Threat Thursday - Conti Ransomware

    by Jorge Orchilles
    May 27, 2021

    Conti Ransomware

    You may have noticed that SCYTHE really believes in collaboration, which is why we continue to push the industry forward towards Purple Teaming. To stay ahead of the attackers, we must work together: Cyber Threat Intelligence, Red Teams, and Blue Teams. For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TruKno, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently. TruKno is an aggregator of CTI and in this case, they leveraged another partner we have sponsored and supported for some time: The DFIR Report. As usual, we cover how to detect and respond to the behaviors of Conti so that you can avoid the business impact of ransomware.

    Cyber Threat Intelligence

    This week we are leveraging a new platform from a startup called TruKno. You can access the beta dashboard here. The site makes it easy to navigate adversary behaviors/TTPs at the procedure level, which is what creating adversary emulation plans requires. We are also leveraging a partner we have sponsored and supported for some time: The DFIR Report.

    Conti is currently the “King of Ransomware on the DarkWeb” according to DarkTracer. Interestingly, and probably a coincidence, all of the ransomware we have shared in previous Threat Thursdays are no longer active (Maze, Ryuk, Egregor, DarkSide):

    Conti ransomware has impacted healthcare and first responder networks as per this FBI Flash and multiple news outlets covering the Ireland, New Zealand, and Canada health services. As a ransomware that has hit hundreds of organizations, we have enough CTI to create an adversary emulation plan.
    We have created multiple ways to visualize the Conti Cyber Threat Intelligence: an ATT&CK Navigator Heat Map, a SCYTHE Heat Map, and a VECTR Escalation Path.

    MITRE ATT&CK Conti heat map

    Adversary Emulation Plan

    As usual, we have created and shared the Conti ransomware adversary emulation plan in our GitHub. Here is a table with the CTI analyzed and organized for easier consumption:

    Tactic               Techniques
    Description          Conti is currently the most active ransomware threat according to DarkTracer. It performs double extortion in environments to ensure payment is received.
    Execution            T1059.001 - Command and Scripting Interpreter: PowerShell
                         T1059.003 - Command and Scripting Interpreter: Windows Command Shell
    Command and Control  T1071 - Application Layer Protocol: HTTPS heartbeat of 62 seconds and jitter of 39%
                         T1573 - Encrypted Channel: HTTPS
    Initial Access       T1566.001 - Spearphishing Attachment
                         T1566.003 - Spearphishing via Service
    Defense Evasion      T1218.011 - Signed Binary Proxy Execution: Rundll32
                         T1112 - Modify Registry
    Discovery            T1010 - Application Window Discovery
                         T1083 - File and Directory Discovery
                         T1057 - Process Discovery
                         T1012 - Query Registry
                         T1082 - System Information Discovery
                         T1016 - System Network Configuration Discovery
                         T1033 - System Owner/User Discovery
    Persistence          T1136.001 - Local Account - net user /add /Y nuuser 7HeC00l3stP@ssw0rd
                         T1543.003 - Windows Service
    Credential Access    T1003.001 - LSASS Memory
    Lateral Movement     T1021.001 - Remote Desktop Protocol
                         T1021.002 - SMB/Windows Admin Shares
    Collection           T1074.001 - Local Data Staging
                         T1560.002 - Archive via Library
    Exfiltration         T1041 - Exfiltration Over C2 Channel
    Impact               T1486 - Data Encrypted for Impact
                         T1489 - Service Stop
                         T1531 - Account Access Removal
                         T1491.001 - Internal Defacement

    To emulate:

    1. Download and import the threat in JSON format to your SCYTHE instance -
    2. Download the Virtual File System (VFS) files under Conti/VFS
    3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Conti
    4. Create a new campaign, selecting HTTPS, and ensuring the communication options match the CTI: --cp yourdomain[.]com:443 --secure true --multipart 10240 --heartbeat 62 --jitter 39
    5. Set the Program database path to: A:\source\conti_v3\x64\Release\cryptor_dll.pdb
    6. Import from Existing Threat: Conti
    7. Launch Campaign
    8. Execute with rundll32.exe

    Note that different TTPs will be performed based on the endpoint being on a domain or not and running with local administrator privileges or not.
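    The CTI table gives the Conti C2 channel a 62-second HTTPS heartbeat with 39% jitter, and step 4 above reproduces those settings in the campaign. The Python below is an added example, not part of this post or of the SCYTHE emulation plan, of how a defender can look for that timing in proxy or firewall connection logs once the emulation has run. It assumes a simple constructed log format (timestamp, source, destination:port, action) and that jitter is applied as a uniform plus-or-minus percentage of the heartbeat; that second point is an assumption made for the example, not a statement about how SCYTHE implements the --jitter option.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Beacon parameters taken from the Conti CTI above: 62 s heartbeat, 39% jitter.
HEARTBEAT = 62.0
JITTER = 0.39


def parse_line(line):
    """Parse one constructed proxy log line: '<iso-timestamp> <src> <dst:port> <action>'."""
    ts, src, dst, _action = line.split()
    return datetime.fromisoformat(ts), src, dst


def gaps_seconds(timestamps):
    """Inter-arrival gaps, in seconds, between consecutive connections of one src/dst pair."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def looks_like_beacon(gaps, heartbeat=HEARTBEAT, jitter=JITTER, min_samples=8, min_fraction=0.9):
    """True when nearly every gap sits inside heartbeat*(1-jitter) .. heartbeat*(1+jitter).

    Assumes jitter is a uniform +/- percentage of the heartbeat (an assumption for this
    example, not a description of any particular C2 framework's scheduling).
    """
    if len(gaps) < min_samples:          # too few connections to judge periodicity
        return False
    lo, hi = heartbeat * (1 - jitter), heartbeat * (1 + jitter)
    inside = sum(1 for g in gaps if lo <= g <= hi)
    return inside / len(gaps) >= min_fraction and lo <= median(gaps) <= hi


def find_beacons(lines):
    """Group connections by (src, dst) and return the pairs whose timing matches the heartbeat."""
    series = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        series[(src, dst)].append(ts)
    return sorted(pair for pair, ts in series.items() if looks_like_beacon(gaps_seconds(ts)))


def build_log(src, dst, gaps, start=datetime(2021, 5, 27, 10, 0, 0)):
    """Construct sample log lines for one src/dst pair from a list of gaps (not real traffic)."""
    lines, t = [f"{start.isoformat()} {src} {dst} CONNECT"], start
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} {src} {dst} CONNECT")
    return lines


# Constructed sample: one jittered beacon (every gap inside 62 s +/- 39%, i.e. 37.8..86.2 s),
# one ordinary browsing session with irregular gaps, and one series too short to judge.
BEACON_GAPS = [62, 45, 80, 55, 70, 40, 85, 62, 50, 75]
BROWSING_GAPS = [2, 300, 5, 1, 900, 3, 45, 7, 600, 12]
SAMPLE_LOG = (
    build_log("10.0.0.5", "203.0.113.10:443", BEACON_GAPS)
    + build_log("10.0.0.7", "198.51.100.20:443", BROWSING_GAPS)
    + build_log("10.0.0.9", "192.0.2.30:443", [60, 64, 61])
)

if __name__ == "__main__":
    for src, dst in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}")
```

    Running the campaign against a test host and then pointing this at the proxy export for that host is the purple-team check: if the pair does not surface, either the log source lacks per-connection timestamps or the window and sample thresholds need tuning. On real traffic, use a longer observation window and compare hits against known periodic services (update checks, telemetry) before treating a pair as suspicious.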

    Detect and Respond

    The FBI Flash covers a number of mitigations, which we reproduce in this post, and we also want to add a few items related to detection and response. Prevention will make initial access and execution a little harder, but for those working under an assumed-breach model, detection and response are what matter:

    • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
    • Implement network segmentation.
    • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
    • Install updates/patch operating systems, software, and firmware as soon as they are released.
    • Use multifactor authentication where possible.
    • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
    • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
    • Require administrator credentials to install software.
    • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
    • Install and regularly update anti-virus and anti-malware software on all hosts.
    • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
    • Consider adding an email banner to messages coming from outside your organization.
    • Disable hyperlinks in received emails.
    • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
    • Detect when new services are created on endpoints.
    • Detect when certain registry keys are modified, such as enabling Remote Desktop Protocol.
    • Detect when new users are created and/or added to the local administrator group.
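    The last three items map directly onto standard Windows events, and the Conti plan above exercises each of them (T1543.003 Windows Service, T1112 Modify Registry, T1136.001 Local Account with the net user /add of nuuser). The Python below is an added example of that detection logic, not SCYTHE's code or part of the plan. It assumes events have been normalized into dicts with Channel, EventID, Computer and a Data map of the EventData fields; the event IDs and field names are the standard ones (Security 4720 account created, Security 4732 member added to a local group, System 7045 service installed, Sysmon 13 registry value set), the Administrators SID is the well-known S-1-5-32-544, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    technique: str   # ATT&CK ID from the Conti table above
    host: str
    detail: str


SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Registry value that turns Remote Desktop off (1) or on (0); Sysmon reports it under HKLM.
RDP_DENY_KEY = r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
BUILTIN_ADMINS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group


def detect(event: dict) -> Optional[Alert]:
    """Map one normalized Windows event to an Alert, or None if it is not of interest."""
    channel, eid, host, d = event["Channel"], event["EventID"], event["Computer"], event["Data"]
    # New service installed (System 7045): persistence via a Windows service.
    if channel == "System" and eid == 7045:
        return Alert("T1543.003", host, f"service {d['ServiceName']!r} installed, image {d['ImagePath']}")
    # Account created (Security 4720), e.g. by "net user /add".
    if channel == "Security" and eid == 4720:
        return Alert("T1136.001", host, f"account {d['TargetUserName']!r} created by {d['SubjectUserName']}")
    # Member added to a security-enabled local group (Security 4732); only Administrators matters here.
    if channel == "Security" and eid == 4732 and d["TargetSid"] == BUILTIN_ADMINS_SID:
        return Alert("T1136.001", host, f"{d['MemberName']} added to local Administrators by {d['SubjectUserName']}")
    # Registry value set (Sysmon 13): fDenyTSConnections written as 0 enables Remote Desktop.
    if (channel == SYSMON and eid == 13
            and d["TargetObject"].lower() == RDP_DENY_KEY.lower()
            and d["Details"] == "DWORD (0x00000000)"):
        return Alert("T1112", host, "fDenyTSConnections set to 0 (Remote Desktop enabled)")
    return None


def run(events):
    """Return the alerts raised by a sequence of events, in event order."""
    return [a for a in (detect(e) for e in events) if a is not None]


# Constructed sample events (EventData flattened into the Data dict). Only the WS01 events
# should alert; the WS02 events are benign look-alikes.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Computer": "WS01",
     "Data": {"TargetUserName": "alice", "LogonType": "2"}},
    {"Channel": "Security", "EventID": 4720, "Computer": "WS01",
     "Data": {"SubjectUserName": "alice", "TargetUserName": "nuuser"}},   # account from the Conti plan
    {"Channel": "Security", "EventID": 4732, "Computer": "WS01",
     "Data": {"SubjectUserName": "alice", "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINS_SID,
              "MemberName": "WS01\\nuuser", "MemberSid": "S-1-5-21-1111-2222-3333-1005"}},
    {"Channel": "Security", "EventID": 4732, "Computer": "WS02",     # Remote Desktop Users, not admins
     "Data": {"SubjectUserName": "bob", "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
              "MemberName": "WS02\\helpdesk", "MemberSid": "S-1-5-21-1111-2222-3333-1100"}},
    {"Channel": "System", "EventID": 7045, "Computer": "WS01",
     "Data": {"ServiceName": "UpdateSvc", "ImagePath": r"C:\ProgramData\svc.exe", "StartType": "auto start"}},
    {"Channel": SYSMON, "EventID": 13, "Computer": "WS01",
     "Data": {"EventType": "SetValue", "TargetObject": RDP_DENY_KEY, "Details": "DWORD (0x00000000)"}},
    {"Channel": SYSMON, "EventID": 13, "Computer": "WS02",            # RDP being disabled, not enabled
     "Data": {"EventType": "SetValue", "TargetObject": RDP_DENY_KEY, "Details": "DWORD (0x00000001)"}},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.host}: {alert.detail}")
```

    Tagging each alert with the technique ID from the CTI table is what lets the Blue Team mark the corresponding row in the heat map as detected after the campaign runs; a rule that fires but carries no mapping is hard to score. Security 4720 and 4732 require account-management auditing to be enabled, and Sysmon 13 only appears for keys included in the Sysmon configuration, so confirm both before relying on these detections.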


    Conti is the current “King of Ransomware” and we don’t like it. We hope that by analyzing the cyber threat intelligence from their damaging attacks, we can provide adversary emulation plans so that you can test, measure, and improve your people, process, and technology. These attacks will evolve and organizations need to continually attack, detect, and respond to ensure they are not impacted by known adversary behaviors. Maze, Ryuk, Egregor, and DarkSide have shut down after being featured on a Threat Thursday. Will Conti be next?

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email, or follow on Twitter @scythe_io.
