Conti (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.conti (Back to overview)

Conti

Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.

References

2023-10-03 ⋅ Luca Mella
Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)
LockBit LockBit Conti LockBit

2023-09-12 ⋅ ANSSI ⋅ ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC

2023-09-07 ⋅ Department of Justice ⋅ Office of Public Affairs
Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies
Conti Conti TrickBot

2023-07-26 ⋅ Arctic Wolf ⋅ Steven Campbell, Akshay Suthar, Connor Belfiore
Conti and Akira: Chained Together
Akira Conti

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-06-17 ⋅ Github (EmissarySpider) ⋅ EmissarySpider
ransomware-descendants
Babuk Conti LockBit

2023-06-08 ⋅ VMRay ⋅ Patrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver

2023-03-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia

2023-02-10 ⋅ cocomelonc ⋅ cocomelonc
Malware analysis: part 8. Yara rule example for MurmurHash2. MurmurHash2 in Conti ransomware
Conti

2023-02-01 ⋅ Security Affairs ⋅ Pierluigi Paganini
New LockBit Green ransomware variant borrows code from Conti ransomware
Conti LockBit

2023-01-04 ⋅ cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty

2022-12-06 ⋅ EuRepoC ⋅ Kerstin Zettl-Schabath, Lena Rottinger, Camille Borrett
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER

2022-11-21 ⋅ Palo Alto Networks Unit 42 ⋅ Kristopher Russo
Threat Assessment: Luna Moth Callback Phishing Campaign
BazarBackdoor Conti

2022-09-20 ⋅ vmware ⋅ Dana Behling
Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty

2022-09-07 ⋅ Intel 471 ⋅ Intel 471
Conti vs. Monti: A Reinvention or Just a Simple Rebranding?
Conti

2022-09-07 ⋅ Blackberry ⋅ Anuj Soni, Ryan Chapman
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
Conti MimiKatz Veeam Dumper

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-08-02 ⋅ Recorded Future ⋅ Insikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar

2022-07-20 ⋅ Kaspersky ⋅ Marc Rivero López, Jornt van der Wiel, Dmitry Galov, Sergey Lozhkin
Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti

2022-06-23 ⋅ Kaspersky ⋅ Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker

2022-06-23 ⋅ Trellix ⋅ Christiaan Beek
The Sound of Malware
Conti VHD Ransomware

2022-06-15 ⋅ ThreatStop ⋅ Ofir Ashman
First Conti, then Hive: Costa Rica gets hit with ransomware again
Conti Hive Conti Hive

2022-06-15 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot

2022-06-02 ⋅ Eclypsium ⋅ Eclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate

2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot

2022-05-23 ⋅ Trend Micro ⋅ Matsugaya Shingo
LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit

2022-05-23 ⋅ Trend Micro ⋅ Trend Micro Research
LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)
BlackCat Conti LockBit

2022-05-20 ⋅ AdvIntel ⋅ Yelisey Boguslavskiy, Vitali Kremez, Marley Smith
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti WIZARD SPIDER

2022-05-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-05 ⋅ YouTube (The Vertex Project) ⋅ Ryan Hallbeck
Contileaks: Identifying, Extracting, & Modeling Bitcoin Addresses
Conti

2022-05-03 ⋅ Talos Intelligence ⋅ JON MUNSHAW
Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive

2022-05-03 ⋅ Cisco ⋅ Kendall McKay, Paul Eubanks., JAIME FILSON
Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive

2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive

2022-04-29 ⋅ NCC Group ⋅ Mike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-28 ⋅ PWC ⋅ PWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-21 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Continues Conti Operations Despite Public Disclosures
Conti Conti

2022-04-20 ⋅ Bleeping Computer ⋅ Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile

2022-04-18 ⋅ Trellix ⋅ Marc Elias, Jambul Tologonov, Alexandre Mundo
Conti Group Targets ESXi Hypervisors With its Linux Variant
Conti Conti

