SYMBOLCOMMON_NAMEaka. SYNONYMS
win.conti (Back to overview)

Conti


Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.

References
2022-09-20vmwareDana Behling
@online{behling:20220920:threat:099a73a, author = {Dana Behling}, title = {{Threat Report: Illuminating Volume Shadow Deletion}}, date = {2022-09-20}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html}, language = {English}, urldate = {2022-09-26} } Threat Report: Illuminating Volume Shadow Deletion
Conti HelloKitty
2022-09-07Intel 471Intel 471
@online{471:20220907:conti:594cb06, author = {Intel 471}, title = {{Conti vs. Monti: A Reinvention or Just a Simple Rebranding?}}, date = {2022-09-07}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding}, language = {English}, urldate = {2022-09-19} } Conti vs. Monti: A Reinvention or Just a Simple Rebranding?
Conti
2022-09-07BlackberryAnuj Soni, Ryan Chapman
@online{soni:20220907:curious:80138f0, author = {Anuj Soni and Ryan Chapman}, title = {{The Curious Case of “Monti” Ransomware: A Real-World Doppelganger}}, date = {2022-09-07}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger}, language = {English}, urldate = {2022-09-10} } The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
Conti MimiKatz Veeam Dumper
2022-08-22MicrosoftMicrosoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-03Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20220803:flight:a8efd82, author = {Brad Duncan}, title = {{Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware}}, date = {2022-08-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/}, language = {English}, urldate = {2022-08-08} } Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-08-02Recorded FutureInsikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-20KasperskyMarc Rivero López, Jornt van der Wiel, Dmitry Galov, Sergey Lozhkin
@online{lpez:20220720:luna:176a613, author = {Marc Rivero López and Jornt van der Wiel and Dmitry Galov and Sergey Lozhkin}, title = {{Luna and Black Basta — new ransomware for Windows, Linux and ESXi}}, date = {2022-07-20}, organization = {Kaspersky}, url = {https://securelist.com/luna-black-basta-ransomware/106950}, language = {English}, urldate = {2022-07-25} } Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23TrellixChristiaan Beek
@online{beek:20220623:sound:31e77bd, author = {Christiaan Beek}, title = {{The Sound of Malware}}, date = {2022-06-23}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html}, language = {English}, urldate = {2022-06-27} } The Sound of Malware
Conti VHD Ransomware
2022-06-15ThreatStopOfir Ashman
@online{ashman:20220615:first:a157972, author = {Ofir Ashman}, title = {{First Conti, then Hive: Costa Rica gets hit with ransomware again}}, date = {2022-06-15}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again}, language = {English}, urldate = {2022-06-27} } First Conti, then Hive: Costa Rica gets hit with ransomware again
Conti Hive Conti Hive
2022-06-15AttackIQJackson Wells, AttackIQ Adversary Research Team
@online{wells:20220615:attack:aa9fcfb, author = {Jackson Wells and AttackIQ Adversary Research Team}, title = {{Attack Graph Emulating the Conti Ransomware Team’s Behaviors}}, date = {2022-06-15}, organization = {AttackIQ}, url = {https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/}, language = {English}, urldate = {2022-07-01} } Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot
2022-06-02EclypsiumEclypsium
@online{eclypsium:20220602:conti:abb9754, author = {Eclypsium}, title = {{Conti Targets Critical Firmware}}, date = {2022-06-02}, organization = {Eclypsium}, url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/}, language = {English}, urldate = {2022-06-04} } Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-24The Hacker NewsFlorian Goutin
@online{goutin:20220524:malware:e85b49b, author = {Florian Goutin}, title = {{Malware Analysis: Trickbot}}, date = {2022-05-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html}, language = {English}, urldate = {2022-05-29} } Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-23Trend MicroMatsugaya Shingo
@online{shingo:20220523:lockbit:8d0fff2, author = {Matsugaya Shingo}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022}}, date = {2022-05-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022}, language = {English}, urldate = {2022-05-24} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit
2022-05-23Trend MicroTrend Micro Research
@techreport{research:20220523:lockbit:6eb72ce, author = {Trend Micro Research}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf}, language = {English}, urldate = {2022-05-29} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)
BlackCat Conti LockBit
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20220518:wizard:e7ee1c4, author = {PRODAFT}, title = {{Wizard Spider In-Depth Analysis}}, date = {2022-05-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf}, language = {English}, urldate = {2022-05-25} } Wizard Spider In-Depth Analysis
Cobalt Strike Conti
2022-05-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220517:hydra:16615d9, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups}}, date = {2022-05-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups}, language = {English}, urldate = {2022-05-25} } Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05YouTube (The Vertex Project)Ryan Hallbeck
@online{hallbeck:20220505:contileaks:bf91010, author = {Ryan Hallbeck}, title = {{Contileaks: Identifying, Extracting, & Modeling Bitcoin Addresses}}, date = {2022-05-05}, organization = {YouTube (The Vertex Project)}, url = {https://www.youtube.com/watch?v=cYx7sQRbjGA}, language = {English}, urldate = {2022-05-18} } Contileaks: Identifying, Extracting, & Modeling Bitcoin Addresses
Conti
2022-05-03Talos IntelligenceJON MUNSHAW
@online{munshaw:20220503:conti:ae16fc1, author = {JON MUNSHAW}, title = {{Conti and Hive ransomware operations: What we learned from these groups' victim chats}}, date = {2022-05-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive
2022-05-03CiscoKendall McKay, Paul Eubanks., JAIME FILSON
@online{mckay:20220503:conti:c764c61, author = {Kendall McKay and Paul Eubanks. and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-03}, organization = {Cisco}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive
2022-05-02Cisco TalosKendall McKay, Paul Eubanks, JAIME FILSON
@techreport{mckay:20220502:conti:330e34b, author = {Kendall McKay and Paul Eubanks and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-02}, institution = {Cisco Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-04-29NCC GroupMike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
@online{stokkel:20220429:adventures:7be43ad, author = {Mike Stokkel and Nikolaos Totosis and Nikolaos Pantazopoulos}, title = {{Adventures in the land of BumbleBee – a new malicious loader}}, date = {2022-04-29}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/}, language = {English}, urldate = {2022-04-29} } Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-28PWCPWC UK
@techreport{uk:20220428:cyber:c43873f, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf}, language = {English}, urldate = {2022-04-29} } Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2022-04-26Intel 471Intel 471
@online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-21SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220421:gold:5d6ad6d, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Continues Conti Operations Despite Public Disclosures}}, date = {2022-04-21}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures}, language = {English}, urldate = {2022-04-29} } GOLD ULRICK Continues Conti Operations Despite Public Disclosures
Conti Conti
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-18TrellixMarc Elias, Jambul Tologonov, Alexandre Mundo
@online{elias:20220418:conti:b15356d, author = {Marc Elias and Jambul Tologonov and Alexandre Mundo}, title = {{Conti Group Targets ESXi Hypervisors With its Linux Variant}}, date = {2022-04-18}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html}, language = {English}, urldate = {2022-04-20} } Conti Group Targets ESXi Hypervisors With its Linux Variant
Conti Conti
2022-04-17BushidoToken BlogBushidoToken
@online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15Arctic WolfArctic Wolf
@online{wolf:20220415:karakurt:623f8e6, author = {Arctic Wolf}, title = {{The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model}}, date = {2022-04-15}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/karakurt-web}, language = {English}, urldate = {2022-05-04} } The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot
2022-04-15Bleeping ComputerIonut Ilascu
