Conti Ransomware Gang: An Analysis of the Group’s Motives and Methods
by
Kameron A. Williams
A Capstone Project Submitted to the Faculty of
Utica University
August 2022
in Partial Fulfillment of the Requirements for the Degree of
Master of Science in Cybersecurity
© Copyright 2022 by Kameron A. Williams
All Rights Reserved
Abstract
This research project aims to provide a threat assessment of the Conti ransomware gang (Conti).
The research first examined Conti’s Russian origins and their motivations. Next, the paper
reviewed disruptive cyber-attacks by Conti against large organizations and the outcomes of these
attacks. The research also investigated Conti’s effort to rebrand itself to avoid sanctions by
associating itself with the Russian government. Next is an analysis of Conti’s techniques, tactics,
and procedures (TTP) used to compromise victims, execute the Conti ransomware, and demand
payments through ransom negotiations. Conti is a significant threat to all public and private
businesses and entities, but they primarily target the healthcare industry. Conti targets the
healthcare sector and hospitals at a higher rate because they can typically afford the millions in
ransom demanded. Conti is also using cyber-attacks to aid in their rebranding to evade sanctions
incurred by its support of the Russian invasion of Ukraine. Lastly, the research paper analyzes
how to prevent or minimize a successful Conti attack at various phases of their attack. Security
professionals need to understand the threat that Conti poses to organizations and how they can
mitigate successful Conti attacks.
Keywords: Cybersecurity, Professor Carmen Mercado, Conti Costa Rica, Conti
Ransomware Analysis, Conti Ransomware Gang, Ransomware-as-a-Service, Russia
Ransomware.
Table of Contents
List of Illustrative Materials
Conti Ransomware Gang: An Analysis of the Group’s Motives and Methods
    Ransomware-as-a-Service
    The Conti Ransomware Gang
    Conti’s Targets
    Purpose Statement
Literature Review
    Conti’s Russian Origin
    Conti’s Organizational Structure
    High-profile Conti Attacks
        The Healthcare Service Executive Attack
        The Costa Rica attack
    Understanding the Cyber Kill Chain
    Ransomware Infection
        Conti Email Phishing
        Privilege Escalation
    Ransomware Execution
    Ransomware Extortion
        Ransom Negotiations
Discussion of the Findings
    Conti’s Motivations
    Impact of Conti Attacks
    Conti’s Attack Patterns
Recommendations
Future Research
Conclusion
References
List of Illustrative Materials
Figure 1 – Lockheed Martin Cyber Kill Chain Model
Conti Ransomware Gang: An Analysis of the Group’s Motives and Methods
Ransomware is malware that blocks access to the device until the victim pays a ransom
specified by the malware operator. Attackers typically require ransom payments paid via the
cryptographic currency system, Bitcoin, due to the anonymity of cryptocurrency (Paquet-Clouston et al., 2019). Ransomware started as a proof of concept in 1996 by researchers Young
and Yung when they posed the idea of using cryptographic procedures offensively. They
suggested cryptography as an extortion technique by preventing access to a device until the
attacker’s demand is met (Hull et al., 2019). Today, ransomware attacks are the most concerning
form of cybercrime, and law enforcement agencies and cyber security professionals across the
globe are seeking ways to deal with the increasing threat (Paquet-Clouston et al., 2019).
The early days of ransomware saw its distribution on a massive scale, with little regard
for the infected victims’ financial holdings. These early ransomware attacks also saw malware
delivered en masse to infect as many victims as possible rather than specifically targeting a single
entity (Europol, 2021). However, ransomware attacks increasingly shifted to target private businesses,
government agencies, and critical infrastructure. The increase in attacks on larger
institutions shows that ransomware operators choose their victims based on their financial
capabilities and willingness to comply with ransoms. By doing so, perpetrators have the chance
to demand and receive higher ransoms more quickly from victims on the successful execution of
their ransomware. The Conti ransomware gang (Conti) is a prime example of a ransomware gang
that seeks high-profile targets for exploitation (Europol, 2021).
Ransomware-as-a-Service
Ransomware has evolved into two forms of attacks in preventing file access on infected
devices. The first is locking a user out of their device by disabling its operating system. In these
attacks, the victim views the ransom note once the device is booted, preventing them from
accessing it until the ransom is paid or the malware is removed (Paquet-Clouston et al., 2019). The second
form of attack is much more sophisticated and is the one used by Conti. This attack encrypts the victim’s files
on a device, so paying a ransom is the only way to decrypt the files (Paquet-Clouston et al., 2019).
The ransomware-as-a-service (RaaS) model allows customers to use ransomware owned by service providers
through darknet marketplaces (Meland et al., 2020). These service providers deliver ransomware
tailored to the buyer’s specific target, with some providers offering additional services like
privilege escalation or ransom negotiation. After an attacker’s successful exploitation and the
victim pays the ransom, the service provider receives a portion of the ransom, 20%-30%, as a fee
(Meland et al., 2020). The RaaS model is most threatening because it empowers cybercriminals
without the necessary programming skills to utilize ransomware, increasing the number of
individuals behind ransomware attacks.
The Conti Ransomware Gang
Conti is one of the infamous ransomware families responsible for several high-profile
ransomware attacks. Conti gets credit as a descendant of the Ryuk ransomware, and the creators
of Ryuk are likely responsible for the development of Conti (Trend Micro, 2021). Conti’s attacks
are regularly against much larger targets. The Conti ransomware is also sold under the RaaS
model and significantly contributes to the spike in ransomware attacks. Conti extorts even more
money from their victims through the double extortion ransomware technique (Trend Micro,
2021). Through double extortion, Conti not only encrypts a victim’s files but also steals their
files and confidential data. Conti then forces their victims to pay for access to their files and a
separate ransom to prevent them from publishing or selling the stolen data (Trend Micro, 2021).
One of the aspects of Conti’s methods that is so threatening is their choice of targets.
Conti targets businesses and governments worldwide, but most attacks are against United States
institutions (Trend Micro, 2021). From January 1, 2021, to November 12, 2021, Conti attempted
over 1.6 million attacks against companies in the United States. The attacks against companies in
the Netherlands rank the second-highest during this period, at nearly 49 thousand attempted
attacks (Trend Micro, 2021). Part of the reason for the disparity in attack frequency comes from
the motivations of Conti. While most ransomware gangs are monetarily motivated, Conti is also
motivated by the desires of their country.
Conti is based and primarily operated out of Russia. Russia allows cybercrime groups to
operate out of the country with relative freedom. The Russian government is widely known to
overlook ransomware attacks from their country as long as the perpetrators avoid attacks against
Russia and Russian companies (Burgess, 2022). Because of this freedom, most ransomware
gangs trace back to Russia. Some ransomware strains never attack Russian organizations because
of how the malware is coded. Some ransomware strains run scans on an infected network to detect whether
that network lies within Russian-controlled areas. The ransomware will shut itself down if the
infected network is in a Russian-controlled state, preventing its execution (Freeze, 2022). Conti
is tied to the interests of the Russian government, specifically Vladimir Putin, on a much closer
level. Leaks from Conti’s chat messages show that the ransomware gang is connected to Russia
and is involved with the government’s state-sponsored hackers (Burgess, 2022).
Being encouraged by the Russian government led Conti to attack critical infrastructure
and industries. For example, the Coronavirus (COVID-19) pandemic began in March 2020 and
contributed to increased cyber-attacks against the healthcare industry. COVID-19 caused most
governments to perform lockdowns to prevent the spread of the disease, and with that came an
increase in remote working (Minnaar & Herbig, 2021). Cybercriminals, including Conti, quickly
exploited the new remote working trend.
Conti’s Targets
Conti is responsible for a major attack on Ireland’s Healthcare Services Executive (HSE)
that caused significant disruptions and forced many healthcare professionals to revert to using
pen and paper to continue treating patients. The HSE attack began on May 14, 2021, when the
Conti ransomware compromised their network (PWC, 2021). Although the HSE attempted to
mitigate the damage by the ransomware through its Critical Incident Process, they lost access to
all Information Technology (IT) systems. The affected IT systems included critical systems like
patient information, clinical care, payroll, and procurement systems. Conti hid in the HSE’s
network before the ransomware’s execution, stealing confidential information. Despite the
HSE’s efforts, Conti demanded ransom for access to encrypted machines and the previously
stolen confidential information (PWC, 2021).
Although the attack against the HSE proves Conti does not regard the consequences for its
targets, Conti will also attack entire governments if they deem it necessary. Conti also attacked
the Costa Rican government in May 2022. Conti’s attack against Costa Rica is markedly different
because Conti’s intent is much more sinister (Faife, 2022). The ransomware attack massively
disrupted the government and affected an estimated 27 government agencies, including the
Finance Ministry and the Ministry of Labor and Social Security. Costa Rica’s President Chaves
declared war against Conti due to their statements about their attack. Conti publicly stated that
their goal in the attack was to “overthrow the government utilizing a cyberattack” (Faife, 2022,
para. 4). Although the attack may seem non-monetarily motivated, Conti still demanded a large
ransom from Costa Rica. The original ransom of $10 million changed to $20 million after Costa
Rica refused to pay (Faife, 2022).
Conti regularly partners with other malware gangs to aid in distributing their
ransomware. Documentation shows that threat actors such as Conti and Emotet will use a
combination of each other’s malware during an attack. Emotet is another malware gang based in
Russia. Emotet uses mass email phishing campaigns in its attacks against organizations. During
these attacks, Emotet sends emails with malicious attachments that, when executed, download
separate malware from a staging site (Computer Fraud & Security, 2021). The cybercrime
intelligence group Intel 471 assessed with high confidence that victims infected through
Emotet’s malware spam operation enter a collection where they eventually get infected with
Conti ransomware (Intel 471, 2022). This correlation between Emotet and Conti victims offers
an insight into how often and easily targets get infected with the Conti ransomware.
This research project discovered a gap in available research when attempting to uncover
Conti’s new encryption method for the Conti ransomware. Conti previously incorporated the
Advanced Encryption Standard-256 (AES-256) when the Conti ransomware initially executed
and encrypted files on an infected system (CrowdStrike Intel Team, 2022). AES is a block cipher
technique commonly used in standard encryption due to its speed and versatility. AES-256 builds
upon this by encrypting data with 256-bit keys, leading to more secure encryption (Utami et al.,
2019). However, an August 2020 update saw Conti’s ransomware use the ChaCha Cipher as a
new encryption method during execution. As a result, the ChaCha Cipher gets used in
subsequent Conti encryptions since the 2020 update. There is currently not much information on
the ChaCha Cipher, although the change in cipher will allow a more efficient approach to
selecting files to encrypt (CrowdStrike Intel Team, 2022). Further studying the ChaCha Cipher
can lead to future decryption of the Conti ransomware.
Purpose Statement
The purpose of this research project was to provide a threat assessment of the Conti
ransomware gang by uncovering the group’s motivations and methods used to distribute the
malware and extort their victims. This paper examines why Conti targets companies, critical
infrastructure, and government entities without regard to consequences. Because Conti is willing
to attack various organizations, it is also important to understand how Conti and its affiliates
perpetrate their attacks. By knowing how Conti begins their attack and what its ransomware does
after execution, security professionals can create detections for Conti’s indicators of attack.
The general problem is that Conti remains one of the most relentless cybercriminal
organizations. Conti uses sophisticated ransomware and techniques to attack businesses, critical
infrastructure, and governmental agencies (Hickman, 2021). Because of this, it is difficult to
understand how their attacks happen and how to mitigate or prevent them from occurring.
The specific problem is that the attacks perpetrated by Conti have dire consequences,
especially when its targets are critical infrastructure and government entities (Minnaar & Herbig,
2021). Conti will target most organizations regardless of their renown or sovereignty, except for
the Russian government and its allies (Freeze, 2022). Furthermore, the evolution of Conti’s
organizational structure and its ransomware-as-a-service model is something that future
ransomware gangs will adopt (Microsoft Security, 2022). Therefore, security professionals also
need to understand Conti’s methods to discover the indicators of a Conti attack.
The project intended to answer the following questions: 1) How is the Conti ransomware
gang a threat to global organizations? 2) What attacks are the Conti ransomware gang and
affiliates responsible for, and what have been their outcomes? and 3) What are Conti’s
techniques, tactics, and procedures (TTPs) throughout the Conti ransomware’s execution? The
research utilized for this project includes peer-reviewed journals, newspaper articles, and cyber
security articles.
The researched information presented in this project is for cyber security professionals
and individuals seeking to understand the Conti cybercriminal organization. The material gained
from this study provides information for those seeking to learn about Conti and why they are
considered a dangerous ransomware gang. This research provides the knowledge necessary for
cyber security professionals to know who Conti’s primary targets are and some insight into why
they are targets. Additionally, cyber security professionals will learn the TTPs employed by
Conti to incorporate indicators of attack for the Conti ransomware.
Literature Review
The ransomware-as-a-service (RaaS) model is an agreement between the ransomware
operator and an affiliate that purchases the malware. Ransomware operators are responsible for
creating and sustaining the equipment used in ransomware operations. This equipment
can include the builders that create ransomware executables and the payment
portals used to obtain ransoms from their victims (Microsoft Security, 2022). Several RaaS
platforms will also contain additional support to their affiliates during the extortion process of an
attack. The support may include creating information-sharing sites to display exfiltrated data
from their victims. Through this, the affiliate can prove to the victim that they got breached and
the affiliate stole their data (Microsoft Security, 2022).
Ransomware operators may sometimes offer support in retrieving ransom payments from
their affiliates’ victims. Operators can communicate with victims and pressure them into paying
the ransom, typically in some form of cryptocurrency. Some affiliates use operators to
compromise their targets and do not care about the payload or access gained from the operator’s
initial compromise. The affiliate can then use the newly gained access as a server to perform
other actions like privilege escalation or data exfiltration within the compromised network
(Microsoft Security, 2022). The Conti ransomware gang also utilizes the affiliate model in
ransomware attacks and uses its operators to gain initial access, retrieve confidential data, and
execute ransomware (Trend Micro, 2021).
The Conti ransomware is used in ransomware-as-a-service and gets utilized in prominent
attacks. Conti ransomware operators also use double extortion techniques and require their
victims to pay additional ransom payments. Ransomware operators use double extortion by
stealing confidential data from their target during their initial intrusion into their victim’s
network. Then, operators threaten to sell this stolen data unless the additional ransom is paid
(Trend Micro, 2021).
Countries across the globe realize that several active ransomware gangs choose to operate
out of countries such as Russia. However, Russia does not hold these criminal groups
accountable and shelters them from the deserved global retribution for their malicious attacks.
During the previous G-7 summit in June 2021, the G-7 committed to holding Russia accountable
for the malware groups (Nakashima, 2021).
Conti’s Russian Origin
Many ransomware attacks on US-based private and government agencies point back to
Russia. Most of the ransomware analyzed operates so that it would avoid executing on Russian-speaking victims (Sanger & Perlroth, 2021). On the July 4 weekend in 2021, the software
company Kaseya fell victim to a ransomware attack perpetrated by the Russian-based
ransomware group REvil. Kaseya’s software SolarWinds manages technology for other smaller
businesses. After REvil compromised Kaseya, the group used SolarWinds to breach at least
1,500 companies using the software (Sanger & Perlroth, 2021). A separate Russian-based
ransomware group, DarkSide, compromised the Colonial Pipeline in May 2021. The Colonial
Pipeline is the United States’ largest refined fuel pipeline. After DarkSide launched its attack on
the Colonial Pipeline, in addition to the $5 million ransom Colonial Pipeline paid, the Southeast
of the United States also suffered from gasoline shortages (Nakashima, 2021). Although the
Russian government could reprimand the criminal actors in their country, it is unlikely that they
will without significant actions taken by the United States government.
Rarely are Russia and its close allies the victims of ransomware attacks. Some
ransomware avoids execution on Russian-speaking systems. Ransomware can scan an infected
network and determine if the network or its devices lie within the Russian Commonwealth of
States (CIS). Should the infected network be located in the CIS, the ransomware can shut itself
down, preventing the attack from proceeding further. Jeremy Kennelly of the cybersecurity
company Mandiant stated, “You effectively see minimal or no CIS targeting in the known victim
lists of any major ransomware operator” (Freeze, 2022, para. 18). Kennelly further stressed the
Russia ransomware point by also stating that the largest ransomware groups (which would
include Conti) would rather have Russian-speaking affiliates (Freeze, 2022).
More recently, Conti has publicly sided with the Russian government and supports their
invasion of Ukraine in February 2022. In May 2022, the cybersecurity threat intelligence group
Advanced Intel claimed that this support was more than a vocal announcement and that the
group had not received any ransoms since the invasion started. The stoppage of ransom
payments is likely due to sanctions levied by the United States government. Advanced Intel
stated that “the group [Conti] can no longer sufficiently support and obtain extortion” (Culafi,
2022, para. 6). Advanced Intel further stated that Conti’s victims are forbidden from paying
ransoms demanded before the invasion. Advanced Intel also claims that some of Conti’s victims
refuse to make payments to Conti as they are now essentially a ransomware group sponsored by
the Russian State (Culafi, 2022).
Conti’s Organizational Structure
A thought-provoking aspect of the Conti gang that differs from most ransomware gangs
is that they structure themselves like a legitimate organization. The cyber security software
company, Check Point Software, offers software and products to protect their customers from
various forms of malware, denial of service, and other cyber-attacks. Security researchers at
Check Point Software discovered that Conti hires for and maintains various organizational
departments such as human resources, management, and finance (Landau, 2022). These
departments operate in a typical managerial fashion, with employees reporting to management
reporting to upper management. Conti employs salaried employees paid in Bitcoin and
negotiators paid on commission from paid ransoms. One of the more surprising details discovered
is that Conti also has an employee of the month program where a chosen employee is rewarded
with a bonus equal to half their salary (Landau, 2022).
An anonymous Ukrainian cybersecurity researcher released over 60,000 leaked Conti
chat logs and files in late February 2022. The chat logs provide glimpses into how Conti interacts
with the Russian government. The Conti chat leaks also provide an insight into how the
organization’s internal departments are structured. Conti shares many similarities with legitimate
businesses in their structure of organizational hierarchy. This normality extends to Conti’s hiring
process with a Human Resources department that interviews and hires potential employees
(Krebs, 2022a). Conti maintains various other departments with budget allocation, staff, and
management. However, the operations of some of these departmental units would be unfamiliar to a
typical business. For example, Conti employs units dedicated to creating and integrating malicious
code into malware and other technologies, as well as testers that obfuscate the code and run their
malware against security tools attempting to bypass it (Krebs, 2022a). Conti has departments
responsible for searching for computer vulnerabilities and weaknesses through disassembling
computer code for other departments’ exploitation. The departments responsible for exploiting
vulnerabilities create and manage command-and-control servers. The command-and-control
servers exfiltrate data and install the Conti ransomware on the infected device (Krebs, 2022a).
Cybersecurity researchers monitoring Conti at Advanced Intel found that on May 19,
2022, Conti shut down their internal infrastructure. The Conti Tor admin pages used to publish
content and negotiate ransom payments with victims are no longer operational, leading the
researchers to believe that a significant shake-up is occurring with the ransomware gang. It is not
likely that the Conti ransomware group will disappear completely. Conti will likely remain an
active threat through partnerships with other ransomware groups, effectively shedding their
names while operating under the same leadership (Abrams, 2022).
Ransomware families tend to rebrand themselves once pressured enough by global law
enforcement. For example, after the United States Department of Justice recovered much of the
Colonial Pipeline ransom and an individual seized DarkSide’s internet servers, DarkSide
announced its shutdown. DarkSide’s shutdown coincided with the start of BlackMatter, a new
ransomware gang using the same unique encryption techniques used by DarkSide. Experts
believe that DarkSide is a rebranded version of BlackMatter. Likewise, REvil shut itself down at
about the same time that DarkSide shut down. However, the CEO of Intel 471 stated that it is
still uncertain if BlackMatter is the REvil crew or if it is a rebranding of DarkSide. Conti’s
abrupt shutdowns of its services could also indicate a rebranding with the United States’ recent
offer of $10 million for information on Conti affiliates and operators (Krebs, 2021).
High-profile Conti Attacks
The mid to late 2010s saw ransomware attacks on more prominent organizations and
critical infrastructures. The most infamous of these early ransomware attacks was the attack on
Los Angeles, California’s Hollywood Presbyterian Medical Center (Medical Center) in 2016. As
with most ransomware victims, Medical Center saw their files encrypted, and they could not
access them (Moran et al., 2021). The attack perpetrators demanded $17,000 in Bitcoin for
access to a key to decrypt the unusable files. Due to the relatively small ransom price, Medical
Center did pay out the amount required for the decryption key. The damage to their reputation
and the money spent to upgrade their infrastructure was much more significant (Moran et al.,
2021). Since then, ransomware has become much more sophisticated, and the amounts
demanded as ransom have increased significantly.
The cost incurred and damage caused by these early ransomware attacks pale compared
to the more recent attacks of the 2020s. The Conti ransomware gang’s attacks, in particular,
cause much more financial and reputational damage than the early Medical Center attack. As
with the Medical Center attack, Conti is willing to attack hospitals, healthcare systems, and other
critical infrastructure institutions. The outages caused by Conti’s attacks have dire consequences
and can result in loss of life if essential systems such as medical services or dispatch carriers are
affected (Hickman, 2021).
During the beginning and height of the COVID-19 pandemic, news and media outlets
widely reported the pandemic and its international effects. This widespread and constant
awareness of the disease exposed the public to a new outbreak of cybercrimes. Many searched
online for additional information on COVID-19 and how they could best protect themselves and
their families (Minnaar & Herbig, 2021). Cybercriminals used this desperate time to exploit a
vulnerable public. Cybercriminals used the pandemic as a basis for new phishing campaigns.
These emails contained topics related to the COVID outbreak. Still, they included malicious
links that could, for example, direct a user to a spoofed website where the user might provide
login information (Minnaar & Herbig, 2021). This login information would then get transmitted
to the attacker who sent the phishing email. The use of COVID-19 to exploit the public also
extended to cybercriminals seeking larger targets. Hospitals and healthcare facilities are massive
targets and are generally among the least secure critical infrastructure sectors. The pandemic also
saw these institutions increasingly becoming targeted by cybercriminals (Minnaar & Herbig,
2021).
The Healthcare Service Executive Attack
Conti’s attack on Ireland’s Health Service Executive (HSE) represents the worst
ransomware attack against hospitals and healthcare systems. The HSE is a significant public
organization that provides all the public health services to hospitals and communities for nearly
4,000 locations and 54 hospitals across Ireland. The public services impacted by the HSE are
essential services throughout the hospital system, including the national ambulance service
(PWC, 2021). Additionally, the HSE is also the largest organization in Ireland, employing a staff
of more than 130,000 employees. For these reasons, the HSE is considered part of Ireland’s
critical infrastructure by the European Union Network and Information Security Directive (PWC,
2021).
Conti gained initial access to the HSE network through an application or software with
access to the internet. Conti exploited this internet-accessible application by sending phishing
emails containing an attached document with malicious macros (Moran Stritch, 2021). Once the
macro executes, the victim connects to the attacker’s command-and-control server to wait for
further instructions. Conti then began using the infected system to infect other systems in the
HSE network (Moran Stritch, 2021).
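A defender-side check for the chain just described (an Office macro launching a script host that then calls out to a command-and-control server), added here as an example; it is not code from the paper, the HSE investigation, or any vendor. The event format, the log lines and the process-name lists are constructed, simplified Sysmon-style assumptions.

```python
import json

# Office applications whose child processes we scrutinise (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and living-off-the-land binaries a macro commonly launches.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry (simplified Sysmon-style events, one JSON
# object per line): Word spawns cmd.exe, which spawns powershell.exe, which
# then connects out; a cmd.exe started from Explorer is included as a benign
# control.  203.0.113.10 is a documentation-range address, not a real C2.
SAMPLE_LOG = r"""
{"type": "proc", "pid": 4120, "ppid": 812, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"type": "proc", "pid": 4388, "ppid": 4120, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe"}
{"type": "proc", "pid": 4402, "ppid": 4388, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"type": "net", "pid": 4402, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_ip": "203.0.113.10", "dest_port": 443}
{"type": "proc", "pid": 5210, "ppid": 812, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"type": "net", "pid": 5210, "image": "C:\\Windows\\System32\\cmd.exe", "dest_ip": "10.0.0.5", "dest_port": 445}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_macro_chain(lines):
    """Walk process-create and network-connect events in time order.

    Returns one finding per suspicious process, in order of first sighting.
    A process is suspicious when an Office app spawns a script host, or when
    its parent is already suspicious (so cmd.exe -> powershell.exe chains are
    kept together).  Severity starts at 'medium' and is raised to 'high' the
    moment the process opens an outbound connection, which is the macro-to-C2
    step described in the text.
    """
    findings = {}  # pid -> finding dict, insertion order preserved
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        pid = ev["pid"]
        image = basename(ev["image"])
        if ev["type"] == "proc":
            parent = basename(ev.get("parent_image", ""))
            office_spawn = parent in OFFICE_APPS and image in SCRIPT_HOSTS
            inherited = ev.get("ppid") in findings
            if office_spawn or inherited:
                root = findings[ev["ppid"]]["root"] if inherited else parent
                findings[pid] = {"pid": pid, "image": image, "root": root,
                                 "severity": "medium", "dest": None}
        elif ev["type"] == "net" and pid in findings:
            findings[pid]["severity"] = "high"
            findings[pid]["dest"] = f"{ev['dest_ip']}:{ev['dest_port']}"
    return list(findings.values())


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_macro_chain(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"[{f['severity']}] pid {f['pid']} {f['image']} "
              f"(root {f['root']}) -> {f['dest'] or 'no connection yet'}")
```

On the sample, the Word-spawned cmd.exe is reported at medium and its PowerShell child at high once the outbound connection appears, while the Explorer-spawned cmd.exe is not reported at all.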
After Conti obtained access to Ireland’s HSE IT environment, the attackers remained
undetected for eight weeks. During these eight weeks, they began compromising a massive
quantity of accounts and escalating their privileges for administrative actions (PWC, 2021). The
attackers also compromised several servers and exfiltrated confidential data from hospitals
within the HSE. At the end of those eight weeks (May 14, 2021), the attacker sent and detonated
the Conti ransomware (PWC, 2021).
The ransomware’s detonation caused an instant outage in HSE’s clinical and non-clinical
systems. The outages caused by the ransomware attack also included communication channels,
connected phone lines, and email communications. The Conti attack sought to disrupt Ireland’s
hospital and healthcare systems, steal confidential and patient data, and demand a ransom to
access and retrieve the data (PWC, 2021). HSE refused to pay the ransoms and sought out
PricewaterhouseCoopers (PWC) to remediate the attack. On September 9, 2021, PWC decrypted
all the affected servers and restored all applications (PWC, 2021). Although the HSE attack
represents one of Conti’s most brazen attacks for ransom against the healthcare industry, not all
of Conti’s attacks are against hospitals.
The Costa Rica Attack
The Conti attack on the Costa Rican government showcases the ransomware group’s
willingness to attack nation-states. The Conti ransomware gang began to attack Costa Rica’s
governing bodies in the week of April 10, 2022. During this time, Conti targeted 27 agencies,
including the Ministry of Finance, with systems responsible for digital tax services and customs
control (Burgess, 2022b). The attack crippled the country and halted intranational trade, causing
the Costa Rican government to lose millions of dollars. Private businesses also faced a loss in
revenue from the Conti attack. Reports from local businesses state that the disruption caused
significant losses to imports and exports, with an estimated “$38 million per day up to $125
million over 48 hours” (Burgess, 2022b, para 8).
Costa Rica’s President Chaves declared war against the Conti ransomware gang for their
persistent attacks against the Costa Rican government. Conti’s attacks against the country are
blatant, and the group publicly stated that they intend to “overthrow the government utilizing a
cyberattack” (Faife, 2022, para. 4). Conti posted messages on their website advocating for Costa
Ricans to compel their government into paying Conti’s demands. However, after President
Chaves’ refusal, Conti doubled its ransom demand from the original $10 million to $20 million
(Faife, 2022).
On May 31, 2022, a second attack against Costa Rica occurred. However, the
perpetrators of this attack appeared to use the HIVE ransomware rather than Conti. Because the
HIVE ransomware has links to the Conti family, security experts believe the attack is by the
same group (Burgess, 2022b). The Conti ransomware gang may have also shut down
servers and chat portals because of their recent show of support for the Russian invasion of
Ukraine in February 2022. Conti’s support backfired, as their publicly stated allegiance made
them unable to collect demanded ransom payments (Krebs, 2022b). Because of this allegiance,
victims who pay the ransom could violate the United States economic sanctions on Russia.
Advanced Intel also learned through leaks in Conti’s internal
communications that payment is not the goal of the Costa Rica attack. Instead, Advanced Intel
claims that Conti is using the attack to create the illusion of Conti as the world’s greatest
ransomware gang when, in reality, they are currently dismantling themselves (Krebs, 2022b).
Understanding the Cyber Kill Chain
Before examining Conti’s typical operations, it is important to understand that cyberattacks
will generally follow the same sequence of events, culminating with the attackers causing
harm to the victimized party. In 2011, Lockheed Martin developed the Cyber Kill Chain (kill
chain) model to understand an attacker’s process. Although there are proposals to improve the
model by adding and removing some kill chain model stages, the model remains unchanged
(Villalon-Huerta et al., 2022). The kill chain addresses the problems discovered and methods
utilized by specific Advanced Persistent Threats (APTs). Through understanding an APT
through the kill chain, security professionals can create models of the attack stages against
critical infrastructures and organizations (Villalon-Huerta et al., 2022).
Figure 1
Lockheed Martin Cyber Kill Chain Model
Note. The seven stages of the cyber kill chain model. Lockheed Martin, n.d.,
(https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)
The first stage of the kill chain is reconnaissance. The reconnaissance stage involves the
attacker identifying their target and researching how to attack them best. The second stage is
weaponization, which consists of creating the malicious payload deployed to its target
(Villalon-Huerta et al., 2022). Stage three is delivery, the method by which the payload gets delivered
to the targeted system. In the exploitation stage, stage four, the delivered payload gets executed
on the victim’s machine. The next stage (stage five) is installation and involves the creation of
backdoors or some other malicious software used in stage six (Villalon-Huerta et al., 2022).
Next, at the command-and-control stage, the victimized system connects back to the attacker’s
command server to wait and listen for further actions. Lastly, at stage seven, the attacker
carries out their actions on objectives. In the case of the Conti gang, these actions are typically
to steal confidential data and execute the Conti ransomware (Villalon-Huerta et al., 2022).
Ransomware Infection
Like all forms of malware, the Conti ransomware can only execute after being installed
on an infected machine. Conti uses several methods to install itself on a previously
uncompromised machine. Remote Desktop Protocol (RDP) is one such attack vector that the
Conti gang or affiliates can exploit. Attackers may also attempt to exploit known vulnerabilities
in Microsoft Exchange, firewalls, or, more recently, the Apache Log4j vulnerability
(Kasiviswanathan & Kamble, 2022). Most Conti attacks include coordinated spear-phishing
campaigns with separate malware strains. For example, phishing emails containing links to
Google Drive with malicious payloads cause the infected device to reach out to domains hosted
by malware strains such as Qakbot or Emotet. Some cases of Conti infection have also seen
attackers use the malware to install the Cobalt Strike command-and-control framework. Cobalt
Strike further compromises a network via lateral movement by pivoting to other systems on the
network (Kasiviswanathan & Kamble, 2022). Regardless of the method used to infect a machine,
the Conti ransomware gets deployed to all affected devices for execution.
Conti Email Phishing
The Conti ransomware gang and affiliates initially get access to targeted environments
via email phishing. This technique involves the attacker sending malicious emails to the targeted
organization’s employees. Attackers design these emails so the recipient is goaded into opening
or downloading the email’s contents. The email will contain a document or attachment with
some method of contacting and downloading malware from the internet. Cybercriminals use
email phishing attacks so frequently that the security researcher Calvin Nobles, a fellow at New
America’s Cyber Security Initiative, studied how often human error caused a breach. Nobles’
study discovered that human error, including malicious emails, is responsible for roughly 90% of
cyber security incidents (Kemper, 2019).
Conti operates with other forms of malware and groups like Trickbot and Emotet. Emotet
attacks function as malicious email spam sent to many recipients with the hope of someone
executing the malware within the email. The Conti gang and affiliates use Emotet’s widespread
phishing attacks and malicious spam services to obtain a foothold in a victim’s network or device
(Intel 471, 2022). After infecting a user, Emotet lists the organization as a target in a pool of
potential ransomware targets. For a fee, a ransomware operator can choose their next victim with
detailed information regarding the infected system extracted by Emotet (Intel 471, 2022).
However, Conti attacks have begun shifting more towards the Trickbot gang (Trickbot) to aid in
their initial network compromise. Trickbot operates the same way as Emotet, acting as an initial
staging malware used to download and install the secondary payload of the Conti ransomware
(Rochberger, 2021).
Privilege Escalation
A device infected with Trickbot’s or Emotet’s staging malware will usually begin
downloading a malicious file to provide the attacker access to the infected device. After the file
gets executed, it will cause the device to reach out to a command-and-control server, typically
Cobalt Strike, through the TLSv1 protocol (Umar et al., 2021). Once connected, the infected
device exchanges malicious data with the Conti command-and-control server while the attacker
escalates privileges. This covert data transfer also shows that the device in question is infected
with some form of malware and is possibly exfiltrating data to a malicious actor (Umar et al.,
2021). Once the transfer completes, malware will attempt to spread throughout the network
laterally through various methods such as SMB (Umar et al., 2021).
The Conti leaks explain how Conti searches an infected network for privileged access.
Conti attackers use several Windows native commands (such as Net) and enumeration tools
(such as ADFind) to access an organization’s Active Directory to gather a list of the
organization’s users. Active Directory is an identity store of usernames and passwords for all
employees that log into the organization’s network (Largent, 2022). In addition, Conti actors will
also use Open-Source Intelligence (OSINT) methods such as social media sites to discover
employees and their roles to exploit them for privileged access. Unfortunately, the leaks also
state that this practice of OSINT is much easier for organizations based in the US and EU due to
how often roles and responsibilities get described in job postings (Largent, 2022). Conti’s
primary focus when attempting to escalate privileges is discovering the domain admin
credentials. These credentials would allow Conti complete and unfettered access to the entire
network (Trend Micro, 2021).
Ransomware Execution
From January to March 2022, the Conti ransomware gang had the source code of its
malware leaked (Cisco Talos, 2022). The leaks can provide more insight into how the malware
operates, and malware analysts can create additional indicators of attack for the Conti
ransomware. However, these leaks can make it more difficult to attribute attacks to the Conti
gang (Cisco Talos, 2022). In addition, other malicious actors may use the leaked source code to
modify the Conti ransomware or attack businesses using methods not usually observed in Conti
attacks.
The most recent strain of the Conti ransomware is more dangerous and has increased
capabilities compared to its predecessors. The Conti ransomware version 3 gets downloaded as
an independent executable that acts as a loader and a dynamic linked library (DLL) (Rochberger,
2021). Because the Conti ransomware is contained in a single executable, it can reference itself
during execution and so carry components that the victim’s system may not have. The Conti
ransomware can also spawn up to 32 independent threads for concurrent file encryption on its
target (Baskin, 2020).
After sufficient files get transferred to Conti or their affiliates, the ransomware operators
will download and execute the Conti ransomware. The Conti ransomware is unique when
compared to other ransomware families. Ransomware operators connected to the
command-and-control server can scan the entire network for specific data. Operators can also make the
ransomware skip encryption of files stored locally on an infected machine and target networked
SMB shares instead. Additionally, the ransomware can target specific IP addresses inputted by
the operator, allowing them even more control over what is encrypted (Baskin, 2020).
File Encryption
Asymmetric encryption involves using a public and a private key for either encryption or
decryption of a file. Each of the encryption keys gets used once. The public key is typically
freely available, allowing the recipient to send their public key to the sender. The sender will
then encrypt the necessary file using the recipient’s public key and send the newly encrypted file
to the recipient. Once the recipient receives the encrypted file, they will use their private key to
decrypt it, revealing the file’s contents. The private key remains with the recipient and is not
freely available for others to retrieve, decreasing the likelihood of outside parties decrypting the
files (Rajneesh, 2018). Although the public key encryption method is a secure approach to
sending and receiving files, ransomware uses the public key encryption architecture for
malicious purposes.
Conti has continually been under development, with new features and obfuscation
techniques integrated nearly weekly (CrowdStrike Intel Team, 2022). An example of how
Conti’s methods have evolved is the change in its encryption method. Originally,
Conti encrypted victims’ files with AES-256. In August 2020, Conti changed their encryption
methods to be more efficient by instead encrypting files with the ChaCha stream cipher
(CrowdStrike Intel Team, 2022).
The Conti ransomware can spawn up to 32 independent threads for concurrent file
encryption on its target. The increased threads contribute to the ransomware having a much
faster file encryption speed when compared to other ransomware families. Once executed, the
ransomware will attempt to stop all services and prevent system recovery on the infected system.
The Conti ransomware accomplishes this by using vssadmin commands to delete shadow copies
and resize shadow storage on the system drives. Once the victim’s services are stopped and the
system cannot be recovered, the ransomware begins encrypting all files on the system except
for files that have the .exe, .dll, .lnk, or .sys extension (Baskin, 2020).
During the encryption process, encrypted files receive a “.CONTI” file extension.
The resulting file is unusable without the proper decryption key, so the disruption to the
victim’s system grows with the number of files encrypted. As the ransomware iterates over the
system and encrypts files, it generates a ransom note in each folder containing encrypted files
(Baskin, 2020). The ransom note informs the victim that their systems are infected and their files
are encrypted with the Conti ransomware. The ransom note goes into further detail, stating that
the victim should contact Conti through an email address provided in the note. The note then lists
sites where the victim can download and install The Onion Router (Tor) and gives the address of
Conti’s communication site. The last information included in the ransom note is that Conti will
publish the victim’s stolen data if their demands are unmet (Rochberger, 2021).
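As an added example, not code from the paper or from any vendor's product, the following Python script turns the behaviours described in the Privilege Escalation and File Encryption sections into detection rules run over constructed Windows telemetry: Net and ADFind enumeration, vssadmin shadow copy deletion and storage resizing, a burst of renames to the .CONTI extension, and the same note file being dropped folder by folder. The log layout, host names, thresholds and the ransom note filename are assumptions.

```python
"""Detection rules for the Conti behaviours this paper describes.

Added example (not the paper's or any vendor's code). Log layout, hosts,
thresholds and the ransom note filename are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    host: str
    stage: str       # phase of the Conti attack, as named in the paper
    severity: str
    detail: str


# Command-line patterns for the tools the paper attributes to Conti operators.
NET_ENUM_RE = re.compile(r"\bnet1?(?:\.exe)?\s+(?:group|user|localgroup|view)\b", re.I)
ADFIND_RE = re.compile(r"\badfind(?:\.exe)?\b", re.I)
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
VSS_RESIZE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)


def scan_process_events(events):
    """events: (timestamp, host, user, command line) tuples -> list of Alert."""
    alerts = []
    for _ts, host, user, cmd in events:
        if NET_ENUM_RE.search(cmd) or ADFIND_RE.search(cmd):
            alerts.append(Alert(host, "privilege escalation", "medium",
                                f"{user} enumerated Active Directory: {cmd}"))
        if VSS_DELETE_RE.search(cmd) or VSS_RESIZE_RE.search(cmd):
            alerts.append(Alert(host, "ransomware execution", "high",
                                f"{user} tampered with shadow copies: {cmd}"))
    return alerts


def _burst(stamps, window_s, threshold):
    """True if at least `threshold` timestamps fall inside some window_s-second span."""
    stamps = sorted(stamps)
    left = 0
    for right in range(len(stamps)):
        while (stamps[right] - stamps[left]).total_seconds() > window_s:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def scan_file_events(events, window_s=60, rename_threshold=10, note_threshold=5):
    """events: (timestamp, host, action, path) tuples, action in {rename, create}."""
    conti_renames = defaultdict(list)   # host -> times of renames to ".CONTI"
    note_folders = defaultdict(set)     # (host, filename) -> folders it was created in
    for ts, host, action, path in events:
        when = datetime.fromisoformat(ts)
        folder, _, name = path.rpartition("\\")
        if action == "rename" and name.lower().endswith(".conti"):
            conti_renames[host].append(when)
        elif action == "create":
            note_folders[(host, name.lower())].add(folder.lower())
    alerts = []
    for host, stamps in conti_renames.items():
        if _burst(stamps, window_s, rename_threshold):
            alerts.append(Alert(host, "ransomware execution", "critical",
                                f"{len(stamps)} files renamed to .CONTI, "
                                f"at least {rename_threshold} within {window_s}s"))
    for (host, name), folders in note_folders.items():
        if len(folders) >= note_threshold:   # same file dropped folder by folder: note pattern
            alerts.append(Alert(host, "ransomware extortion", "high",
                                f"'{name}' created in {len(folders)} folders"))
    return alerts


# Constructed sample telemetry (not real logs); the note filename is assumed.
PROCESS_EVENTS = [
    ("2021-05-14T01:02:00", "WS01", "jdoe", 'net group "Domain Admins" /domain'),
    ("2021-05-14T01:02:30", "WS01", "jdoe", "AdFind.exe -f objectcategory=person -csv"),
    ("2021-05-14T03:10:00", "SRV02", "SYSTEM", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2021-05-14T03:10:05", "SRV02", "SYSTEM",
     "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"),
    ("2021-05-14T03:11:00", "SRV02", "SYSTEM", "notepad.exe C:\\temp\\readme.txt"),
]
FILE_EVENTS = (
    [("2021-05-14T03:12:00", "WS01", "rename", r"C:\Users\jdoe\Documents\notes.bak")]
    + [(f"2021-05-14T03:12:{i:02d}", "SRV02", "rename",
        rf"D:\Shares\Finance\dept{i % 6}\report{i}.xlsx.CONTI") for i in range(12)]
    + [(f"2021-05-14T03:13:{i:02d}", "SRV02", "create",
        rf"D:\Shares\Finance\dept{i}\readme.txt") for i in range(6)]
)

if __name__ == "__main__":
    for alert in scan_process_events(PROCESS_EVENTS) + scan_file_events(FILE_EVENTS):
        print(f"[{alert.severity:8}] {alert.host} {alert.stage}: {alert.detail}")
```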
Ransomware Extortion
After the ransomware on an infected machine encrypts the machine’s files, the next phase
is to extort money from the machine’s owner. Ransom notes are usually threatening letters and
may include a countdown timer and the amount requested as ransom in USD or some form of
cryptocurrency. Payment addresses included in ransom notes are Bitcoin wallet addresses or
websites created by affiliates (Conti et al., 2018). Ransom notes will also include details on how
a victim can purchase Bitcoin or other cryptocurrencies if requested as a ransom. Once the victim
pays the demanded ransom and the attacker confirms it, either the ransomware begins decryption
of the encrypted files or the victim is directed to a site to download a decryption tool (Conti et
al., 2018).
The RaaS model has evolved to include the double extortion technique to further force
victims into paying more money. Although the process of demanding money from a ransomware
attack is a form of extortion, double extortion seeks to gain additional compensation through
threats to distribute data (Microsoft Security, 2022). Conti also uses the double extortion
technique when performing attacks against organizations. Conti will steal the data from the
targeted organization during their network exploration and before they execute the ransomware.
Conti then threatens to publish this stolen information to extort more from the victim
organization (Rochberger, 2021).
Ransom Negotiations
Once the execution of the Conti malware has occurred, and the infected system’s files are
encrypted, Conti operators begin communication with the victimized party. Recorded
communication by the ransomware operators during their extortion process revealed patterns in
how they attempted to negotiate the amount ransomed (McKay et al., 2022). The operators
communicate professionally using what seems to be a scripted introduction at the start of their
communications. They also employ unemotional and straightforward messages to keep the
conversation from deviating from the ransom they want to receive. Conti operators attempt
to convince their victims to pay these ransoms immediately or suffer the consequences that the
operators state will happen (McKay et al., 2022).
Conti’s promises to restore or decrypt files after a ransom payment are not always true.
Palo Alto’s Unit 42 is a cyber security threat intelligence team that researches and publishes
information on adversaries like Conti. A client of Unit 42 could only decrypt a small percentage
of their files after paying Conti’s demands. With the few files restored, the Conti negotiators
retreated into the dark web (Hickman, 2021). A separate Unit 42 client reported that they sought
an inventory of all compromised files from Conti to notify the parties and individuals of the
breach. Conti agreed to provide the client with this information once the client paid the ransom.
However, the inventory list did not get sent to the client. The Conti representatives refused,
insisting that they did not have the requested data anymore and that there was no way of
restoring it (Hickman, 2021).
Attacks perpetrated by Conti can result in significant financial loss and loss of confidence
in the victimized organization. Conti uses a multistage approach during engagements that
typically starts with an initial compromise through malicious emails. Once the target is
compromised, Conti searches for more vulnerable devices. Next, Conti attacks will usually result
in the unleashing of the Conti ransomware and confidential data exfiltrated from the
organization. Lastly, Conti pressures the victim into paying a ransom to decrypt the files
encrypted by the Conti ransomware and to have their stolen data returned without being published
(Rochberger, 2021).
Discussion of the Findings
The purpose of this research project was to provide a threat assessment of the Conti
ransomware gang by uncovering the group’s motivations and methods used to distribute the
malware and extort their victims. This paper examines why Conti targets companies, critical
infrastructure, and government entities without regard to consequences. Because Conti is willing
to attack various organizations, it is also important to understand how Conti and its affiliates
perpetrate their attacks. By knowing how Conti begins their attack and what its ransomware does
after execution, security professionals can create detections for Conti’s indicators of attack. The
research utilized for this project intended to answer three specific questions.
Conti’s Motivations
The first question that this research paper sought to answer is, “How is the Conti
ransomware gang a threat to global organizations?” This question is important because it can
explain who Conti targets and why. Conti does not typically discriminate in its targets, but there
are industries and geographic locations that Conti attacks at an increased frequency.
Cybersecurity professionals can use this research to discover if they are a prime target for Conti,
adjust their defenses, and prepare for potential Conti attacks.
Conti is a ransomware gang willing to target any organization or governmental agency
for the opportunity of a large payout. With ransom demands topping $25 million, it is evident
that Conti is extremely financially motivated. Examining Conti’s targets also proves Conti’s
financial motivation. Conti typically targets high-value agencies and businesses that can provide
large payouts if successfully compromised. One high-value sector that Conti consistently targets
is hospitals and the healthcare industry. Medical data and personal information are valuable
commodities easily sold on the darknet. Conti also extensively targets hospitals due to their usual
lack of adequate security systems and awareness training. The COVID-19 pandemic thrust
hospitals into the spotlight, and they became some of the most targeted organizations. Therefore,
hospitals rate highly in Conti’s cost-benefit analysis when choosing its next targets.
In 2022, Conti revealed that their motivations also align with the Russian government in
addition to being financially motivated. Ransomware attacks emanating from Russia have a
history of being overlooked by the Russian government. Ransomware strains from Russia also
avoid execution on Russian-speaking systems. The Conti ransomware also follows the example
of originating from Russia and halting execution on Russian-speaking devices. Furthermore,
Conti’s vocal support of Russia’s invasion of Ukraine is further evidence that Conti is allied
with the Russian government. Conti’s statement of support came from the assertion that they
would attack any individual targeting Russia. The chat logs obtained by Advanced Intel also
show the closeness and communications between Conti and the Russian State. Conti’s alignment
with the Russian government may indicate some overlap with its members and Russian
government employees. However, Conti’s support has also made it more difficult for them to
extort ransom payments.
However, the members of Conti found a way to circumvent their new label as nation-state
actors by rebranding as a new ransomware gang. Shortly after Conti announced support for
Russia’s Ukraine invasion, many of their affiliates expressed their opposition to the statement.
That opposition resulted in leaks that uncovered some of Conti’s techniques and organizational
structure. Conti’s support made them appear as a nation-state hacker group, causing victims that
pay ransoms to violate economic sanctions. The possibility of violating sanctions led to Conti
victims seeking advice and getting told to refuse payment of Conti’s demands. Conti is
rebranding as Hive to avoid the issues their support has caused. Even though the group’s name
changes, the impact of their attacks remains the same.
Impact of Conti Attacks
This research paper sought to answer the second question: “What attacks are the Conti
ransomware gang and affiliates responsible for, and what have been their outcomes?” The impact
and damage caused by a successful Conti attack provide insight into how disruptive and
destructive Conti is. Cybersecurity professionals can use this research to understand the potential
damage caused by the successful execution of the Conti ransomware. The answers obtained from
the second question will also give cybersecurity professionals insight into the aftermath of a
Conti attack.
Conti is motivated by greed and possibly by the Russian government, and the resulting impact
of a Conti attack is immense. During a Conti attack, the group usually first attempts to compromise
the victim network through a coordinated phishing email campaign. Once an employee opens
and executes the contents of the email, Conti gains access to the network through
command-and-control servers. During this phase of a Conti attack, Conti searches the victim’s network to
escalate their credentials to domain administrator privileges. Conti also uses this time to discover
confidential information and trade secrets to steal from the network. Privilege escalation is vital
for Conti because domain administrator privileges allow Conti full access to the network.
The access granted by domain administrator credentials also gives Conti the ability to
leave the Conti ransomware on various systems on the network. Conti gains access to more
systems so they can compromise and encrypt more files. As the number of encrypted files grows,
the targeted organization will face even greater disruptions. Ireland’s HSE attack shows the
disruptions caused after the Conti ransomware executes. Conti had enough time in HSE’s
network to obtain entry to several other departments and locations throughout the HSE network.
The Conti ransomware effectively shut down the HSE after execution. Conti forced the HSE to
revert to pen and paper for patient treatment and routine office work until the critical application
backups got restored. However, it still took months for the HSE to restore backups and recover
from the attack.
Conti’s attack on the Costa Rican government is another example of how disruptive the
Conti ransomware is after execution. While there are no clear motivations behind Conti’s attack
on Costa Rica, the attack caused significant damage to the government. Costa Rican government
employees likely fell victim to a phishing campaign like the HSE attack. After that, Conti
connected government systems to command-and-control servers to search and spread throughout
the network. As a result, Conti compromised 27 government agencies and crippled the entire
government and private companies, causing trade and tax stoppages that cost the country
millions of dollars. There are far-reaching consequences of the attack not yet understood. The
attack illustrates how important it is for security professionals to understand how to mitigate and
prevent Conti attacks.
Conti’s Attack Patterns
The final question researched is “What are Conti’s techniques, tactics, and procedures
(TTPs) throughout the Conti ransomware’s execution?” Conti regularly uses other malware
groups for their malicious spam email operations to gain initial footholds on victim networks.
These phishing emails usually have links to Google Drive hosting the malicious payload. Once
the victim selects the link and reaches the Drive, the payload gets downloaded and executed on
the victim’s machine. Intel 471 discovered that phishing attacks carried out by other malware
groups are the most common way that Conti achieves access. Trickbot and Emotet are prime
examples of malware groups that Conti utilizes for their initial access.
By leveraging other malware groups, Conti can focus most of its time and resources on
updating the Conti ransomware and discovering new attack vectors. Chris Krebs’ research found
that Conti employs a research and development department within its organizational hierarchy.
By using the existing spam email architecture of other malware groups, Conti can allocate more
funds to further research of the Conti ransomware. The latest version of the Conti ransomware
contains 32 independent threads dedicated to encrypting files on the victim’s machine. The
number of threads responsible for encrypting files causes the Conti ransomware to encrypt files
at a greater speed when compared to most ransomware families. The Conti ransomware or its
successors can become even quicker at encrypting files if Conti puts enough time and resources
into developing its next ransomware update.
Once Conti enters a victim’s network, it can remain hidden for months before the Conti
ransomware detonates. Conti uses the time it remains hidden to navigate the network, compromise
other devices, and locate valuable data. Conti also uses tools like Net and ADFind to aid in its
search for employee credentials. The tools that Conti uses to discover an organization’s users are
helpful, but OSINT is likely the easiest way for Conti to discover employees and their titles.
Employees that post on social media open themselves up to compromise and widen their
organization’s attack surface. The longer Conti persists in a victim’s network, the greater the
damage they can cause. Conti has greater chances of compromising additional devices the longer
it waits in a victim’s network.
The HSE attack shows how long Conti is willing to remain hidden while searching for
other vulnerable devices. Conti hid in HSE’s network for eight weeks before they executed the
Conti ransomware. While inside the network, Conti used lateral movements and privilege
escalations to access most of the HSE. The damage caused by the HSE attack also highlights
Conti’s callousness. Even though the HSE is Ireland’s largest public healthcare system, Conti
was willing to shut it down for the chance of a large payout.
Some organizations may first think that surrendering to Conti and giving in to their
demands is the answer to obtaining the decryption key for the encrypted files and applications.
Conti promises that victims who pay the ransom payments will have their files decrypted and
their stolen data deleted before publication. However, even paying Conti’s ransom demands is
not guaranteed to revert the disruption and damages caused by Conti’s attack. There are reported
cases of victims still unable to decrypt files encrypted by the Conti ransomware. In those
cases, the decryption key provided by Conti may not recover all of the encrypted files.
Additionally, organizations seeking inventory of the affected and compromised servers
may not receive the requested information. Conti representatives and operators are not required
to provide information, and it is not unusual for them to refuse these requests. Moreover, victims
conceding to Conti’s demands may also become liable to legal action.
Conti’s statements of support for Russia’s invasion of Ukraine also show the dangers to
victims that answer Conti’s demands. The Russian government harboring ransomware gangs like
Conti has caused Russia to face global backlash. Conti’s declaration of support for Russia and
refusal to attack Russian-speaking systems makes security experts believe that Conti is working
under the influence of the Russian government. Culafi stated that ransom payments to Conti are
potentially delivered to a sanctioned individual, making extortion payments a violation of
sanctions against Russia. Therefore, victims of Conti may open themselves to legal issues if they
do decide to pay Conti’s ransom rather than alerting law enforcement agencies.
Recommendations
While Conti primarily attacks large organizations and the healthcare sector, Conti will
also target other industries. Because of this, it is essential for cybersecurity professionals of all
industries to understand how to mitigate Conti attacks at the different stages of the cyber kill
chain. For example, security professionals can mitigate successful Conti attacks before Conti has
access to the targeted network via spam filters and employee training. Additionally,
incorporating network monitors to analyze and block suspicious traffic in and out of an
organization’s network can lessen the damages caused by a Conti attack. Lastly, there are
data recovery methods and governmental programs to assist organizations that fall victim
to a successful Conti attack.
Because human error is the cause of most cyber security incidents, mitigation of Conti
attacks should start with reducing the amount of human error. Spam email filters are a
straightforward way to mitigate Conti and other malware campaigns. Because most Conti attacks
rely on employees of the targeted organization to click and execute phishing emails, preventing
the email from reaching its recipient is necessary to prevent a successful attack. Spam email
filters can filter emails based on the sender’s email address. Spam filters can also stop emails in
orchestrated phishing campaigns by blocking email addresses that send out many spam emails.
Blocking these spam email addresses stops phishing campaigns before reaching the targeted
network.
In cases where only a few specific employees get targeted, spam filters may not block
these phishing emails. Groups Conti utilizes for email phishing have specific email subjects they
use to fool employees. These phishing emails include subject lines like invoices, shipping
notices, and other financial information. Because emails with these and similar subject lines may
be legitimate, blocking all emails with these subject lines may not be sustainable. Instead, emails
with suspicious subject lines should get analyzed in a sandboxed environment to ensure that the
email contents are legitimate before allowing the email to continue to its destination.
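The filtering and sandbox-routing policy described in the two paragraphs above, written out as an added Python example that is not the paper’s code: senders that flood a batch are blocked outright, external messages whose subject matches an invoice or shipping lure, or that carry an attachment type worth detonating, are routed to a sandbox, and everything else is delivered. The lure keywords, attachment types, thresholds, internal domain and sample messages are all constructed assumptions.

```python
import re
from collections import Counter
from email.message import EmailMessage
from email.utils import parseaddr

# Subject themes the paper attributes to Conti's phishing partners: invoices,
# shipping notices and other financial paperwork (constructed pattern list).
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\binvoice\b", r"\bpast due\b", r"\bremittance\b", r"\bpayment\b",
    r"\bpurchase order\b", r"\bshipment\b", r"\bshipping\b", r"\bdelivery\b")]
# Attachment types worth detonating in a sandbox before delivery (assumption).
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".img",
                    ".js", ".lnk", ".html", ".exe")
INTERNAL_DOMAINS = {"example.com"}   # the organisation's own domains (constructed)
BULK_SENDER_THRESHOLD = 3            # messages per batch before a sender is blocked


def sender_address(msg):
    """Bare, lower-cased address from the From: header."""
    return parseaddr(msg.get("From", ""))[1].lower()


def attachment_names(msg):
    """Lower-cased filenames of every attachment part in the message."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def triage(msg, sender_counts):
    """Return (decision, reasons). Decisions: 'block', 'sandbox', 'deliver'.
    sender_counts maps an address to how many messages it sent in the current
    batch, standing in for the reputation data a real filter would consult."""
    addr = sender_address(msg)
    if sender_counts.get(addr, 0) >= BULK_SENDER_THRESHOLD:
        return "block", ["bulk-sender"]
    # From: is attacker-controlled; a production filter should trust this check
    # only after SPF/DKIM/DMARC for the domain have already passed.
    if addr.rsplit("@", 1)[-1] in INTERNAL_DOMAINS:
        return "deliver", ["internal-sender"]
    reasons = []
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in LURE_PATTERNS):
        reasons.append("lure-subject")
    if any(n.endswith(RISKY_EXTENSIONS) for n in attachment_names(msg)):
        reasons.append("risky-attachment")
    return ("sandbox", reasons) if reasons else ("deliver", [])


def triage_batch(messages):
    """Triage a batch, first counting per-sender volume so that campaign
    senders can be blocked before any content inspection."""
    counts = Counter(sender_address(m) for m in messages)
    return [(sender_address(m), m.get("Subject", ""), *triage(m, counts))
            for m in messages]


def make_message(sender, subject, attachment=None):
    """Build a constructed sample message with an optional dummy attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "ap@example.com", subject
    msg.set_content("constructed body text")
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed batch: one invoice lure with a macro-capable document, one
# internal mail that happens to mention invoices, one shipping lure with an
# HTML attachment, one benign partner mail, and a three-message spam burst.
SAMPLE_BATCH = [
    make_message("billing@acme-supplies.net", "Invoice #4421 past due", "invoice_4421.docm"),
    make_message("hr@example.com", "Invoice approval workflow update"),
    make_message("courier@parcel-track.info", "Your shipment is waiting", "tracking.html"),
    make_message("partner@vendor.org", "Meeting agenda", "agenda.pdf"),
    make_message("deals@blast-mail.biz", "Weekly deals"),
    make_message("deals@blast-mail.biz", "Weekly deals"),
    make_message("deals@blast-mail.biz", "Weekly deals"),
]

if __name__ == "__main__":
    for sender, subject, decision, reasons in triage_batch(SAMPLE_BATCH):
        print(f"{decision:8} {sender:28} {subject!r} {reasons}")
```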
Email filters cannot prevent all malicious emails from entering the network. There are
other ways to mitigate a Conti attack. The best defense against network intrusions is proper
employee awareness and training. Removing as much human error as possible is the best method
to prevent cyber-attacks. The email phishing attacks employed by Conti require an employee to
access the message or attachment for a successful compromise. Therefore, teaching employees
how to spot suspicious and phishing emails is an excellent way to mitigate initial Conti attacks.
Employee phishing training can also alert an organization’s cyber security team to a potential Conti
campaign against their network. With that information, the cyber security team can step up email
monitoring and network analysis to determine whether Conti has already compromised the organization.
Should Conti find its way into an organization’s network, there are a few methods the
organization’s security team can take to prevent further spread and contain the intruder. If Conti
manages to enter a secured network, its first task is to elevate its network privileges and infect
other machines across the network. Conti uses several tools during their hunt for administrative
access, such as Net and ADFind, along with social media sites like LinkedIn. These tools and
OSINT allow Conti to quickly discover employees, email addresses, and usernames. In addition,
social media sites like LinkedIn can be significant for Conti in verifying employee names and
occupations. For example, using ADFind, Conti can determine valid usernames for the first and
last names of employees discovered through LinkedIn. Unfortunately, limiting employee access
and censoring employee profiles on social media is not a viable mitigation action for most
organizations.
Instead, organizations should look to limit the amount of domain administrator accounts
and separate privileged access through the separation of duties model. Under the separation of
duties model, administrative privileges get granted to an employee’s role rather than the
employee. Privileges are only granted based on the level of access and when necessary for the
employee to perform their job. An example of the separation of duties is a marketing director
given admin-level access to the marketing department but not having access to that
organization’s engineering department. By separating access, Conti would face more difficulties
when attempting to escalate their privileges within a network. The additional time Conti needs will also
give an organization’s security team more time to discover the intrusion through network
monitoring and loss prevention programs.
Regardless of size, all organizations should incorporate network analysis and monitoring.
Various software and hardware products give security teams the ability to analyze and monitor
network traffic. The simplest of these tools are some form of accounting server paired with event
logging software. Network traffic should get stored on an accounting server to record all data
transmitted and received throughout the network. Once stored, the data would need to be
analyzed using the event logging software to discover if any interactions recorded constitute a
malicious event. If malicious traffic gets discovered, there should be an event logged for the
security team to perform further investigations.
Also, loss prevention software will alert security teams to potential data exfiltration. Loss
prevention software creates events when data from specified locations get seen leaving the
network. Because Conti spends weeks in a network during their privilege escalation and data
discovery phase, there is still time for an attentive security team to discover Conti. Conti also
uses double extortion by stealing data and threatening to publish it should further demands be
unmet. Incorporating an accounting server, network monitoring, and loss prevention software
will mitigate the damage done by Conti attacks after they enter an organization’s network.
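The accounting-server and loss-prevention logic from the two paragraphs above, as an added Python example that is not part of the paper: it correlates a heavy read from a monitored share with a subsequent bulk upload from the same host to one external address, and separately flags a host whose daily egress jumps far above its own recent baseline. The share names, address ranges, thresholds and the flow and file-access records are constructed.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
# Locations whose contents must not leave the network (constructed list).
MONITORED_SHARES = (r"\\fs01\finance", r"\\fs01\hr", r"\\fs02\patient-records")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
READ_THRESHOLD = 200 * MB    # bytes read from a monitored share in one session
EGRESS_THRESHOLD = 100 * MB  # bytes sent to a single external peer afterwards
WINDOW = timedelta(hours=2)  # how long after the read we look for the upload
SPIKE_FACTOR = 5             # daily egress above 5x the host's prior median...
SPIKE_FLOOR = 50 * MB        # ...and above this floor, so quiet hosts stay quiet


def is_external(ip):
    """True when the address lies outside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_staged_exfil(share_reads, flows):
    """Correlate a heavy read from a monitored share with a large transfer from
    the same host to one external peer within WINDOW of the read.
    share_reads: (iso_ts, host, unc_path, bytes_read); flows: (iso_ts, src, dst, bytes_out).
    Returns one event dict per (read, peer) pair that crosses both thresholds."""
    events = []
    for r_ts, host, path, read_bytes in share_reads:
        if read_bytes < READ_THRESHOLD or not path.lower().startswith(MONITORED_SHARES):
            continue
        start = datetime.fromisoformat(r_ts)
        per_peer = defaultdict(int)
        for f_ts, src, dst, out in flows:
            t = datetime.fromisoformat(f_ts)
            if src == host and is_external(dst) and start <= t <= start + WINDOW:
                per_peer[dst] += out
        for peer, total in per_peer.items():
            if total >= EGRESS_THRESHOLD:
                events.append({"type": "possible_exfiltration", "host": host,
                               "share": path, "peer": peer,
                               "bytes_read": read_bytes, "bytes_out": total})
    return events


def detect_egress_spike(flows):
    """Flag hosts whose external egress on their latest day exceeds SPIKE_FACTOR
    times the median of their earlier days (and SPIKE_FLOOR). A host needs at
    least two days of history to be judged."""
    daily = defaultdict(lambda: defaultdict(int))
    for f_ts, src, dst, out in flows:
        if is_external(dst):
            daily[src][f_ts[:10]] += out
    alerts = []
    for host, by_day in daily.items():
        days = sorted(by_day)
        if len(days) < 2:
            continue
        median = statistics.median(by_day[d] for d in days[:-1])
        latest = by_day[days[-1]]
        if latest >= SPIKE_FLOOR and latest > SPIKE_FACTOR * median:
            alerts.append({"type": "egress_spike", "host": host, "day": days[-1],
                           "bytes_out": latest, "median": median})
    return alerts


# Constructed logs: four quiet days, then a night-time read of the finance share
# followed by a bulk upload to an address in the TEST-NET-3 documentation range.
SAMPLE_READS = [
    ("2022-03-14T22:10:00", "10.0.5.21", r"\\fs01\Finance\2021-audit", 900 * MB),
    ("2022-03-14T14:02:00", "10.0.5.30", r"\\fs01\Finance\invoices", 40 * MB),
    ("2022-03-14T09:15:00", "10.0.5.30", r"\\fs03\public\templates", 600 * MB),
]
SAMPLE_FLOWS = [
    ("2022-03-10T09:00:00", "10.0.5.21", "198.51.100.20", 2 * MB),
    ("2022-03-11T09:00:00", "10.0.5.21", "198.51.100.20", 3 * MB),
    ("2022-03-12T09:00:00", "10.0.5.21", "198.51.100.20", 2 * MB),
    ("2022-03-13T09:00:00", "10.0.5.21", "198.51.100.20", 4 * MB),
    ("2022-03-14T22:35:00", "10.0.5.21", "203.0.113.7", 300 * MB),
    ("2022-03-14T23:20:00", "10.0.5.21", "203.0.113.7", 350 * MB),
    ("2022-03-14T22:40:00", "10.0.5.21", "10.0.9.4", 500 * MB),  # internal backup copy
    ("2022-03-13T14:10:00", "10.0.5.30", "198.51.100.20", 6 * MB),
    ("2022-03-14T14:10:00", "10.0.5.30", "198.51.100.20", 5 * MB),
]

if __name__ == "__main__":
    for event in detect_staged_exfil(SAMPLE_READS, SAMPLE_FLOWS) + detect_egress_spike(SAMPLE_FLOWS):
        print(event)
```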
Although it is best to attempt to prevent Conti from entering an organization’s network, it
is still possible for them to evade detection, exfiltrate data, and execute the Conti ransomware.
There are still methods that an organization’s security team can take to mitigate the damage
caused by the ransomware’s execution. Another simple and important security element that all
organizations should incorporate is the use of regularly scheduled backups of critical systems
and data. The Conti ransomware encrypts files on all infected systems, preventing those files and
applications from being usable. The useless files and applications will cause disruptions
regardless of the targeted organization’s industry. Therefore, security teams should record the
most critical applications and systems that have priority if they become encrypted and unusable.
The list of backed-up applications will need to be protected because the backups can be as
vulnerable to encryption as the original.
An organization’s security teams should protect the scheduled backups from a Conti
ransomware attack. Conti may be able to corrupt or encrypt the stored backups if backups are
stored somewhere on the network. Because Conti spends time navigating through and learning
the layout of an organization’s network, they may also discover the locations where backup files
are stored. Conti will attempt to discover and use domain administrative credentials to gain
unfettered access throughout the network. Domain-level access would allow Conti to access and
damage or encrypt any backups that an organization creates. Therefore, in addition to creating
backups at regularly scheduled intervals, the backups should also be stored offline to avoid data
corruption or encryption.
Future Research
The findings in this research paper revealed much of Conti’s motives, structures, and
TTPs. However, understanding the ChaCha cipher encryption procedure, the connection between
Conti and HIVE, and Conti’s close ties to the Russian government are all future research that
would benefit cyber security professionals in defending against Conti. The additional research is
vital because of the global disruptions and damage caused by Conti since their sudden
appearance a few years ago. The Conti gang disproportionately targets a substantial number of
US-based businesses. Because of this, the Federal Bureau of Investigation (FBI) and the
Cybersecurity and Infrastructure Security Agency (CISA) issued a dedicated flash alert. Conti
also released some information about the organizations they have successfully attacked in their
own CONTI news site accessible via the Dark Web. Their news site also confirms that they have
hacked over 450 organizations (Cymru, 2021).
The ChaCha cipher is the new encryption technique that Conti uses during the Conti
ransomware’s execution. Little information is available on the ChaCha cipher other than that Conti
switched from fully encrypting targeted files and applications with AES-256 to selectively
encrypting files with the ChaCha cipher. Future research on the ChaCha cipher could aid in
understanding the speed of the Conti ransomware’s file encryption. The study would also help
security professionals learn how to decrypt Conti ransomware encrypted files and applications.
While understanding how to decode the ChaCha cipher can lead to the decryption of the Conti
ransomware’s encrypted files, there is a possibility the ChaCha cipher will get dropped entirely.
Conti is rebranding itself as a new ransomware gang and may discontinue using the ChaCha
cipher.
Although ransomware gangs will normally rename themselves if they gain too much
attention, the Biden administration’s new reward program shows how important information on
ransomware gangs is. The Administration’s recent $10 million bounties on ransomware gang
information show that international attention for ransomware attacks is at its peak. Conti’s
massive attacks led them to gain international notoriety and attention quickly. Conti is attempting
to avoid international notoriety and punishment through their rebranding as a new ransomware
gang. There is currently a strong connection between Conti and HIVE. Conti members may also
leave to form or join other groups. Therefore, further research is needed into what Conti is
becoming and whether its members remain active as criminal hackers. Even if Conti completely
rebrands as a new ransomware gang, the new gang will likely have the protection of its
originating country.
The Biden administration’s effort to stop ransomware attacks also aims at Russia for its
sheltering of ransomware gangs. Russia has a long history of harboring criminals seeking refuge
from international law enforcement agencies. Russia rarely extradites these criminals, especially
if they are wanted or guilty of cybercrimes. The members of Conti are also harbored by Russia
and protected by Russian policies. Conti appears to be more vocal than the other ransomware
gangs when discussing their support for Russia. For example, Conti announced their support for
the Russian invasion of Ukraine and added that whoever seeks to retaliate against Russia will be
hacked. Those are not statements common for ransomware gangs even if they do support a
particular country, and some members of Conti may have closer ties to the Russian government
than previously thought. Therefore, future research should examine the relationship between
Conti and the Russian government. Such research would allow security professionals to
better understand ransomware gangs emanating from Russia and the relationship between
cybercriminal organizations and the Russian government.
Conclusion
The purpose of this research project was to provide a threat assessment of the Conti
ransomware gang by uncovering the group’s motivations and methods used to distribute the
malware and extort their victims. This paper examines why Conti targets companies, critical
infrastructure, and government entities without regard to consequences. Because Conti is willing
to attack various organizations, it is also important to understand how Conti and its affiliates
perpetrate their attacks. By knowing how Conti begins their attack and what its ransomware does
after execution, security professionals can create detections for Conti’s indicators of attack.
The Conti ransomware gang has remained a persistent threat, attacking over 400
organizations globally from the start of 2020 to May 2021. The ransomware gang also demands
significant amounts in their ransoms, reaching $25 million in some instances. Security and
malware analysts believe that the Conti ransomware gang is based in Russia and offers its
services to paying affiliates. These affiliates then distribute the malware used for attempted
ransomware attacks, with Conti receiving a portion of the paid ransom. Conti affiliates and
members are almost always from Russia, Belarus, and Ukraine and show a high degree of
Russian patriotism.
Conti organizes itself in such a way that it resembles a legitimate organization. Conti has
various business departments that range from mundane human resources to the malicious
ransomware development department. Leaks from Conti chats show that some departments aim
to create and remove command-and-control servers to aid coworkers in data exfiltration and
Conti ransomware installation. Conti is rebranding itself as a new ransomware gang to evade
sanctions and hide from international law enforcement. Conti is attempting to change into HIVE
to continue its ransomware practices without the label of a nation-state actor and the sanctions
associated with that distinction.
There is evidence that Conti is heavily influenced by the Russian government, as seen in
their firm support of the Russian Invasion of Ukraine. That statement of support makes Conti
considered a nation-state actor to cyber security professionals. However, Conti is primarily
motivated by greed, and they are willing to attack high-value and well-known companies to
reach that goal. Hospitals are some of Conti’s most targeted industries because hospitals do not
typically have adequate cyber security defenses, and hospital employees usually do not
understand cyber security awareness. Hospitals can usually afford to pay the large ransoms
demanded, and they have an even greater desire to bring downed systems back online as quickly
as possible. Hospitals also contain a massive amount of information valuable to the darknet, such
as patient personal information and medical data. Conti steals a hospital’s confidential
information and uses it to extort even more money from the victimized hospital, threatening to
publish it if not paid.
Conti’s attack against Ireland’s HSE is a prime example of how dangerous and malicious
Conti is during their attacks. Ireland’s HSE is the healthcare system of Ireland, and most of
Ireland’s hospitals are associated with the HSE. The HSE provides public health services to
hospitals and communities throughout Ireland and is an essential part of Ireland’s public health
services. Conti shut down most of Ireland’s HSE after concealing themselves in the HSE
network for approximately eight weeks. After Conti detonated the ransomware, the HSE’s
clinical and non-clinical systems got shut down immediately. Conti also stole a massive amount
of confidential information from the HSE and required the HSE to pay an additional ransom to
prevent the information from being distributed online.
Conti’s attack against Costa Rica shows how Conti is willing to take extraordinary
lengths to complete its objectives. Conti’s goal in attacking the Costa Rican government is not
financial gain, unlike most of their other attacks. Instead, Conti likely attacked Costa Rica to aid
in their rebranding into a separate ransomware gang. Evidence shared by Advanced Intel shows
that Conti is in the process of dismantling its organization and transforming itself into a new
ransomware gang. Other ransomware gangs have also perpetrated large-scale attacks before
shutting themselves down to avoid punishment from law enforcement agencies. However,
Conti’s brazen attack on Costa Rica is one of the most destructive attacks of a ransomware gang
undergoing a rebrand.
Conti accomplished the Costa Rica attack and most of their other attacks similarly. Conti
uses other malware gangs specializing in coordinated phishing email campaigns to gain their
initial foothold on a victim’s network. Once Conti gains access to the network, they begin to
explore the network and connected systems for credentials to escalate their privileges to the
domain administrator. During Conti’s privilege escalation and network discovery, they also
locate and steal confidential information for later use as double extortion. Conti then downloads
and installs the Conti ransomware onto the infected systems and executes the ransomware. With
the ransomware executed and files encrypted, Conti will reach out to the affected victim to
demand a ransom to decrypt the files and stop the publication of the stolen data.
Organizations at risk of Conti attacks can take precautions to defend themselves against
the threat and mitigate the potential damages caused by a successful attack. The best method of
repelling Conti is preventing them from entering the network in the first place. Conti regularly uses
email phishing campaigns in their TTPs when attempting to breach an organization’s network.
Incorporating some form of email spam filter and employee phishing awareness training can
mitigate the chances of Conti compromising and gaining access to the network. If Conti obtains
network access, security teams can lessen the damage done to their organization by tightening
security within the network. The longer Conti is in a network attempting to compromise more
machines, the greater the chance security teams can discover and contain them. Separating duties
and limiting the number of individuals with administrative access will make it more difficult for
Conti to escalate their privileges. Implementing loss prevention software to alert security teams
of confidential data leaving the network can also help discover if Conti is in the network. Having
regularly scheduled backups stored in a secure location will aid in bringing an organization back
online if Conti manages to unleash their ransomware. Having backups stored in a secure location
will also aid in mitigating the likelihood of the backups becoming damaged or destroyed by
Conti while they probe the network.
Conti is one of the most infamous ransomware gangs with ransom demands in the
millions, and they are a threat to organizations across the globe. Conti is a ransomware gang with
allegiances to the Russian government that also shelters them from the global consequences they
have incurred. Conti is willing to attack any public or private organization not allied with Russia,
as seen with Ireland’s HSE attack. Conti accomplished this and their other attacks through
coordinated email phishing for initial access to the victim’s network. Once inside, Conti searches
for credentials to escalate their privileges, compromise more network-connected devices, and
steal confidential data. Once Conti executes their ransomware, they reach out to their victim to
extort a ransom to access encrypted files and not publish the stolen information. Their attacks
and closeness with Russia have caused them to become considered a state-sponsored entity,
which is the primary reason for their attack on the Costa Rican government. Conti is now
attempting to rebrand as HIVE in the midst of dismantling itself to evade sanctions, preventing
them from receiving ransoms. Conti will likely continue to use their TTPs once they have fully
switched to HIVE. Understanding the Conti threat will help an organization prevent successful
ransomware attacks.
References
Baskin, B. (2020, July 8). TAU threat discovery: Conti ransomware. VMWare.
https://blogs.vmware.com/security/2020/07/tau-threat-discovery-conti-ransomware.html
Burgess, M. (2022a, March 18). Conti leaks reveal the ransomware group’s links to Russia.
Wired UK. https://www.wired.co.uk/article/conti-ransomware-russia
Burgess, M. (2022b, June 12). Conti’s attack against Costa Rica sparks a new ransomware era.
Wired. https://www.wired.com/story/costa-rica-ransomware-conti/
Cisco Talos. (2022). Incident response threat summary for January – March 2022. Cisco Talos.
https://www.talosintelligence.com/resources/428
Computer Fraud & Security. (2021). Infamous Emotet botnet taken down by law enforcement.
Computer Fraud & Security, 2021(2), 1. https://doi.org/10.1016/s1361-3723(21)00012-9
CrowdStrike Intel Team. (2022, January 7). Wizard Spider modifies and expands toolset
[adversary update]. CrowdStrike. https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
Culafi, A. (2022, May 23). AdvIntel: Conti rebranding as several new ransomware groups.
SearchSecurity. https://www.techtarget.com/searchsecurity/news/252520573/AdvIntel-Conti-rebranding-as-several-new-ransomware-groups
Cymru, T. (2021). Analyzing ransomware negotiations with Conti: An in-depth analysis. Team
Cymru. https://team-cymru.com/wp-content/uploads/2021/10/Conti_Paper_1.pdf
Europol. (2021). Internet organised crime threat assessment (IOCTA) 2021.
https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2021
Fadilpasic, S. (2022, May 20). Conti ransomware group officially shuts down - but probably not
for long. TechRadar. https://www.techradar.com/news/conti-ransomware-group-officially-shuts-down-but-probably-not-for-long
Faife, C. (2022, May 19). Costa Rican president says country is ‘at war’ with Conti ransomware
group. The Verge. https://www.theverge.com/2022/5/18/23125958/costa-rica-president-says-country-at-war-conti-ransomware-cybercrime
Freeze, C. (2022, March 26). Canadian hacker’s case offers insight into rise of ‘ransomware as a
service’ in Russia. (Sebastien Vachon-Desjardins). Globe & Mail (Toronto,
Canada), A17, 17.
Hickman, R. (2021, June 18). Conti ransomware gang: An overview. Unit42.
https://unit42.paloaltonetworks.com/conti-ransomware-gang/
Hull, G., John, H., & Arief, B. (2019). Ransomware deployment methods and analysis: Views
from a predictive model and human responses. Crime Science, 8(1).
https://link.gale.com/apps/doc/A573937206/AONE?u=nysl_ce_uticacol&sid=bookmark-AONE&xid=f90d23bd
Intel 471. (2022, May 4). Conti and Emotet: A constantly destructive duo. Intel471.
https://intel471.com/blog/conti-emotet-ransomware-conti-leaks
Kasiviswanathan, K., & Kamble, V. (2022, April 28). Ransomware: How attackers are breaching
corporate networks. Symantec Blogs. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
Kemper, G. (2019). Improving employees’ cyber security awareness. Computer Fraud &
Security, 2019(8). https://doi.org/10.1016/s1361-3723(19)30085-5
Krebs, B. (2021, August 5). Ransomware gangs and the name game distraction. Krebs On
Security. https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
Krebs, B. (2022a, March 2). Conti ransomware group diaries, part II: The office. Krebs On
Security. https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
Krebs, B. (2022b, May 31). Costa Rica may be pawn in Conti ransomware group’s bid to
rebrand, evade sanctions. Krebs On Security. https://krebsonsecurity.com/2022/05/costa-rica-may-be-pawn-in-conti-ransomware-groups-bid-to-rebrand-evade-sanctions/
Landau, S. (2022, April 15). Conti ransomware gang has “employee of the month” program.
CyberTalk. https://www.cybertalk.org/2022/04/14/conti-ransomware-gang-has-employee-of-the-month-program/
Largent, W. (2022, May 25). Translated: Talos’ insights from the recently leaked Conti
ransomware playbook. Talos Intelligence.
https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html
McKay, K., Eubanks, P., & Filson, J. (2022, May 2). Conti and Hive ransomware operations:
Leveraging victim chats for insights. Talos Intelligence.
https://talosintelligence.com/resources/437
Meland, P. H., Bayoumy, Y. F. F., & Sindre, G. (2020, February 18). The ransomware-as-a-service economy within the darknet. Computers & Security, 92.
https://doi.org/10.1016/j.cose.2020.101762
Minnaar, A., & Herbig, F. J. W. (2021). Cyberattacks and the cybercrime threat of ransomware
to hospitals and healthcare services during the COVID-19 pandemic. Acta
Criminologica: African Journal of Criminology & Victimology, 34(3), 155–185.
https://doi.org/10.10520/ejc-crim_v34_n3_a10
Microsoft Security. (2022, May 9). Ransomware-as-a-service: Understanding the cybercrime gig
economy and how to protect yourself. Microsoft Security Blog.
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
Moran Stritch, M., Winterburn, M., & Houghton, F. (2021). The Conti ransomware attack on
healthcare in Ireland: Exploring the impacts of a cybersecurity breach from a nursing
perspective. Canadian Journal of Nursing Informatics, 16(3-4).
Nakashima, E. (2021, July 7). Pressure grows on Biden to curb ransomware attacks. Washington
Post. https://link.gale.com/apps/doc/A667660786/ITOF?u=nysl_ce_uticacol&sid=oclc&xid=c7411ad3
Paquet-Clouston, M., Haslhofer, B., & Dupont, B. (2019). Ransomware payments in the bitcoin
ecosystem. Oxford University Press (OUP). https://doi.org/10.1093/cybsec/tyz003
PricewaterhouseCoopers. (2021, December). Conti cyber attack on the HSE: Independent post
incident review. https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf
Rajneesh, G. (2018). Hands-on cybersecurity with blockchain: Implement DDoS protection, PKI-based identity, 2FA, and DNS security using blockchain. Packt Publishing.
Rochberger, L. (2021, January 12). Cybereason vs. Conti ransomware. Cybereason.
https://www.cybereason.com/blog/research/cybereason-vs.-conti-ransomware
Sanger, D., & Perlroth, N. (2021, July 8). Biden weighs response to ransomware attacks
emanating from Russia. New York Times, p. A9(L). Gale Academic
OneFile. https://link.gale.com/apps/doc/A667742113/AONE?u=nysl_ce_uticacol&sid=bookmark-AONE&xid=db4fadc4
Trend Micro. (2021, December 1). Ransomware spotlight: Conti. Security News.
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
Umar, R., Riadi, I., & Kusuma, R. S. (2021). Analysis of Conti ransomware attack on computer
network with live forensic method. IJID (International Journal on Informatics for
Development), 10(1), 53-61.
Utami, H. D. J. R. H., Arifudin, R., & Alamsyah, A. (2019). Security login system on mobile
application with implementation of Advanced Encryption Standard (AES) using 3 keys
variation 128-bit, 192-bit, and 256-bit. Scientific Journal of Informatics, 6(1), 34–44.
https://doi.org/10.15294/sji.v6i1.17589
Van Praet, N. (2022, March 12). Ransomware gang Conti takes credit for Alouette smelter
cyberattack. (Aluminerie Alouette Inc.). Globe & Mail (Toronto, Canada), B2, 2.
https://www.theglobeandmail.com/business/article-ransomware-gang-conti-takes-credit-for-alouette-cyberattack/
Villalon-Huerta, A., Gisbert, H. M., & Ripoll-Ripoll, I. (2022). SOC critical path: A defensive kill
chain model. IEEE Access, 10. https://doi.org/10.1109/ACCESS.2022.3145029