2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot

2022-04-15 ⋅ Arctic Wolf ⋅ Arctic Wolf
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot

2022-04-15 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot

2022-04-12 ⋅ ConnectWise ⋅ ConnectWise CRU
Threat Profile: Conti
Conti

2022-04-11 ⋅ cocomelonc
Conti ransomware source code investigation - part 2
Conti

2022-04-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Hackers use Conti's leaked ransomware to attack Russian companies
Conti

2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot

2022-04-06 ⋅ TRM Labs ⋅ TRM Labs
TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider
Conti Ryuk

2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @yatinwad, @MettalicHack, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID

2022-04-02 ⋅ Github (cocomelonc) ⋅ cocomelonc
Malware development tricks. Find kernel32.dll base: asm style. C++ example.
Conti

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot

2022-03-27 ⋅ cocomelonc
Conti ransomware source code investigation - part 1
Conti

2022-03-25 ⋅ Zscaler ⋅ Brett Stone-Gross
Conti Ransomware Attacks Persist With an Updated Version Despite Leaks
Conti

2022-03-23 ⋅ Intel 471 ⋅ Intel 471
Conti puts the ‘organized’ in organized crime
Conti

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ splunk ⋅ Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot

2022-03-22 ⋅ ThreatStop ⋅ Ofir Ashman
Conti ransomware leaks - what happens when hackers support Russia
Conti

2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-18 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)
Conti Conti

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY

2022-03-16 ⋅ Dragos ⋅ Josh Hanrahan
Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Conti Emotet

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti

2022-03-10 ⋅ Check Point Research
Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of
Conti

2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot

2022-03-08 ⋅ Github (whichbuffer) ⋅ Arda Büyükkaya
Conti-Ransomware-IOC
Conti

2022-03-08 ⋅ Yoroi ⋅ Luigi Martire, Carmelo Ragusa, Luca Mella
Conti Ransomware source code: a well-designed COTS ransomware
Conti

2022-03-08 ⋅ MBSD ⋅ MBSD
ContiLeaks
Conti

2022-03-08 ⋅ The Record ⋅ Dina Temple-Raston
Inside Conti leaks: The Panama Papers of ransomware
Conti

2022-03-07 ⋅ CyberScoop ⋅ Suzanne Smalley
Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say
Conti

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate

2022-03-02 ⋅ elDiario ⋅ Carlos del Castillo
Cybercrime bosses warn that they will "fight back" if Russia is hacked
Conti Ryuk

2022-03-02 ⋅ CyberArk ⋅ CyberArk Labs
Conti Group Leaked!
TeamTNT Conti TrickBot

2022-03-02 ⋅ Cluster25 ⋅ Cluster25
Conti's Source Code: Deep-Dive Into
Conti

2022-03-02 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff, Sean Wilson
Botleggers Exposed - Analysis of The Conti Leaks Malware
Conti

2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot

2022-03-02 ⋅ Threatpost ⋅ Lisa Vaas
Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot

2022-03-01 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Twitter thread with highlights from conti leaks
Conti

2022-03 ⋅ Arctic Wolf ⋅ Arctic Wolf
Conti Ransomware: An Analysis of Key Findings
Conti

2022-03-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Conti Ransomware source code leaked by Ukrainian researcher
Conti

2022-03-01 ⋅ Medium whickey000 ⋅ Wade Hickey
How I Cracked CONTI Ransomware Group’s Leaked Source Code ZIP File
Conti

2022-03-01 ⋅ VX-Underground
Leaks: Conti / Trickbot
Conti TrickBot

2022-02-28 ⋅ Medium arnozobec ⋅ Arnaud Zobec
Analyzing conti-leaks without speaking russian — only methodology
Conti

2022-02-28 ⋅ Github (TheParmak) ⋅ TheParmak
conti-leaks-englished
Conti

2022-02-28 ⋅ Sophos ⋅ Sean Gallagher
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma

2022-02-27 ⋅ The Record ⋅ Catalin Cimpanu
Conti ransomware gang chats leaked by pro-Ukraine member
Conti LockBit

2022-02-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Conti ransomware's internal chats leaked after siding with Russia
Conti

2022-02-25 ⋅ Red Hot Cyber ⋅ Red Hot Cyber
Il ransomware Conti si schiera a favore della Russia.
Conti

2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti

2022-02-22 ⋅ Bankinfo Security ⋅ Matthew J. Schwartz
Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot

2022-02-22 ⋅ Sophos ⋅ Chester Wisniewski
Cyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?
Conti

2022-02-20 ⋅ Security Affairs ⋅ Pierluigi Paganini
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot

2022-02-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot

2022-02-14 ⋅ Cyware
Ransomware Becomes Deadlier, Conti Makes the Most Money
Conti

2022-02-09 ⋅ Dragos ⋅ Anna Skelton
Dragos ICS/OT Ransomware Analysis: Q4 2021
LockBit Conti LockBit

2022-02-04 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems
Conti

2022-01-27 ⋅ CoveWare
Ransomware as a Service Innovation Curve
Conti LockBit

2022-01-27 ⋅ BleepingComputer ⋅ Sergiu Gatlan
Taiwanese Apple and Tesla contractor hit by Conti ransomware
Conti

2022-01-24 ⋅ CyCraft ⋅ CyCraft AI
The Road to Ransomware Resilience, Part 2: Behavior Analysis
Conti Prometheus WastedLocker

2022 ⋅ Symposium on Electronic Crime Research ⋅ Ian W. Gray, Jack Cable, Benjamin Brown, Vlad Cuiujuclu, Damon McCoy
Money Over Morals: A Business Analysis of Conti Ransomware
Conti Conti

2022 ⋅ Silent Push ⋅ Silent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti

2021-12-23 ⋅ Symantec ⋅ Siddhesh Chandrayan
Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass

2021-12-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement
Conti

2021-12-13 ⋅ The DFIR Report ⋅ The DFIR Report
Diavol Ransomware
BazarBackdoor Conti Diavol

2021-12-08 ⋅ Darktrace ⋅ Justin Fier
The double extortion business: Conti Ransomware Gang finds new avenues of negotiation
Conti

2021-12-03 ⋅ HSE ⋅ HSE
Conti cyber attack on the HSE
Conti

2021-12-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight: Conti
Conti

2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti

2021-11-18 ⋅ Elliptic ⋅ Elliptic Intel
Conti Ransomware Nets at Least $25.5 Million in Four Months
Conti

2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle

2021-11-18 ⋅ Qualys ⋅ Ghanshyam More
Conti Ransomware
Conti

2021-11-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
Conti Ransomware Group In-Depth Analysis
Conti

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-10 ⋅ AT&T ⋅ Josh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti

2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti

2021-11-07 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
CONTI Ransomware: Cheat Sheet
Conti

2021-11-02 ⋅ Intel 471 ⋅ Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti

2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti

2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti

2021-10-25 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Conti Ransom Gang Starts Selling Access to Victims
Conti

2021-10-22 ⋅ HUNT & HACKETT ⋅ Krijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk

2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk

2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti

2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti

2021-09-22 ⋅ CISA ⋅ US-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti

2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil

2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti

2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti

2021-09-02 ⋅ Talos ⋅ Caitlin Huey, David Liebenberg, Azim Khodjibaev, Dmytro Korzhevin
Translated: Talos' insights from the recently leaked Conti ransomware playbook
Conti

2021-08-19 ⋅ Sekoia ⋅ sekoia
An insider insights into Conti operations – Part two
Cobalt Strike Conti

2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti

2021-08-17 ⋅ Sekoia ⋅ sekoia
An insider insights into Conti operations – Part one
Cobalt Strike Conti