@online{ilascu:20220415:karakurt:6fc6399, author = {Ionut Ilascu}, title = {{Karakurt revealed as data extortion arm of Conti cybercrime syndicate}}, date = {2022-04-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/}, language = {English}, urldate = {2022-05-04} } Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2022-04-12ConnectWiseConnectWise CRU
@online{cru:20220412:threat:d5577b2, author = {ConnectWise CRU}, title = {{Threat Profile: Conti}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/conti-profile}, language = {English}, urldate = {2022-04-13} } Threat Profile: Conti
Conti
2022-04-11cocomelonc
@online{cocomelonc:20220411:conti:a30496a, author = {cocomelonc}, title = {{Conti ransomware source code investigation - part 2}}, date = {2022-04-11}, url = {https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html}, language = {English}, urldate = {2022-09-27} } Conti ransomware source code investigation - part 2
Conti
2022-04-09Bleeping ComputerLawrence Abrams
@online{abrams:20220409:hackers:0a9cea8, author = {Lawrence Abrams}, title = {{Hackers use Conti's leaked ransomware to attack Russian companies}}, date = {2022-04-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/}, language = {English}, urldate = {2022-05-05} } Hackers use Conti's leaked ransomware to attack Russian companies
Conti
2022-04-08ReversingLabsPaul Roberts
@online{roberts:20220408:conversinglabs:270c740, author = {Paul Roberts}, title = {{ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles}}, date = {2022-04-08}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles}, language = {English}, urldate = {2022-06-09} } ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot
2022-04-06TRM LabsTRM Labs
@online{labs:20220406:trm:84a2174, author = {TRM Labs}, title = {{TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider}}, date = {2022-04-06}, organization = {TRM Labs}, url = {https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider}, language = {English}, urldate = {2022-05-05} } TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider
Conti Ryuk
2022-04-04The DFIR Report@0xtornado, @yatinwad, @MettalicHack, @_pete_0
@online{0xtornado:20220404:stolen:3df91a7, author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0}, title = {{Stolen Images Campaign Ends in Conti Ransomware}}, date = {2022-04-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/}, language = {English}, urldate = {2022-04-04} } Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-04-02Github (cocomelonc)cocomelonc
@online{cocomelonc:20220402:malware:48c405d, author = {cocomelonc}, title = {{Malware development tricks. Find kernel32.dll base: asm style. C++ example.}}, date = {2022-04-02}, organization = {Github (cocomelonc)}, url = {https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html}, language = {English}, urldate = {2022-04-07} } Malware development tricks. Find kernel32.dll base: asm style. C++ example.
Conti
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-31nccgroupNikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
@online{pantazopoulos:20220331:continuation:b38514d, author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team}, title = {{Conti-nuation: methods and techniques observed in operations post the leaks}}, date = {2022-03-31}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/}, language = {English}, urldate = {2022-03-31} } Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-27cocomelonc
@online{cocomelonc:20220327:conti:07dddfb, author = {cocomelonc}, title = {{Conti ransomware source code investigation - part 1}}, date = {2022-03-27}, url = {https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html}, language = {English}, urldate = {2022-09-27} } Conti ransomware source code investigation - part 1
Conti
2022-03-25ZscalerBrett Stone-Gross
@online{stonegross:20220325:conti:0d568cc, author = {Brett Stone-Gross}, title = {{Conti Ransomware Attacks Persist With an Updated Version Despite Leaks}}, date = {2022-03-25}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks}, language = {English}, urldate = {2022-03-28} } Conti Ransomware Attacks Persist With an Updated Version Despite Leaks
Conti
2022-03-23Intel 471Intel 471
@online{471:20220323:conti:694f144, author = {Intel 471}, title = {{Conti puts the ‘organized’ in organized crime}}, date = {2022-03-23}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-cybercrime-fire-team}, language = {English}, urldate = {2022-03-23} } Conti puts the ‘organized’ in organized crime
Conti
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:threat:84ad46c, author = {Counter Threat Unit ResearchTeam}, title = {{Threat Intelligence Executive Report Volume 2022, Number 2}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx}, language = {English}, urldate = {2022-03-25} } Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:gold:0f3da90, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships}, language = {English}, urldate = {2022-03-25} } GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-22ThreatStopOfir Ashman
@online{ashman:20220322:conti:7ffebe5, author = {Ofir Ashman}, title = {{Conti ransomware leaks - what happens when hackers support Russia}}, date = {2022-03-22}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/conti-ransomware-source-code-leaked}, language = {English}, urldate = {2022-04-07} } Conti ransomware leaks - what happens when hackers support Russia
Conti
2022-03-21Threat PostLisa Vaas
@online{vaas:20220321:conti:0b203c8, author = {Lisa Vaas}, title = {{Conti Ransomware V. 3, Including Decryptor, Leaked}}, date = {2022-03-21}, organization = {Threat Post}, url = {https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/}, language = {English}, urldate = {2022-03-22} } Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot
2022-03-21eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-18eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220318:analysis:fd06091, author = {eSentire Threat Response Unit (TRU)}, title = {{Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)}}, date = {2022-03-18}, organization = {eSentire}, url = {https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru}, language = {English}, urldate = {2022-05-23} } Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)
Conti Conti
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-17GoogleVladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
@online{stolyarov:20220317:exposing:f818c6d, author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/}, language = {English}, urldate = {2022-03-18} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-17GoogleVladislav Stolyarov, Benoit Sevens
@online{stolyarov:20220317:exposing:5f565b6, author = {Vladislav Stolyarov and Benoit Sevens}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti}, language = {English}, urldate = {2022-05-17} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
2022-03-16DragosJosh Hanrahan
@online{hanrahan:20220316:suspected:325fc01, author = {Josh Hanrahan}, title = {{Suspected Conti Ransomware Activity in the Auto Manufacturing Sector}}, date = {2022-03-16}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/}, language = {English}, urldate = {2022-03-17} } Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Conti Emotet
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-15PrevailionMatt Stafford, Sherman Smith
@online{stafford:20220315:what:1df16e6, author = {Matt Stafford and Sherman Smith}, title = {{What Wicked Webs We Un-weave}}, date = {2022-03-15}, organization = {Prevailion}, url = {https://www.prevailion.com/what-wicked-webs-we-unweave/}, language = {English}, urldate = {2022-03-17} } What Wicked Webs We Un-weave
Cobalt Strike Conti
2022-03-10Check Point Research
@online{research:20220310:leaks:4880b6a, author = {Check Point Research}, title = {{Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of}}, date = {2022-03-10}, url = {https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/}, language = {English}, urldate = {2022-03-14} } Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of
Conti
2022-03-09Bleeping ComputerIonut Ilascu
@online{ilascu:20220309:cisa:63f18cd, author = {Ionut Ilascu}, title = {{CISA updates Conti ransomware alert with nearly 100 domain names}}, date = {2022-03-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/}, language = {English}, urldate = {2022-03-10} } CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-08Github (whichbuffer)Arda Büyükkaya
@online{bykkaya:20220308:contiransomwareioc:57c8ab1, author = {Arda Büyükkaya}, title = {{Conti-Ransomware-IOC}}, date = {2022-03-08}, organization = {Github (whichbuffer)}, url = {https://github.com/whichbuffer/Conti-Ransomware-IOC}, language = {English}, urldate = {2022-03-10} } Conti-Ransomware-IOC
Conti
2022-03-08YoroiLuigi Martire, Carmelo Ragusa, Luca Mella
