| Category | Details | References |
|---|---|---|
| Actors | ||
| First Observed | late 2019 | 1 |
| Threat Actors | Conti Group (aka Wizard Spider aka TrickBot) | 2 3 |
| Environment | ||
| Platforms | Windows | 4 |
| Artifacts | ||
| Extensions | .conti 5 alpahnumeric characters (generated once per execution instance) | 5 6 7 |
| Ransomware Notes | Readme.txt CONTI.txt R3ADME3.txt CONTI_README.txt | 5 7 |
| Services It Disables | ||
| Other Observables | ||
| Automation | ||
| Automatically Gains Access | No | 4 |
| Automatically Escalates Privileges | No | 4 |
| Requires Human Interaction | Yes | |
| Automatic Exfiltration | No | 4 |
| Automatic Propagation | Sort of. It will encrypt files accessible via SMB share, but will not launch itself on another system. | 8 |
Please note, this page was last updated at 2023-03-14 20:21.
-
https://www.csoonline.com/article/3638056/conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html ↩
-
https://www.theregister.com/2022/05/18/wizard-spider-ransomware-conti/ ↩
-
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a ↩ ↩2 ↩3 ↩4
-
https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/ ↩
-
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/ ↩