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti

2021-08-10 ⋅ LIFARS ⋅ Vlad Pasca
A Detailed Analysis of The Last Version of Conti Ransomware
Conti

2021-08-10 ⋅ Youtube (OALabs) ⋅ OALabs
Leaked Conti Ransomware Playbook - Red Team Reacts
Conti

2021-08-06 ⋅ Threat Post ⋅ Elizabeth Montalbano
Angry Affiliate Leaks Conti Ransomware Gang Playbook
Conti

2021-08-06 ⋅ Sophos Naked Security ⋅ Paul Ducklin
Conti ransomware affiliate goes rogue, leaks “gang data”
Conti

2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu
Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals
Conti

2021-08-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Angry Conti ransomware affiliate leaks gang's attack playbook
Conti

2021-08-05 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access
Conti

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot

2021-07-21 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment
Conti

2021-07-08 ⋅ SentinelOne ⋅ Idan Weizman, Antonio Pirozzi
Conti Unpacked: Understanding Ransomware Development as a Response to Detection - A Detailed Technical Analysis
Conti

2021-07-01 ⋅ Fortinet ⋅ Dor Neemani, Asaf Rubinfeld
Diavol - A New Ransomware Used By Wizard Spider?
Conti Diavol

2021-07-01 ⋅ DomainTools ⋅ Chad Anderson
The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil

2021-06-30 ⋅ Cynet ⋅ Max Malyutin
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID

2021-06-18 ⋅ Palo Alto Networks Unit 42 ⋅ Richard Hickman
Conti Ransomware Gang: An Overview
Conti

2021-06-15 ⋅ Trend Micro ⋅ Janus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil

2021-06-02 ⋅ CrowdStrike ⋅ Josh Dalman, Heather Smith
Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil

2021-05-20 ⋅ FBI ⋅ FBI
Alert Number CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks
Conti

2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti

2021-05-12 ⋅ The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-04-29 ⋅ The Institute for Security and Technology ⋅ The Institute for Security and Technology
Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force
Conti EternalPetya

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-04-13 ⋅ MBSD ⋅ Takashi Yoshikawa, Kei Sugawara
Unraveling the internal structure of the Conti Ransomware
Conti

2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER

2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-25 ⋅ ANSSI ⋅ CERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-16 ⋅ SophosLabs Uncut ⋅ Michael Heller
A Conti ransomware attack day-by-day
Conti

2021-02-16 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Anand Ajjan
Conti ransomware: Evasive by nature
Conti

2021-02-16 ⋅ SophosLabs Uncut ⋅ Peter Mackenzie, Tilly Travers
What to expect when you’ve been hit with Conti ransomware
Conti

2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk

2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team
CONTI Modus Operandi and Bitcoin Tracking
Conti Ryuk

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti

2021-01-12 ⋅ Cybereason ⋅ Lior Rochberger
Cybereason vs. Conti Ransomware
BazarBackdoor Conti

2020-12-15 ⋅ Medium 0xthreatintel ⋅ 0xthreatintel
Reversing Conti Ransomware
Conti

2020-12-15 ⋅ Chuongdong blog ⋅ Chuong Dong
Conti Ransomware v2
Conti

2020-12-12 ⋅ Github (cdong1012) ⋅ Chuong Dong
ContiUnpacker: An automatic unpacker for Conti rasnomware
Conti

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot

2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-08-25 ⋅ BleepingComputer ⋅ Lawrence Abrams
Ryuk successor Conti Ransomware releases data leak site
Conti

2020-08-18 ⋅ Arete ⋅ Arete Incident Response
Is Conti the New Ryuk?
Conti Ryuk

2020-07-08 ⋅ VMWare Carbon Black ⋅ Brian Baskin
TAU Threat Discovery: Conti Ransomware
Conti