@online{martire:20220308:conti:bc6c20c, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Conti Ransomware source code: a well-designed COTS ransomware}}, date = {2022-03-08}, organization = {Yoroi}, url = {https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/}, language = {English}, urldate = {2022-03-10} } Conti Ransomware source code: a well-designed COTS ransomware
Conti
2022-03-08MBSDMBSD
@techreport{mbsd:20220308:contileaks:1c34368, author = {MBSD}, title = {{ContiLeaks}}, date = {2022-03-08}, institution = {MBSD}, url = {https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf}, language = {Japanese}, urldate = {2022-03-14} } ContiLeaks
Conti
2022-03-08The RecordDina Temple-Raston
@online{templeraston:20220308:inside:4c0cda0, author = {Dina Temple-Raston}, title = {{Inside Conti leaks: The Panama Papers of ransomware}}, date = {2022-03-08}, organization = {The Record}, url = {https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/}, language = {English}, urldate = {2022-03-10} } Inside Conti leaks: The Panama Papers of ransomware
Conti
2022-03-07CyberScoopSuzanne Smalley
@online{smalley:20220307:ransomware:bfdda67, author = {Suzanne Smalley}, title = {{Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say}}, date = {2022-03-07}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/}, language = {English}, urldate = {2022-03-10} } Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say
Conti
2022-03-03Trend MicroTrend Micro Research
@techreport{research:20220303:ioc:216aad3, author = {Trend Micro Research}, title = {{IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks}}, date = {2022-03-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf}, language = {English}, urldate = {2022-03-04} } IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate
2022-03-03Trend MicroTrend Micro Research
@online{research:20220303:cyberattacks:d961eb0, author = {Trend Micro Research}, title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}}, date = {2022-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html}, language = {English}, urldate = {2022-03-04} } Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-02elDiarioCarlos del Castillo
@online{castillo:20220302:cybercrime:c1663a8, author = {Carlos del Castillo}, title = {{Cybercrime bosses warn that they will "fight back" if Russia is hacked}}, date = {2022-03-02}, organization = {elDiario}, url = {https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html}, language = {Spanish}, urldate = {2022-03-04} } Cybercrime bosses warn that they will "fight back" if Russia is hacked
Conti Ryuk
2022-03-02CyberArkCyberArk Labs
@online{labs:20220302:conti:52c16db, author = {CyberArk Labs}, title = {{Conti Group Leaked!}}, date = {2022-03-02}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked}, language = {English}, urldate = {2022-03-03} } Conti Group Leaked!
TeamTNT Conti TrickBot
2022-03-02Cluster25Cluster25
@online{cluster25:20220302:contis:27cb79d, author = {Cluster25}, title = {{Conti's Source Code: Deep-Dive Into}}, date = {2022-03-02}, organization = {Cluster25}, url = {https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/}, language = {English}, urldate = {2022-03-07} } Conti's Source Code: Deep-Dive Into
Conti
2022-03-02Youtube (OALabs)Sergei Frankoff, Sean Wilson
@online{frankoff:20220302:botleggers:1cb3ac9, author = {Sergei Frankoff and Sean Wilson}, title = {{Botleggers Exposed - Analysis of The Conti Leaks Malware}}, date = {2022-03-02}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=uORuVVQzZ0A}, language = {English}, urldate = {2022-03-07} } Botleggers Exposed - Analysis of The Conti Leaks Malware
Conti
2022-03-02KrebsOnSecurityBrian Krebs
@online{krebs:20220302:conti:03b0358, author = {Brian Krebs}, title = {{Conti Ransomware Group Diaries, Part II: The Office}}, date = {2022-03-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-03-02ThreatpostLisa Vaas
@online{vaas:20220302:conti:ffc8271, author = {Lisa Vaas}, title = {{Conti Ransomware Decryptor, TrickBot Source Code Leaked}}, date = {2022-03-02}, organization = {Threatpost}, url = {https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot
2022-03-01Twitter (@TheDFIRReport)The DFIR Report
@online{report:20220301:twitter:fbd496d, author = {The DFIR Report}, title = {{Twitter thread with highlights from conti leaks}}, date = {2022-03-01}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1498642512935800833}, language = {English}, urldate = {2022-03-02} } Twitter thread with highlights from conti leaks
Conti
2022-03Arctic WolfArctic Wolf
@online{wolf:202203:conti:1fd1864, author = {Arctic Wolf}, title = {{Conti Ransomware: An Analysis of Key Findings}}, date = {2022-03}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed}, language = {English}, urldate = {2022-04-29} } Conti Ransomware: An Analysis of Key Findings
Conti
2022-03-01Bleeping ComputerLawrence Abrams
@online{abrams:20220301:conti:4cd4535, author = {Lawrence Abrams}, title = {{Conti Ransomware source code leaked by Ukrainian researcher}}, date = {2022-03-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/}, language = {English}, urldate = {2022-03-07} } Conti Ransomware source code leaked by Ukrainian researcher
Conti
2022-03-01Medium whickey000Wade Hickey
@online{hickey:20220301:how:5c93535, author = {Wade Hickey}, title = {{How I Cracked CONTI Ransomware Group’s Leaked Source Code ZIP File}}, date = {2022-03-01}, organization = {Medium whickey000}, url = {https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8}, language = {English}, urldate = {2022-03-02} } How I Cracked CONTI Ransomware Group’s Leaked Source Code ZIP File
Conti
2022-03-01VX-Underground
@online{vxunderground:20220301:leaks:6e42f8b, author = {VX-Underground}, title = {{Leaks: Conti / Trickbot}}, date = {2022-03-01}, url = {https://share.vx-underground.org/Conti/}, language = {English}, urldate = {2022-03-07} } Leaks: Conti / Trickbot
Conti TrickBot
2022-02-28Medium arnozobecArnaud Zobec
@online{zobec:20220228:analyzing:4990203, author = {Arnaud Zobec}, title = {{Analyzing conti-leaks without speaking russian — only methodology}}, date = {2022-02-28}, organization = {Medium arnozobec}, url = {https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b}, language = {English}, urldate = {2022-03-02} } Analyzing conti-leaks without speaking russian — only methodology
Conti
2022-02-28Github (TheParmak)TheParmak
@online{theparmak:20220228:contileaksenglished:93562ee, author = {TheParmak}, title = {{conti-leaks-englished}}, date = {2022-02-28}, organization = {Github (TheParmak)}, url = {https://github.com/TheParmak/conti-leaks-englished}, language = {English}, urldate = {2022-03-01} } conti-leaks-englished
Conti
2022-02-28SophosSean Gallagher
@online{gallagher:20220228:conti:bcf09a0, author = {Sean Gallagher}, title = {{Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits}}, date = {2022-02-28}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728}, language = {English}, urldate = {2022-03-02} } Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2022-02-27The RecordCatalin Cimpanu
@online{cimpanu:20220227:conti:935e928, author = {Catalin Cimpanu}, title = {{Conti ransomware gang chats leaked by pro-Ukraine member}}, date = {2022-02-27}, organization = {The Record}, url = {https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/}, language = {English}, urldate = {2022-03-01} } Conti ransomware gang chats leaked by pro-Ukraine member
Conti LockBit
2022-02-27Bleeping ComputerLawrence Abrams
@online{abrams:20220227:conti:bf48bb7, author = {Lawrence Abrams}, title = {{Conti ransomware's internal chats leaked after siding with Russia}}, date = {2022-02-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/}, language = {English}, urldate = {2022-03-01} } Conti ransomware's internal chats leaked after siding with Russia
Conti
2022-02-25Red Hot CyberRed Hot Cyber
@online{cyber:20220225:il:2af16d4, author = {Red Hot Cyber}, title = {{Il ransomware Conti si schiera a favore della Russia.}}, date = {2022-02-25}, organization = {Red Hot Cyber}, url = {https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia}, language = {Italian}, urldate = {2022-03-01} } Il ransomware Conti si schiera a favore della Russia.
Conti
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-23AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220223:24:59b3a28, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)}}, date = {2022-02-23}, organization = {AdvIntel}, url = {https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir}, language = {English}, urldate = {2022-03-01} } 24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti
2022-02-22Bankinfo SecurityMatthew J. Schwartz
@online{schwartz:20220222:cybercrime:ccc094e, author = {Matthew J. Schwartz}, title = {{Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware}}, date = {2022-02-22}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573}, language = {English}, urldate = {2022-02-26} } Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot
2022-02-22SophosChester Wisniewski
@online{wisniewski:20220222:cyberthreats:c100e29, author = {Chester Wisniewski}, title = {{Cyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?}}, date = {2022-02-22}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/}, language = {English}, urldate = {2022-03-18} } Cyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?
Conti
2022-02-20Security AffairsPierluigi Paganini
@online{paganini:20220220:conti:a6d57b1, author = {Pierluigi Paganini}, title = {{The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.}}, date = {2022-02-20}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html}, language = {English}, urldate = {2022-02-26} } The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot
2022-02-18Bleeping ComputerIonut Ilascu
@online{ilascu:20220218:conti:9a7f82b, author = {Ionut Ilascu}, title = {{Conti ransomware gang takes over TrickBot malware operation}}, date = {2022-02-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/}, language = {English}, urldate = {2022-02-19} } Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot
2022-02-14Cyware
@online{cyware:20220214:ransomware:e449514, author = {Cyware}, title = {{Ransomware Becomes Deadlier, Conti Makes the Most Money}}, date = {2022-02-14}, url = {https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/}, language = {English}, urldate = {2022-02-16} } Ransomware Becomes Deadlier, Conti Makes the Most Money
Conti
2022-02-09DragosAnna Skelton
@online{skelton:20220209:dragos:89d2a68, author = {Anna Skelton}, title = {{Dragos ICS/OT Ransomware Analysis: Q4 2021}}, date = {2022-02-09}, organization = {Dragos}, url = {https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/}, language = {English}, urldate = {2022-02-14} } Dragos ICS/OT Ransomware Analysis: Q4 2021
LockBit Conti LockBit
2022-02-04Bleeping ComputerSergiu Gatlan
@online{gatlan:20220204:hhs:2f39dbe, author = {Sergiu Gatlan}, title = {{HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems}}, date = {2022-02-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/}, language = {English}, urldate = {2022-02-17} } HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems
Conti
2022-01-27CoveWare
@online{coveware:20220127:ransomware:165f513, author = {CoveWare}, title = {{Ransomware as a Service Innovation Curve}}, date = {2022-01-27}, url = {https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve}, language = {English}, urldate = {2022-02-14} } Ransomware as a Service Innovation Curve
Conti LockBit
2022-01-27BleepingComputerSergiu Gatlan
@online{gatlan:20220127:taiwanese:287d9cf, author = {Sergiu Gatlan}, title = {{Taiwanese Apple and Tesla contractor hit by Conti ransomware}}, date = {2022-01-27}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/}, language = {English}, urldate = {2022-02-01} } Taiwanese Apple and Tesla contractor hit by Conti ransomware
Conti
2022-01-24CyCraftCyCraft AI
@online{ai:20220124:road:2070066, author = {CyCraft AI}, title = {{The Road to Ransomware Resilience, Part 2: Behavior Analysis}}, date = {2022-01-24}, organization = {CyCraft}, url = {https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd}, language = {English}, urldate = {2022-03-02} } The Road to Ransomware Resilience, Part 2: Behavior Analysis
Conti Prometheus WastedLocker
2022Silent PushSilent Push
@online{push:2022:consequences:765e347, author = {Silent Push}, title = {{Consequences- The Conti Leaks and future problems}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems}, language = {English}, urldate = {2022-07-15} } Consequences- The Conti Leaks and future problems
Cobalt Strike Conti
2021-12-23SymantecSiddhesh Chandrayan
@online{chandrayan:20211223:log4j:58ea562, author = {Siddhesh Chandrayan}, title = {{Log4j Vulnerabilities: Attack Insights}}, date = {2021-12-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks}, language = {English}, urldate = {2022-01-25} } Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass
2021-12-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20211217:ransomware:767cb9b, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement}}, date = {2021-12-17}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement}, language = {English}, urldate = {2021-12-20} } Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement
Conti
2021-12-13The DFIR ReportThe DFIR Report
@online{report:20211213:diavol:7b6e4e6, author = {The DFIR Report}, title = {{Diavol Ransomware}}, date = {2021-12-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/12/13/diavol-ransomware/}, language = {English}, urldate = {2021-12-22} } Diavol Ransomware
BazarBackdoor Conti Diavol
2021-12-08DarktraceJustin Fier
@online{fier:20211208:double:d7f9207, author = {Justin Fier}, title = {{The double extortion business: Conti Ransomware Gang finds new avenues of negotiation}}, date = {2021-12-08}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/}, language = {English}, urldate = {2021-12-09} } The double extortion business: Conti Ransomware Gang finds new avenues of negotiation
Conti
2021-12-03HSEHSE
@techreport{hse:20211203:conti:eae1edb, author = {HSE}, title = {{Conti cyber attack on the HSE}}, date = {2021-12-03}, institution = {HSE}, url = {https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf}, language = {English}, urldate = {2022-02-07} } Conti cyber attack on the HSE
Conti
2021-12-01Trend MicroTrend Micro
@online{micro:20211201:ransomware:8af82b0, author = {Trend Micro}, title = {{Ransomware Spotlight: Conti}}, date = {2021-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti}, language = {English}, urldate = {2022-03-02} } Ransomware Spotlight: Conti
Conti
2021-11-29The DFIR ReportThe DFIR Report
@online{report:20211129:continuing:646e622, author = {The DFIR Report}, title = {{CONTInuing the Bazar Ransomware Story}}, date = {2021-11-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/}, language = {English}, urldate = {2021-12-07} } CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti
2021-11-18EllipticElliptic Intel
@online{intel:20211118:conti:4806ab9, author = {Elliptic Intel}, title = {{Conti Ransomware Nets at Least $25.5 Million in Four Months}}, date = {2021-11-18}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months}, language = {English}, urldate = {2021-11-19} } Conti Ransomware Nets at Least $25.5 Million in Four Months
Conti
2021-11-18Red CanaryThe Red Canary Team
@online{team:20211118:intelligence:7b00cb9, author = {The Red Canary Team}, title = {{Intelligence Insights: November 2021}}, date = {2021-11-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-november-2021/}, language = {English}, urldate = {2021-11-19} } Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-18QualysGhanshyam More
@online{more:20211118:conti:f09071f, author = {Ghanshyam More}, title = {{Conti Ransomware}}, date = {2021-11-18}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware}, language = {English}, urldate = {2022-03-02} } Conti Ransomware
Conti
2021-11-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20211118:conti:d10b80f, author = {PRODAFT}, title = {{Conti Ransomware Group In-Depth Analysis}}, date = {2021-11-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf}, language = {English}, urldate = {2021-11-19} } Conti Ransomware Group In-Depth Analysis
Conti
2021-11-16IronNetIronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8, author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski}, title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}}, date = {2021-11-16}, organization = {IronNet}, url = {https://www.ironnet.com/blog/ransomware-graphic-blog}, language = {English}, urldate = {2021-11-25} } How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-15TRUESECFabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d, author = {Fabio Viggiani}, title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}}, date = {2021-11-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks}, language = {English}, urldate = {2021-11-17} } ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-10AT&TJosh Gomez
@online{gomez:20211110:stories:4ce1168, author = {Josh Gomez}, title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}}, date = {2021-11-10}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my}, language = {English}, urldate = {2021-11-17} } Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti
2021-11-09CybereasonAleksandar Milenkoski, Eli Salem
@online{milenkoski:20211109:threat:9f898c9, author = {Aleksandar Milenkoski and Eli Salem}, title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}}, date = {2021-11-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware}, language = {English}, urldate = {2022-02-09} } THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti
2021-11-07Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20211107:conti:1f13ec3, author = {Marco Ramilli}, title = {{CONTI Ransomware: Cheat Sheet}}, date = {2021-11-07}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/}, language = {English}, urldate = {2021-11-08} } CONTI Ransomware: Cheat Sheet
Conti
2021-11-02Intel 471Intel 471
@online{471:20211102:cybercrime:4d53035, author = {Intel 471}, title = {{Cybercrime underground flush with shipping companies’ credentials}}, date = {2021-11-02}, organization = {Intel 471}, url = {https://intel471.com/blog/shipping-companies-ransomware-credentials}, language = {English}, urldate = {2021-11-03} } Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti
2021-11-02unh4ckCyb3rSn0rlax
@online{cyb3rsn0rlax:20211102:detecting:a2828eb, author = {Cyb3rSn0rlax}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}}, date = {2021-11-02}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2}, language = {English}, urldate = {2021-11-03} } Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti
2021-10-26unh4ckHamza OUADIA
@online{ouadia:20211026:detecting:2a3e2fa, author = {Hamza OUADIA}, title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}}, date = {2021-10-26}, organization = {unh4ck}, url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1}, language = {English}, urldate = {2021-11-03} } Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti
2021-10-25KrebsOnSecurityBrian Krebs
@online{krebs:20211025:conti:786ccff, author = {Brian Krebs}, title = {{Conti Ransom Gang Starts Selling Access to Victims}}, date = {2021-10-25}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/}, language = {English}, urldate = {2021-11-03} } Conti Ransom Gang Starts Selling Access to Victims
Conti
2021-10-22HUNT & HACKETTKrijn de Mik
@online{mik:20211022:advanced:e22d6f6, author = {Krijn de Mik}, title = {{Advanced IP Scanner: the preferred scanner in the A(P)T toolbox}}, date = {2021-10-22}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox}, language = {English}, urldate = {2021-11-02} } Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-05Trend MicroFyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
@online{yarochkin:20211005:ransomware:e5f5375, author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana}, title = {{Ransomware as a Service: Enabler of Widespread Attacks}}, date = {2021-10-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks}, language = {English}, urldate = {2021-10-20} } Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-10-04The DFIR ReportThe DFIR Report
@online{report:20211004:bazarloader:fe3adf3, author = {The DFIR Report}, title = {{BazarLoader and the Conti Leaks}}, date = {2021-10-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/}, language = {English}, urldate = {2021-10-11} } BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-09-29Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210929:backup:4aebe4e, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}}, date = {2021-09-29}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love}, language = {English}, urldate = {2021-10-20} } Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti
2021-09-22CISAUS-CERT
@online{uscert:20210922:alert:50b9d38, author = {US-CERT}, title = {{Alert (AA21-265A) Conti Ransomware}}, date = {2021-09-22}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-265a}, language = {English}, urldate = {2021-10-05} } Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-13The DFIR ReportThe DFIR Report
@online{report:20210913:bazarloader:5073703, author = {The DFIR Report}, title = {{BazarLoader to Conti Ransomware in 32 Hours}}, date = {2021-09-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/}, language = {English}, urldate = {2021-09-14} } BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-03SophosSean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
@online{gallagher:20210903:conti:db20680, author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi}, title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}}, date = {2021-09-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/}, language = {English}, urldate = {2021-09-06} } Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-09-02TalosCaitlin Huey, David Liebenberg, Azim Khodjibaev, Dmytro Korzhevin
@online{huey:20210902:translated:dfdc05f, author = {Caitlin Huey and David Liebenberg and Azim Khodjibaev and Dmytro Korzhevin}, title = {{Translated: Talos' insights from the recently leaked Conti ransomware playbook}}, date = {2021-09-02}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html}, language = {English}, urldate = {2021-09-06} } Translated: Talos' insights from the recently leaked Conti ransomware playbook
Conti
2021-08-19Sekoiasekoia
@online{sekoia:20210819:insider:ceb84de, author = {sekoia}, title = {{An insider insights into Conti operations – Part two}}, date = {2021-08-19}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/}, language = {English}, urldate = {2021-09-06} } An insider insights into Conti operations – Part two
Cobalt Strike Conti
2021-08-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210817:hunting:1dc14d0, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}}, date = {2021-08-17}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations}, language = {English}, urldate = {2021-08-31} } Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti
2021-08-17Sekoiasekoia
@online{sekoia:20210817:insider:3b427c7, author = {sekoia}, title = {{An insider insights into Conti operations – Part one}}, date = {2021-08-17}, organization = {Sekoia}, url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one}, language = {English}, urldate = {2021-09-06} } An insider insights into Conti operations – Part one
Cobalt Strike Conti
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-11Advanced IntelligenceVitali Kremez
@online{kremez:20210811:secret:5c5f06c, author = {Vitali Kremez}, title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}}, date = {2021-08-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent}, language = {English}, urldate = {2021-08-31} } Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti
2021-08-10LIFARSVlad Pasca
@techreport{pasca:20210810:detailed:40b9c7e, author = {Vlad Pasca}, title = {{A Detailed Analysis of The Last Version of Conti Ransomware}}, date = {2021-08-10}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf}, language = {English}, urldate = {2022-01-20} } A Detailed Analysis of The Last Version of Conti Ransomware
Conti
2021-08-10Youtube (OALabs)OALabs
@online{oalabs:20210810:leaked:4d4be75, author = {OALabs}, title = {{Leaked Conti Ransomware Playbook - Red Team Reacts}}, date = {2021-08-10}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hmaWy9QIC7c}, language = {English}, urldate = {2021-08-25} } Leaked Conti Ransomware Playbook - Red Team Reacts
Conti
2021-08-06Threat PostElizabeth Montalbano
@online{montalbano:20210806:angry:5c2b1ff, author = {Elizabeth Montalbano}, title = {{Angry Affiliate Leaks Conti Ransomware Gang Playbook}}, date = {2021-08-06}, organization = {Threat Post}, url = {https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/}, language = {English}, urldate = {2022-02-14} } Angry Affiliate Leaks Conti Ransomware Gang Playbook
Conti
2021-08-06Sophos Naked SecurityPaul Ducklin
@online{ducklin:20210806:conti:9bcfb85, author = {Paul Ducklin}, title = {{Conti ransomware affiliate goes rogue, leaks “gang data”}}, date = {2021-08-06}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/}, language = {English}, urldate = {2022-03-18} } Conti ransomware affiliate goes rogue, leaks “gang data”
Conti
2021-08-05The RecordCatalin Cimpanu
@online{cimpanu:20210805:disgruntled:4a7c7d7, author = {Catalin Cimpanu}, title = {{Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/}, language = {English}, urldate = {2021-08-06} } Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals
Conti
2021-08-05Bleeping ComputerLawrence Abrams
@online{abrams:20210805:angry:a9916d3, author = {Lawrence Abrams}, title = {{Angry Conti ransomware affiliate leaks gang's attack playbook}}, date = {2021-08-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/}, language = {English}, urldate = {2021-08-06} } Angry Conti ransomware affiliate leaks gang's attack playbook
Conti
2021-08-05Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210805:conti:8ba71b6, author = {Peter Mackenzie}, title = {{Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access}}, date = {2021-08-05}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1423188974298861571}, language = {English}, urldate = {2021-08-06} } Tweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to maintain network access
