Resurgence of Conti Ransomware

10066089458?profile=RESIZE_400xConti ransomware was first discovered in December of 2019 and has become one of the most prominent ransomware platforms to date. The Conti Ransomware as a Service (RaaS) platform gained international attention in May of 2021 when it was used to shutdown Ireland’s Health Service Executive (HSE).  The group has shown no signs of slowing down with notable attacks reported in the United States, Australia, United Kingdom, Taiwan, and Indonesia in the past two and a half months.

The most recent attack using the Conti ransomware to make headlines targeted Delta Electronics, a Taiwanese company that provides electronic components for Apple, Tesla, HP, and Dell.[1]  The attack was reported on 22 January 2022 and used double extortion to both encrypt files on Delta Electronics’ machines and exfiltrate that data to be publicly leaked if the ransom is not paid.  After claiming to have encrypted 1,500 servers and 12,000 computers the attackers demanded a ransom of $15 million to decrypt the machines.[2]

Another notable attack using Conti targeted Bank Indonesia.  Bank Indonesia claims that no critical data was taken during the attack and did not immediately acknowledge that Conti was the operation behind the attack.  Conti later claimed that they were responsible and threatened to publicize 13.88 GB of data.[3]

The Conti strain of ransomware is spread through spear-phishing campaigns using the Trickbot or BazarLoader malware, stolen or weak Remote Desktop Protocol (RDP) credentials, fake software promotions, and exploiting common vulnerabilities.[4]

The Conti ransomware is affiliated with the Wizard Spider Cybercrime organization. According to Trend Micro, the Conti ransomware variant is the successor to the Ryuk ransomware.  Wizard Spider is responsible for the development of Trickbot, BazarLoader, and Ryuk in addition to Conti ransomware platform.[5]

Conti differs from the norm in terms of RaaS models by likely paying Conti deployers a wage rather than a percentage of the ransom earned.  This discrepancy from the typical RaaS model could have played a part in the dissemination of the Conti playbook.  The playbook used by Conti operators was leaked by a Conti deployer upset about their pay rate over the summer of 2021 and revealed useful information regarding how the Conti Gang carries out their ransom attacks.

From the playbook it was observed that the gang leverages common penetration testing tools including Cobalt Strike, Metasploit, Sharpview, RouterScan, and Armitage among others to navigate compromised networks and gain access data that will be encrypted using the ransom payload.  The gang has also leveraged vulnerabilities including PrintNightmare, Zerologon, EternalBlue, and Log4j. The playbook also included four Cobalt Strike server IP addresses used to reach command and control (C2) servers.  The IP addresses are:

  • 244.80.235
  • 118.21.1
  • 141.63.120
  • 93.88.165

Based on statistics from DarkTracer, Conti has passed LockBit and Pysa to become the most successful ransomware in compromising organizations from 1 January 2019 to 9 November 2021.  Pictured below is a chart from DarkTracer, showing the spread of ransomware gangs and the number of organizations that they have compromised.

Data from the Cyber Threat Analysis Center (CTAC) by Wapack Labs corroborates the rise of the Conti ransomware variant with 192 organizations affected between 6 December 2021 and 1 February 2022.  Pictured below is a breakdown data from CTAC showing Conti statistics from the past two months.


It seems that the Conti ransomware gang is back in full swing.  It is important that organizations apply mitigation techniques to protect themselves from the Conti ransomware gang.  The Cybersecurity & Infrastructure Security Agency (CISA) along with the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) recommend:

  • Using multi-factor authentication for remote access.
  • Implementing network segmentation and traffic filtering.
  • Conducting antivirus and antimalware scans with up-to-date signatures.
  • Upgrading software and operating systems with the latest patches regularly.
  • Removing unnecessary applications.
  • Implement endpoint and detection response tools.
  • Limit access to resources over the network and restrict RDP.
  • Secure user accounts and employ the principle of least privilege.
  • Audit logs and check that all new accounts are for legitimate users.
  • Use the CISA Ransomware Response Checklist if your organization is infected.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or     

 Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings






E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!