                r8d, ecx, 0x1f
            //   41f7e8               | imul                r8d
            //   4103d0               | add                 edx, r8d
            //   c1fa06               | sar                 edx, 6
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f

        $sequence_12 = { 7564 4c8bcb 660f1f440000 420fb68c0de1000000 b809040281 83e947 446bc107 }
            // n = 7, score = 100
            // (annotations re-derived from the bytes; 64-bit decoding, see header note)
            //   7564                 | jne                 +0x64
            //   4c8bcb               | mov                 r9, rbx
            //   660f1f440000         | nop                 word ptr [rax + rax]
            //   420fb68c0de1000000   | movzx               ecx, byte ptr [rbp + r9 + 0xe1]
            //   b809040281           | mov                 eax, 0x81020409
            //   83e947               | sub                 ecx, 0x47
            //   446bc107             | imul                r8d, ecx, 7

        $sequence_13 = { c7442420080000f0 4c8d45f1 33d2 488bcf ffd0 }
            // n = 5, score = 100
            // (annotations re-derived from the bytes; 64-bit decoding, see header note)
            // stores the constant 0xf0000008 to a stack slot, then calls through rax
            //   c7442420080000f0     | mov                 dword ptr [rsp + 0x20], 0xf0000008
            //   4c8d45f1             | lea                 r8, [rbp - 0xf]
            //   33d2                 | xor                 edx, edx
            //   488bcf               | mov                 rcx, rdi
            //   ffd0                 | call                rax

        $sequence_14 = { 4833c4 48898540090000 ba18000000 41b84edfdb2b 448d4a2f e8???????? }
            // n = 6, score = 100
            // (annotations re-derived from the bytes; 64-bit decoding, see header note)
            // xor rax, rsp followed by a frame store is consistent with the MSVC stack-cookie
            // prologue — NOTE(review): inferred from the shape only, confirm against the sample
            //   4833c4               | xor                 rax, rsp
            //   48898540090000       | mov                 qword ptr [rbp + 0x940], rax
            //   ba18000000           | mov                 edx, 0x18
            //   41b84edfdb2b         | mov                 r8d, 0x2bdbdf4e
            //   448d4a2f             | lea                 r9d, [rdx + 0x2f]
            //   e8????????           |                     

        $sequence_15 = { 2503000080 7d07 ffc8 83c8fc ffc0 85c0 0f8593010000 }
            // n = 7, score = 100
            // (annotations re-derived from the bytes; no REX prefixes, same in both modes)
            // and/jge/dec/or/inc sequence looks like the compiler idiom for a signed modulo by 4
            //   2503000080           | and                 eax, 0x80000003
            //   7d07                 | jge                 +0x07
            //   ffc8                 | dec                 eax
            //   83c8fc               | or                  eax, 0xfffffffc
            //   ffc0                 | inc                 eax
            //   85c0                 | test                eax, eax
            //   0f8593010000         | jne                 +0x193

    condition:
        // 7 of the 16 sequences must match; 520192 = 0x7F000 bytes
        7 of them and filesize < 520192
}