Conti
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-08-01The DFIR ReportThe DFIR Report
@online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-21Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210721:conti:085858b, author = {Peter Mackenzie}, title = {{Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment}}, date = {2021-07-21}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1417849181012647938}, language = {English}, urldate = {2021-07-22} } Tweet on Conti ransomware actor installing AnyDesk for remote access in victim environment
Conti
2021-07-08SentinelOneIdan Weizman, Antonio Pirozzi
@online{weizman:20210708:conti:db03f2a, author = {Idan Weizman and Antonio Pirozzi}, title = {{Conti Unpacked: Understanding Ransomware Development as a Response to Detection - A Detailed Technical Analysis}}, date = {2021-07-08}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked}, language = {English}, urldate = {2021-07-12} } Conti Unpacked: Understanding Ransomware Development as a Response to Detection - A Detailed Technical Analysis
Conti
2021-07-01FortinetDor Neemani, Asaf Rubinfeld
@online{neemani:20210701:diavol:d1ed746, author = {Dor Neemani and Asaf Rubinfeld}, title = {{Diavol - A New Ransomware Used By Wizard Spider?}}, date = {2021-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider}, language = {English}, urldate = {2021-12-15} } Diavol - A New Ransomware Used By Wizard Spider?
Conti Diavol
2021-07-01DomainToolsChad Anderson
@online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-06-30CynetMax Malyutin
@online{malyutin:20210630:shelob:1c93f5d, author = {Max Malyutin}, title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}}, date = {2021-06-30}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/}, language = {English}, urldate = {2021-07-20} } Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID
2021-06-18Palo Alto Networks Unit 42Richard Hickman
@online{hickman:20210618:conti:9b8903f, author = {Richard Hickman}, title = {{Conti Ransomware Gang: An Overview}}, date = {2021-06-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/conti-ransomware-gang/}, language = {English}, urldate = {2021-07-02} } Conti Ransomware Gang: An Overview
Conti
2021-06-15Trend MicroJanus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
@online{agcaoili:20210615:ransomware:41013af, author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana}, title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}}, date = {2021-06-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti}, language = {English}, urldate = {2021-06-21} } Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil
2021-06-02CrowdStrikeJosh Dalman, Heather Smith
@online{dalman:20210602:under:2e7083b, author = {Josh Dalman and Heather Smith}, title = {{Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware}}, date = {2021-06-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/}, language = {English}, urldate = {2021-06-09} } Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil
2021-05-20FBIFBI
@techreport{fbi:20210520:alert:65d3256, author = {FBI}, title = {{Alert Number CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks}}, date = {2021-05-20}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210521.pdf}, language = {English}, urldate = {2021-05-26} } Alert Number CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks
Conti
2021-05-16NCSC IrelandNCSC Ireland
@techreport{ireland:20210516:ransomware:b091d9b, author = {NCSC Ireland}, title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}}, date = {2021-05-16}, institution = {NCSC Ireland}, url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf}, language = {English}, urldate = {2021-05-17} } Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti
2021-05-12The DFIR Report
@online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-29The Institute for Security and TechnologyThe Institute for Security and Technology
@techreport{technology:20210429:combating:0d7c48e, author = {The Institute for Security and Technology}, title = {{Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force}}, date = {2021-04-29}, institution = {The Institute for Security and Technology}, url = {https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf}, language = {English}, urldate = {2021-05-03} } Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force
Conti EternalPetya
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-13MBSDTakashi Yoshikawa, Kei Sugawara
@online{yoshikawa:20210413:unraveling:fc0612e, author = {Takashi Yoshikawa and Kei Sugawara}, title = {{Unraveling the internal structure of the Conti Ransomware}}, date = {2021-04-13}, organization = {MBSD}, url = {https://www.mbsd.jp/research/20210413/conti-ransomware/}, language = {Japanese}, urldate = {2022-03-07} } Unraveling the internal structure of the Conti Ransomware
Conti
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-16SophosLabs UncutMichael Heller
@online{heller:20210216:conti:9090709, author = {Michael Heller}, title = {{A Conti ransomware attack day-by-day}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/}, language = {English}, urldate = {2021-02-20} } A Conti ransomware attack day-by-day
Conti
2021-02-16SophosLabs UncutAndrew Brandt, Anand Ajjan
@online{brandt:20210216:conti:24c2333, author = {Andrew Brandt and Anand Ajjan}, title = {{Conti ransomware: Evasive by nature}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/}, language = {English}, urldate = {2021-02-20} } Conti ransomware: Evasive by nature
Conti
2021-02-16SophosLabs UncutPeter Mackenzie, Tilly Travers
@online{mackenzie:20210216:what:9c9f413, author = {Peter Mackenzie and Tilly Travers}, title = {{What to expect when you’ve been hit with Conti ransomware}}, date = {2021-02-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/}, language = {English}, urldate = {2021-02-20} } What to expect when you’ve been hit with Conti ransomware
Conti
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-04ClearSkyClearSky Research Team
@techreport{team:20210204:conti:27cb3a2, author = {ClearSky Research Team}, title = {{CONTI Modus Operandi and Bitcoin Tracking}}, date = {2021-02-04}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf}, language = {English}, urldate = {2021-02-06} } CONTI Modus Operandi and Bitcoin Tracking
Conti Ryuk
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2021-01-12CybereasonLior Rochberger
@online{rochberger:20210112:cybereason:5707e14, author = {Lior Rochberger}, title = {{Cybereason vs. Conti Ransomware}}, date = {2021-01-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware}, language = {English}, urldate = {2021-01-18} } Cybereason vs. Conti Ransomware
BazarBackdoor Conti
2020-12-15Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20201215:reversing:eddc936, author = {0xthreatintel}, title = {{Reversing Conti Ransomware}}, date = {2020-12-15}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74}, language = {English}, urldate = {2020-12-15} } Reversing Conti Ransomware
Conti
2020-12-15Chuongdong blogChuong Dong
@online{dong:20201215:conti:afb68fe, author = {Chuong Dong}, title = {{Conti Ransomware v2}}, date = {2020-12-15}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/}, language = {English}, urldate = {2020-12-23} } Conti Ransomware v2
Conti
2020-12-12Github (cdong1012)Chuong Dong
@online{dong:20201212:contiunpacker:05a9897, author = {Chuong Dong}, title = {{ContiUnpacker: An automatic unpacker for Conti rasnomware}}, date = {2020-12-12}, organization = {Github (cdong1012)}, url = {https://github.com/cdong1012/ContiUnpacker}, language = {English}, urldate = {2020-12-14} } ContiUnpacker: An automatic unpacker for Conti rasnomware
Conti
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-25BleepingComputerLawrence Abrams
@online{abrams:20200825:ryuk:fbd5d99, author = {Lawrence Abrams}, title = {{Ryuk successor Conti Ransomware releases data leak site}}, date = {2020-08-25}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/}, language = {English}, urldate = {2020-08-26} } Ryuk successor Conti Ransomware releases data leak site
Conti
2020-08-18AreteArete Incident Response
@techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } Is Conti the New Ryuk?
Conti Ryuk
2020-07-08VMWare Carbon BlackBrian Baskin
@online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } TAU Threat Discovery: Conti Ransomware
Conti
Yara Rules
[TLP:WHITE] win_conti_auto (20220808 | Detects win.conti.)
rule win_conti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.conti."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 750f c705????????0b000000 e9???????? }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   c705????????0b000000     |     
            //   e9????????           |                     