Yara Rules

[TLP:WHITE] win_conti_auto (20230808 | Detects win.conti.)

rule win_conti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.conti."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 57 bf0e000000 8d7101 }
            // n = 4, score = 600
            //   56                   | push                esi
            //   57                   | push                edi
            //   bf0e000000           | mov                 edi, 0xe
            //   8d7101               | lea                 esi, [ecx + 1]

        $sequence_1 = { 8d7f01 0fb6c0 b978000000 2bc8 }
            // n = 4, score = 600
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b978000000           | mov                 ecx, 0x78
            //   2bc8                 | sub                 ecx, eax

        $sequence_2 = { 57 bf0a000000 8d7101 8d5f75 8a06 8d7601 0fb6c0 }
            // n = 7, score = 600
            //   57                   | push                edi
            //   bf0a000000           | mov                 edi, 0xa
            //   8d7101               | lea                 esi, [ecx + 1]
            //   8d5f75               | lea                 ebx, [edi + 0x75]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8d7601               | lea                 esi, [esi + 1]
            //   0fb6c0               | movzx               eax, al

        $sequence_3 = { 8d7f01 0fb6c0 b96c000000 2bc8 }
            // n = 4, score = 600
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b96c000000           | mov                 ecx, 0x6c
            //   2bc8                 | sub                 ecx, eax

        $sequence_4 = { 0f1f4000 8a07 8d7f01 0fb6c0 b948000000 }
            // n = 5, score = 600
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b948000000           | mov                 ecx, 0x48

        $sequence_5 = { 8975fc 803e00 7541 53 bb0a000000 }
            // n = 5, score = 600
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7541                 | jne                 0x43
            //   53                   | push                ebx
            //   bb0a000000           | mov                 ebx, 0xa

        $sequence_6 = { 8975fc 803e00 7542 53 bb0e000000 }
            // n = 5, score = 600
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7542                 | jne                 0x44
            //   53                   | push                ebx
            //   bb0e000000           | mov                 ebx, 0xe

        $sequence_7 = { 8d7f01 0fb6c0 b909000000 2bc8 }
            // n = 4, score = 600
            //   8d7f01               | lea                 edi, [edi + 1]
            //   0fb6c0               | movzx               eax, al
            //   b909000000           | mov                 ecx, 9
            //   2bc8                 | sub                 ecx, eax

        $sequence_8 = { e8???????? 8bb6007d0000 85f6 75ef 6aff }
            // n = 5, score = 400
            //   e8????????           |                     
            //   8bb6007d0000         | mov                 esi, dword ptr [esi + 0x7d00]
            //   85f6                 | test                esi, esi
            //   75ef                 | jne                 0xfffffff1
            //   6aff                 | push                -1

        $sequence_9 = { 50 6a20 ff15???????? 68???????? ff15???????? 68???????? }
            // n = 6, score = 400
            //   50                   | push                eax
            //   6a20                 | push                0x20
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_10 = { 780e 7f07 3d00005000 7605 }
            // n = 4, score = 400
            //   780e                 | js                  0x10
            //   7f07                 | jg                  9
            //   3d00005000           | cmp                 eax, 0x500000
            //   7605                 | jbe                 7

        $sequence_11 = { 8bec 8b4d08 e8???????? 6a00 ff15???????? }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_12 = { 50 8b4508 ff7004 ff15???????? 85c0 7508 6a01 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1

        $sequence_13 = { 6810660000 ff7508 ff15???????? 85c0 }
            // n = 4, score = 400
            //   6810660000           | push                0x6610
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_14 = { 85ff 7408 57 56 ff15???????? ff75f8 56 }
            // n = 7, score = 400
            //   85ff                 | test                edi, edi
            //   7408                 | je                  0xa
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   56                   | push                esi

