Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
| Title | Available | Last Visit | FQDN | Screenshot |
|---|---|---|---|---|
| CONTI.News | 🔴 | 2022-06-22 06:25:03.781324 | continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion | N/A |
| Access Blocked | 🔴 | 2024-03-30 16:43:34.398214 | continews.click | N/A |
| Error Response Page | 🔴 | 2022-11-23 12:36:43.837460 | continews.bz | N/A |
| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
|---|---|---|---|---|---|---|---|
| AdFind | AnyDesk | GMER | Mimikatz | Cobalt Strike | BITSAdmin | Dropfiles | |
| Bloodhound | Atera | PCHunter | ProcDump | Metasploit | NTDS Utility (ntdsutil) | MEGA | |
| PowerView | Splashtop | Router Scan | Meterpreter | PsExec | Qaz[.]im | ||
| Seatbelt | SharpChrome | PowerShell Empire | WMIC | RClone | |||
| ShareFinder | PowerSploit | Sendspace | |||||
| SharpView | Rubeus | WinSCP | |||||
| SoftPerfect NetScan |
This information is provided by Ransomware-Tool-Matrix
| Name | # Msg | Initial Ransom | Negotiated Ransom | Paid |
|---|---|---|---|---|
| 20201017 | 78 | N/A | N/A | |
| 20210805 | 47 | N/A | N/A | |
| 20211112 | 32 | N/A | N/A | |
| 20210904 | 17 | N/A | N/A | |
| 20210513 | 78 | $200,000 | $100,000 | 💸 |
| 20210107 | 139 | $900,000 | $162,792 | 💸 |
| 20210316 | 63 | $920,000 | $172,000 | 💸 |
| 20210628 | 34 | N/A | N/A | |
| 20210812 | 46 | $300,650 | $150,000 | 💸 |
| 20210708 | 25 | N/A | N/A | |
| 20210923 | 14 | N/A | N/A | |
| 20210219 | 12 | N/A | N/A | |
| 20210426 | 12 | N/A | N/A | |
| 20201230 | 146 | $8,500,000 | $450,000 | 💸 |
| 20210902 | 43 | N/A | N/A | |
| 20210602 | 81 | N/A | N/A | |
| 20210517_b | 69 | N/A | N/A | |
| 20210126 | 9 | N/A | N/A | |
| 20201109 | 255 | N/A | N/A | |
| 20210715 | 10 | N/A | N/A | |
| 20211108 | 32 | N/A | N/A | |
| 20210305 | 45 | N/A | N/A | |
| 20211217 | 27 | N/A | N/A | |
| 20201019 | 9 | N/A | N/A | |
| 20210315 | 49 | $1,100,000 | $100,000 | 💸 |
| 20201121 | 6 | N/A | N/A | |
| 20210820 | 50 | $980,000 | $350,000 | 💸 |
| 20211205 | 63 | $950,000 | $170,000 | 💸 |
| 20210520 | 101 | $900,000 | $325,000 | 💸 |
| 20210611 | 48 | $600,000 | $256,000 | 💸 |
| 20210517 | 56 | $400,000 | $200 | |
| 20210428 | 13 | N/A | N/A |
This information is provided by Valéry Marchive
| Employees(s) | Customer(s) | Third Party Employee(s) |
|---|---|---|
This information is provided by HudsonRock
You're leaving the Ransomare.live site. Do you want to continue?
/*
Conti 2 and 3 ransomware
*/
rule Conti
{
meta:
author = "rivitna"
family = "ransomware.conti.windows"
description = "Conti 2 and 3 ransomware Windows payload"
severity = 10
score = 100
strings:
$h0 = { 85 ?? 0F 84 ?? 0? 00 00 ( 0F B6 00 | 8A 0? ) 3C E9 74 1?
3C FF 0F 85 ?? 0? 00 00 80 7? 01 25 0F 85 }
$h1 = { 45 33 C9 C7 44 24 ?? 0C 02 00 00 [0-4] 33 D2 48 89 [8-12]
45 8D 41 01 FF D0 85 C0 }
$h2 = { 83 C4 08 8D 4D ?? 68 0C 02 00 00 5? 5? 6A 00 6A 01 6A 00
FF 75 ?? FF D0 }
$h3 = { ( 2D 5B 00 00 | DA FC 01 B8 ) ( 41 83 | 83 ) F? 04 7C ??
[12-24] 69 0? 95 E9 D1 5B ( 48 83 | 83 ) C2 04
( 45 69 | 69 ) ?? 95 E9 D1 5B }
condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
(
(2 of ($h*))
)
}