        $sequence_1 = { 8b0d???????? 83c00b 99 83c117 }
            // n = 4, score = 600
            //   8b0d????????         |                     
            //   83c00b               | add                 eax, 0xb
            //   99                   | cdq                 
            //   83c117               | add                 ecx, 0x17

        $sequence_2 = { 83c10b f7e9 03d1 c1fa06 }
            // n = 4, score = 600
            //   83c10b               | add                 ecx, 0xb
            //   f7e9                 | imul                ecx
            //   03d1                 | add                 edx, ecx
            //   c1fa06               | sar                 edx, 6

        $sequence_3 = { ffd0 8b0d???????? 85c0 ba0d000000 }
            // n = 4, score = 600
            //   ffd0                 | call                eax
            //   8b0d????????         |                     
            //   85c0                 | test                eax, eax
            //   ba0d000000           | mov                 edx, 0xd

        $sequence_4 = { 83c10b f7e9 c1fa02 8bc2 }
            // n = 4, score = 600
            //   83c10b               | add                 ecx, 0xb
            //   f7e9                 | imul                ecx
            //   c1fa02               | sar                 edx, 2
            //   8bc2                 | mov                 eax, edx

        $sequence_5 = { 85c0 ba0d000000 0f44ca 890d???????? }
            // n = 4, score = 600
            //   85c0                 | test                eax, eax
            //   ba0d000000           | mov                 edx, 0xd
            //   0f44ca               | cmove               ecx, edx
            //   890d????????         |                     

        $sequence_6 = { ffd0 85c0 750f c705????????0c000000 }
            // n = 4, score = 600
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   c705????????0c000000     |     

        $sequence_7 = { 8d04c9 c1e002 99 f7fb 8d427f 99 f7fb }
            // n = 7, score = 600
            //   8d04c9               | dec                 eax
            //   c1e002               | mov                 dword ptr [edi + 0x7d08], eax
            //   99                   | test                eax, eax
            //   f7fb                 | jne                 0x11
            //   8d427f               | lea                 eax, [ecx + ecx*8]
            //   99                   | shl                 eax, 2
            //   f7fb                 | cdq                 