        $sequence_15 = { 7411 a801 740d 83f001 50 ff7608 }
            // n = 6, score = 400
            //   7411                 | je                  0x13
            //   a801                 | test                al, 1
            //   740d                 | je                  0xf
            //   83f001               | xor                 eax, 1
            //   50                   | push                eax
            //   ff7608               | push                dword ptr [esi + 8]

        $sequence_16 = { 48894c2430 4c8d45ff 488d4d0f 418bd6 48894c2428 488d4d07 48894c2420 }
            // n = 7, score = 300
            //   48894c2430           | dec                 eax
            //   4c8d45ff             | mov                 dword ptr [esp + 0x30], ecx
            //   488d4d0f             | dec                 esp
            //   418bd6               | lea                 eax, [ebp - 1]
            //   48894c2428           | dec                 eax
            //   488d4d07             | lea                 ecx, [ebp + 0xf]
            //   48894c2420           | inc                 ecx

        $sequence_17 = { 42884c0500 49ffc0 4983f80d 72af 44884d0f }
            // n = 5, score = 300
            //   42884c0500           | xor                 eax, eax
            //   49ffc0               | dec                 eax
            //   4983f80d             | mov                 dword ptr [esp + 0x40], ecx
            //   72af                 | dec                 eax
            //   44884d0f             | mov                 dword ptr [esp + 0x48], ecx

        $sequence_18 = { 33d2 ffd0 897c2450 b856555555 }
            // n = 4, score = 300
            //   33d2                 | dec                 eax
            //   ffd0                 | mov                 dword ptr [esp + 0x48], ecx
            //   897c2450             | dec                 eax
            //   b856555555           | lea                 edx, [ebp - 0x20]

        $sequence_19 = { 0fb64500 0fb645ff 84c0 755c }
            // n = 4, score = 300
            //   0fb64500             | xor                 eax, eax
            //   0fb645ff             | dec                 eax
            //   84c0                 | mov                 dword ptr [esp + 0x40], ecx
            //   755c                 | xor                 ecx, ecx

        $sequence_20 = { 488b4f30 488b4738 4885c9 7406 }
            // n = 4, score = 300
            //   488b4f30             | dec                 eax
            //   488b4738             | lea                 ecx, [esp + 0x70]
            //   4885c9               | inc                 ebp
            //   7406                 | xor                 eax, eax

        $sequence_21 = { 48894c2448 488d55e0 488d4c2470 4533c0 }
            // n = 4, score = 300
            //   48894c2448           | mov                 edx, esi
            //   488d55e0             | dec                 eax
            //   488d4c2470           | mov                 dword ptr [esp + 0x28], ecx
            //   4533c0               | dec                 eax

        $sequence_22 = { 42884c0501 49ffc0 4983f80c 72af }
            // n = 4, score = 300
            //   42884c0501           | test                ecx, ecx
            //   49ffc0               | je                  0x13
            //   4983f80c             | dec                 eax
            //   72af                 | mov                 ecx, dword ptr [edi + 0x30]

        $sequence_23 = { 41b801000000 488bd3 8bcf ffd0 4d85f6 }
            // n = 5, score = 300
            //   41b801000000         | dec                 eax
            //   488bd3               | lea                 edx, [ebp - 0x20]
            //   8bcf                 | dec                 eax
            //   ffd0                 | lea                 ecx, [esp + 0x70]
            //   4d85f6               | inc                 ebp

    condition:
        7 of them and filesize < 520192
}

[TLP:WHITE] win_conti_w0 (20220318 | Detect the Conti ransomware (x64))

