Leaked Tools, TTPs, and IOCs Used by Conti Ransomware Group


While the Russian invasion of Ukraine continues, cybersecurity professionals and threat actors worldwide directly or indirectly show their support for either side. On February 27th, 2022, the Conti ransomware group, one of the most infamous ransomware operators, announced their support for Russia, causing conflict within the group. As a result, Ukrainian members of the Conti threat group leaked internal chats and log data. The leaked conversations are dated between January 2021 and February 2022 and contain information and TTPs on the recent activities of the Conti group.

Figure 1: Conti Ransomware Group Pro-Russian Announcement [1]

In this blog post, we explain the TTPs and tools used by the Conti ransomware group in detail.


Conti Ransomware Group

Conti is a Ransomware-as-a-Service (RaaS) operator that sells or leases ransomware to their affiliate cyber threat actors. The Conti ransomware group was first seen in October 2019; however, malware analysis and their TTPs indicate that they had been active since 2017 under different names such as Ryuk, Hermes, CryptoTech and Wizard Spider. For example, Ryuk and Conti ransomware use the same bitcoin wallet address for ransom payments, creating a direct link between the two groups. The Conti RaaS group is also affiliated with other cyber-criminal groups such as TrickBot, Emotet and BazarLoader for distribution of their ransomware [2].

Recent leaks show that the Conti ransomware group has collected more than 2.7 Billion USD as ransom payment between April 2017 and February 2022 [3].

Tools Used By Conti RaaS Group

MITRE ATT&CK TA0004 - Privilege Escalation

  • dazzleUP: A scanner for privilege escalation vulnerabilities [4]
  • PEASS-ng: Multi-platform privilege escalation framework [5]
  • Watson: A scanner for missing updates that lists privilege escalation vulnerabilities [6]

MITRE ATT&CK TA0006 - Credential Access

  • Invoke-SMBAutoBrute: A PowerShell script that brute-forces logins to acquire credentials [7]
  • Net-GPPPassword: Plaintext credential and data collector for accounts pushed through Group Policy Preferences [8]
  • SharpChromium: Data extraction tool for Google Chrome and Microsoft Edge that collects cookies, history, and login credentials [9]

MITRE ATT&CK TA0007 - Discovery

  • AdFind.exe: A command-line tool that queries Active Directory and collects information about users, networks, and systems in the domain [10]
  • BloodHound: Active Directory mapping tool that shows possible attack paths [11]
  • Invoke-Kerberoast: A PowerShell script for MITRE ATT&CK T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [12]
  • NtdsAudit: A tool that audits Active Directory databases [13]
  • PowerTools: A collection of offensive PowerShell scripts for network discovery and privilege escalation [14]
    • ShareFinder: A PowerShell script in PowerTools that searches for and lists shared files.
  • Rubeus: Open-source toolset for raw Kerberos interaction and abuses [15]
  • Seatbelt: A C# project that runs security-oriented host-survey "safety checks" against the host [16]
  • SharpView: .NET port of PowerView, a PowerShell tool for Active Directory enumeration [17]
  • WinPwn: A PowerShell script for automated penetration testing on Windows [18]

MITRE ATT&CK TA0011 - Command and Control

  • AnyDesk: A remote desktop tool [19]
  • ngrok: A tool that exposes local servers to public internet [20]

MITRE ATT&CK TA0010 - Exfiltration

  • FileZilla: An FTP client abused for data exfiltration over FTP services [21]
  • Mega: A cloud storage service that is abused for data exfiltration [22]
  • rclone: A command-line tool for data exfiltration using cloud storage services [23]
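As an added example that is not code from the original post or from Picus, the Python below correlates process-creation events against the tool list above and flags hosts where tooling from several tactics shows up together, which is what the Conti chain looks like in telemetry. The log format, executable names and command-line heuristics are assumptions.

```python
import re
# Executable names for the tools listed above, keyed by the page's ATT&CK tactic;
# names are assumptions (binaries get renamed), so command-line patterns add a second signal.
TOOL_TACTICS = {
    "TA0004 Privilege Escalation": {"dazzleup.exe", "winpeas.exe", "watson.exe"},
    "TA0006 Credential Access": {"net-gpppassword.exe", "sharpchromium.exe"},
    "TA0007 Discovery": {"adfind.exe", "sharphound.exe", "rubeus.exe", "seatbelt.exe", "sharpview.exe"},
    "TA0011 Command and Control": {"anydesk.exe", "ngrok.exe"},
    "TA0010 Exfiltration": {"rclone.exe", "filezilla.exe", "megasync.exe"},
}
CMDLINE_TACTICS = [  # assumed heuristics on the command line
    (re.compile(r"invoke-kerberoast", re.I), "TA0007 Discovery"),
    (re.compile(r"invoke-smbautobrute", re.I), "TA0006 Credential Access"),
    (re.compile(r"\brclone\b.*\b(copy|sync)\b", re.I), "TA0010 Exfiltration"),
]
EVENT_RE = re.compile(r"host=(\S+) image=(\S+) cmdline=(.*)")  # assumed log format

def parse_event(line):
    """Parse one process-creation line into (host, image basename, cmdline)."""
    m = EVENT_RE.match(line)
    return (m[1], m[2].rsplit("\\", 1)[-1].lower(), m[3]) if m else None

def classify(image, cmdline):
    """Return the tactic an event maps to, or None when nothing matches."""
    for tactic, names in TOOL_TACTICS.items():
        if image in names:
            return tactic
    for pattern, tactic in CMDLINE_TACTICS:
        if pattern.search(cmdline):
            return tactic

def correlate(lines):
    """Distinct tactics observed per host, sorted for stable output."""
    seen = {}
    for line in lines:
        ev = parse_event(line)
        if ev and (tactic := classify(ev[1], ev[2])):
            seen.setdefault(ev[0], set()).add(tactic)
    return {host: sorted(tactics) for host, tactics in seen.items()}

def hosts_to_triage(lines, min_tactics=3):
    """Hosts with tooling from several tactics: a chain, not a lone admin task."""
    return sorted(h for h, t in correlate(lines).items() if len(t) >= min_tactics)

SAMPLE_LOG = [  # constructed events, not real telemetry
    "host=WS01 image=C:\\Temp\\AdFind.exe cmdline=AdFind.exe -f objectcategory=person",
    "host=WS01 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell -c Invoke-SMBAutoBrute",
    "host=WS01 image=C:\\Temp\\rclone.exe cmdline=rclone.exe copy C:\\Finance remote:backup",
    "host=SRV02 image=C:\\Tools\\AnyDesk.exe cmdline=AnyDesk.exe",
]
```

A single AnyDesk launch on SRV02 is not enough to raise an alert on its own; WS01, which shows discovery, credential access and exfiltration tooling in sequence, is.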

How Does Picus Help Simulate Conti Ransomware Group Attacks?

Using the Picus Continuous Security Validation Platform, you can test your security controls against Conti ransomware attacks. We advise you to simulate Conti attacks and determine whether your security controls can prevent them. The Picus Threat Library includes the following threats to simulate attacks and malicious tools used by the Conti ransomware group.


Threat ID | Action Name                                       | Attack Module
99469     | Conti Ransomware Email Threat                     | Email Infiltration (Phishing)
93900     | Conti Ransomware Download Threat                  | Network Infiltration
75084     | Bazarcall Dropping Conti Ransomware Campaign 2021 | Endpoint
39619     | Ryuk Ransomware Email Threat                      | Email Infiltration (Phishing)
55678     | Ryuk Ransomware Download Threat                   | Network Infiltration
28380     | Ryuk Ransomware Campaign 2020                     | Endpoint
51963     | Hermes Ransomware Email Threat                    | Email Infiltration (Phishing)
41632     | Hermes Ransomware Download Threat                 | Network Infiltration
55963     | Hermes 2.1 Ransomware Email Threat                | Email Infiltration (Phishing)
43894     | Hermes 2.1 Ransomware Download Threat             | Network Infiltration

MITRE ATT&CK TTPs used by Conti Ransomware Group

  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery
  • T1021.002 Remote Services: SMB/Windows Admin Shares
  • T1027 Obfuscated Files or Information
  • T1049 System Network Connections Discovery
  • T1055.001 Process Injection: Dynamic-link Library Injection
  • T1057 Process Discovery
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1078 Valid Accounts
  • T1080 Taint Shared Content
  • T1083 File and Directory Discovery
  • T1106 Native API
  • T1110 Brute Force
  • T1133 External Remote Services
  • T1135 Network Share Discovery
  • T1140 Deobfuscate/Decode Files or Information
  • T1190 Exploit Public-Facing Application
  • T1486 Data Encrypted for Impact
  • T1489 Service Stop
  • T1490 Inhibit System Recovery
  • T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link
  • T1567 Exfiltration Over Web Service

Indicators of Compromise (IOCs)


References

[1] C. Cimpanu, "Conti ransomware gang chats leaked by pro-Ukraine member," The Record by Recorded Future, Feb. 28, 2022. [Online]. Available: https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/.

[2] PRODAFT, "[Conti] Ransomware Group In-Depth Analysis." [Online]. Available: https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis.

[3] vx-underground, Twitter post. [Online]. Available: https://twitter.com/vxunderground/status/1498394338027610124.

[4] hlldz, "dazzleUP: A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems," GitHub. [Online]. Available: https://github.com/hlldz/dazzleUP.

[5] carlospolop, "PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)," GitHub. [Online]. Available: https://github.com/carlospolop/PEASS-ng.

[6] rasta-mouse, "Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities," GitHub. [Online]. Available: https://github.com/rasta-mouse/Watson.

[7] Shellntel, "scripts/Invoke-SMBAutoBrute.ps1 at master · Shellntel/scripts," GitHub. [Online]. Available: https://github.com/Shellntel/scripts.

[8] outflanknl, "Net-GPPPassword: .NET implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences," GitHub. [Online]. Available: https://github.com/outflanknl/Net-GPPPassword.

[9] djhohnstein, "SharpChromium: .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins," GitHub. [Online]. Available: https://github.com/djhohnstein/SharpChromium.

[10] joeware, "AdFind." [Online]. Available: http://www.joeware.net/freetools/tools/adfind/index.htm.

[11] BloodHoundAD, "BloodHound: Six Degrees of Domain Admin," GitHub. [Online]. Available: https://github.com/BloodHoundAD/BloodHound.

[12] EmpireProject, "Empire/Invoke-Kerberoast.ps1 at master · EmpireProject/Empire," GitHub. [Online]. Available: https://github.com/EmpireProject/Empire.

[13] Dionach, "NtdsAudit: An Active Directory audit utility," GitHub. [Online]. Available: https://github.com/Dionach/NtdsAudit.

[14] darkoperator, "Veil-PowerView: Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains," GitHub. [Online]. Available: https://github.com/darkoperator/Veil-PowerView.

[15] GhostPack, "Rubeus: Trying to tame the three-headed dog," GitHub. [Online]. Available: https://github.com/GhostPack/Rubeus.

[16] GhostPack, "Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey 'safety checks' relevant from both offensive and defensive security perspectives," GitHub. [Online]. Available: https://github.com/GhostPack/Seatbelt.

[17] tevora-threat, "SharpView: C# implementation of harmj0y's PowerView," GitHub. [Online]. Available: https://github.com/tevora-threat/SharpView.

[18] S3cur3Th1sSh1t, "WinPwn: Automation for internal Windows Penetrationtest / AD-Security," GitHub. [Online]. Available: https://github.com/S3cur3Th1sSh1t/WinPwn.

[19] AnyDesk, "The Fast Remote Desktop Application." [Online]. Available: https://anydesk.com/en.

[20] inconshreveable, "ngrok - secure introspectable tunnels to localhost." [Online]. Available: https://ngrok.com/.

[21] "FileZilla - The free FTP solution." [Online]. Available: https://filezilla-project.org.

[22] "MEGA." [Online]. Available: https://mega.io/.

[23] N. Craig-Wood, "Rclone." [Online]. Available: https://rclone.org.