        $sequence_8 = { 85c0 750f c705????????0a000000 e9???????? }
            // n = 4, score = 500
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   c705????????0a000000     |     
            //   e9????????           |                     

        $sequence_9 = { 3d00005000 7605 b800005000 6a00 }
            // n = 4, score = 400
            //   3d00005000           | cmp                 eax, 0x500000
            //   7605                 | jbe                 7
            //   b800005000           | mov                 eax, 0x500000
            //   6a00                 | push                0

        $sequence_10 = { ff7104 ff15???????? 8b0d???????? 46 3b31 }
            // n = 5, score = 400
            //   ff7104               | push                dword ptr [ecx + 4]
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   46                   | inc                 esi
            //   3b31                 | cmp                 esi, dword ptr [ecx]

        $sequence_11 = { ffd0 85c0 7519 c705????????0a000000 }
            // n = 4, score = 400
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   7519                 | jne                 0x1d
            //   c705????????0a000000     |     

        $sequence_12 = { 55 8bec 8b4d08 e8???????? 6a00 ff15???????? }
            // n = 6, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_13 = { 50 6a20 ff15???????? 68???????? ff15???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   6a20                 | push                0x20
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_14 = { 7411 a801 740d 83f001 }
            // n = 4, score = 400
            //   7411                 | je                  0x13
            //   a801                 | test                al, 1
            //   740d                 | je                  0xf
            //   83f001               | xor                 eax, 1

        $sequence_15 = { 52 6a01 ff7004 ff15???????? }
            // n = 4, score = 400
            //   52                   | push                edx
            //   6a01                 | push                1
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff15????????         |                     

        $sequence_16 = { b800005000 6a00 8d4c2418 51 50 ff742424 }
            // n = 6, score = 400
            //   b800005000           | mov                 eax, 0x500000
            //   6a00                 | push                0
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff742424             | push                dword ptr [esp + 0x24]

        $sequence_17 = { 6a01 6810660000 ff7508 ff15???????? 85c0 }
            // n = 5, score = 400
            //   6a01                 | push                1
            //   6810660000           | push                0x6610
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 520192
}
[TLP:WHITE] win_conti_w0   (20220318 | Detect the Conti ransomware (x64))
rule win_conti_w0 {
   meta:
        author = "Arkbird_SOLG"
        description = "Detect the Conti ransomware (x64)"
        reference = "Internal Research"
        date = "2022-02-25"
        hash1 = "930ec6d08e9d29fa23805ff9784cb0d78b1dc4cc4d58daa0e653dfe478c45d3a"
        hash2 = "ea524e8b0dd046561b59a8d4da5a122aeff02036c87bb03056437a1d0f584039"
        hash3 = "ed4afa874e75b7bac665b9bcbf1d8e1324d4f9263c862755101cd79bb087ad45"
        hash4 = "1dea453e5344898c9a66309bd6d1cf6e21c56eb1427c026aac84b14a6b23f7fc"
        tlp = "White"
        adversary = "RAAS"
        source = "https://github.com/StrangerealIntel/Orion/blob/main/Ransomware/RAN_Conti_Feb_2022_1.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_version = "20220318"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
   strings:
        $s1 = { f7 e9 03 d1 c1 fa 06 8b c2 c1 e8 1f 03 d0 6b c2 7f 2b c8 b8 09 04 02 81 83 c1 7f f7 e9 03 d1 c1 fa 06 8b c2 c1 e8 1f 03 d0 6b c2 7f 2b c8 88 4c 3c 39 48 ff c7 48 83 ff 24 72 ?? 0f b7 44 24 7c 48 8d 54 24 39 44 0f b7 4c 24 7a 48 8d 4d 80 44 0f b7 44 24 78 89 44 24 20 ff 15 [2] 01 00 8b d8 85 c0 74 32 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 44 8d 04 1b 4c 89 74 24 20 4c 8d 4c 24 68 48 8b cf 48 8d 55 80 ff d0 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 4c 8d 4c 24 68 4c 89 74 24 20 44 8b c6 48 8d 95 80 00 00 00 48 8b cf ff d0 48 8b 3d [2] 01 00 ba 0f 00 00 00 41 b8 14 b4 02 e8 44 8d 4a 50 e8 [2] fe ff 4c 8d 4c 24 68 4c 89 74 24 20 41 b8 04 }
        $s2 = { 48 89 5c 24 08 48 89 74 24 18 57 48 83 ec 20 40 8a f1 8b 05 [2] 01 00 33 db 85 c0 7f 12 33 c0 48 8b 5c 24 30 48 8b 74 24 40 48 83 c4 20 5f c3 ff c8 89 05 [2] 01 00 e8 73 fa ff ff 40 8a f8 88 44 24 38 83 3d [2] 01 00 02 75 35 e8 86 fb ff ff e8 25 06 00 00 e8 9c 06 00 00 89 1d [2] 01 00 e8 a1 fb ff ff 40 8a cf e8 6d fd ff ff 33 d2 40 8a ce e8 87 fd ff ff 84 c0 0f 95 c3 8b c3 eb }
        $s3 = { 48 8b 0d [2] 01 00 4c 8b c3 33 d2 ff 15 [2] 00 00 48 85 c0 74 d4 eb 0d e8 60 08 00 00 c7 00 0c 00 00 00 33 c0 48 83 c4 20 5b c3 cc cc 48 85 c9 74 37 53 48 83 ec 20 4c 8b c1 33 d2 48 8b 0d [2] 01 00 ff 15 [2] 00 00 85 c0 75 17 e8 2b 08 00 00 48 8b d8 ff 15 [2] 00 00 8b c8 e8 63 07 00 00 89 03 48 83 c4 20 5b c3 cc cc cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b d9 49 }
        $s4 = { 48 83 c0 27 48 83 e0 e0 48 89 48 f8 eb 11 48 85 d2 74 0a 48 8b ca e8 [2] 00 00 eb 02 33 c0 4c 8d 04 5d 02 00 00 00 48 89 45 c0 48 8b d6 48 8b c8 e8 [2] 00 00 48 89 7d d8 48 c7 c7 ff ff ff ff 4c 8d 45 40 48 89 5d d0 48 8d 55 c0 48 8d 8d 20 04 00 00 e8 ?? dd ff ff 48 81 bd 30 04 00 00 04 01 00 00 0f 87 b2 00 00 00 48 83 bd 38 04 00 00 08 48 8d 8d 20 04 00 00 48 0f 43 8d 20 04 00 00 ff 15 [2] 01 00 85 c0 0f 84 8d 00 00 00 48 8d 8d ec 04 00 00 e8 ?? e0 ff ff }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 
}
Download all Yara Rules