rule win_conti_w0 {
   meta:
        author = "Arkbird_SOLG"
        description = "Detect the Conti ransomware (x64)"
        reference = "Internal Research"
        date = "2022-02-25"
        hash1 = "930ec6d08e9d29fa23805ff9784cb0d78b1dc4cc4d58daa0e653dfe478c45d3a"
        hash2 = "ea524e8b0dd046561b59a8d4da5a122aeff02036c87bb03056437a1d0f584039"
        hash3 = "ed4afa874e75b7bac665b9bcbf1d8e1324d4f9263c862755101cd79bb087ad45"
        hash4 = "1dea453e5344898c9a66309bd6d1cf6e21c56eb1427c026aac84b14a6b23f7fc"
        tlp = "White"
        adversary = "RAAS"
        source = "https://github.com/StrangerealIntel/Orion/blob/main/Ransomware/RAN_Conti_Feb_2022_1.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_version = "20220318"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
        $s1 = { f7 e9 03 d1 c1 fa 06 8b c2 c1 e8 1f 03 d0 6b c2 7f 2b c8 b8 09 04 02 81 83 c1 7f f7 e9 03 d1 c1 fa 06 8b c2 c1 e8 1f 03 d0 6b c2 7f 2b c8 88 4c 3c 39 48 ff c7 48 83 ff 24 72 ?? 0f b7 44 24 7c 48 8d 54 24 39 44 0f b7 4c 24 7a 48 8d 4d 80 44 0f b7 44 24 78 89 44 24 20 ff 15 [2] 01 00 8b d8 85 c0 74 32 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 44 8d 04 1b 4c 89 74 24 20 4c 8d 4c 24 68 48 8b cf 48 8d 55 80 ff d0 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 4c 8d 4c 24 68 4c 89 74 24 20 44 8b c6 48 8d 95 80 00 00 00 48 8b cf ff d0 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 4c 8d 4c 24 68 4c 89 74 24 20 41 b8 04 }
        $s2 = { 48 89 5c 24 08 48 89 74 24 18 57 48 83 ec 20 40 8a f1 8b 05 [2] 01 00 33 db 85 c0 7f 12 33 c0 48 8b 5c 24 30 48 8b 74 24 40 48 83 c4 20 5f c3 ff c8 89 05 [2] 01 00 e8 73 fa ff ff 40 8a f8 88 44 24 38 83 3d [2] 01 00 02 75 35 e8 86 fb ff ff e8 25 06 00 00 e8 9c 06 00 00 89 1d [2] 01 00 e8 a1 fb ff ff 40 8a cf e8 6d fd ff ff 33 d2 40 8a ce e8 87 fd ff ff 84 c0 0f 95 c3 8b c3 eb }
        $s3 = { 48 8b 0d [2] 01 00 4c 8b c3 33 d2 ff 15 [2] 00 00 48 85 c0 74 d4 eb 0d e8 60 08 00 00 c7 00 0c 00 00 00 33 c0 48 83 c4 20 5b c3 cc cc 48 85 c9 74 37 53 48 83 ec 20 4c 8b c1 33 d2 48 8b 0d [2] 01 00 ff 15 [2] 00 00 85 c0 75 17 e8 2b 08 00 00 48 8b d8 ff 15 [2] 00 00 8b c8 e8 63 07 00 00 89 03 48 83 c4 20 5b c3 cc cc cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b d9 49 }
        $s4 = { 48 83 c0 27 48 83 e0 e0 48 89 48 f8 eb 11 48 85 d2 74 0a 48 8b ca e8 [2] 00 00 eb 02 33 c0 4c 8d 04 5d 02 00 00 00 48 89 45 c0 48 8b d6 48 8b c8 e8 [2] 00 00 48 89 7d d8 48 c7 c7 ff ff ff ff 4c 8d 45 40 48 89 5d d0 48 8d 55 c0 48 8d 8d 20 04 00 00 e8 ?? dd ff ff 48 81 bd 30 04 00 00 04 01 00 00 0f 87 b2 00 00 00 48 83 bd 38 04 00 00 08 48 8d 8d 20 04 00 00 48 0f 43 8d 20 04 00 00 ff 15 [2] 01 00 85 c0 0f 84 8d 00 00 00 48 8d 8d ec 04 00 00 e8 ?? e0 ff ff }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 
}

Download all Yara Rules

Conti Propose Change

References

Yara Rules

Conti