Conti Ransomware

SpearTip | March 2nd, 2022


Based on SpearTip Threat Intelligence gained through our 24/7 Incident Response practice, we observed Conti ransomware operators in partner environments attempting to exploit the log4j vulnerability.

In the past, Conti operators have targeted various industries, including Healthcare, Critical Infrastructure, Manufacturing, and Enterprise level businesses. Conti ransomware has been heavily involved with the global conflict between Ukraine and Russia as of late and operators from both countries are utilizing cyberattacks to disrupt various operations.

Conti’s observed attack vectors include exploiting RDP, “PrintNightmare”, and “Zerologon” vulnerabilities to infiltrate networks.

Conti has also used phishing attacks containing malicious links and attachments such as Excel files. The Excel files contain a malicious payload, and when the user downloads the document, a Bazaar backdoor malware will be downloaded to connect the victim’s device to Conti’s command-and-control server. Conti will encrypt data and implement the “double extortion” scheme once it’s on the compromised machine.

The ransomware loads an encrypted DDL into memory and executes the encryption method spreading throughout the network. Threat actors use the ransomware to gain access to unprotected RDP ports, use phishing emails to remote access the network through an employee’s computer, or access the network using malicious attachments, downloads, application patch exploits or vulnerabilities.

Conti Ransomware Attack Method

In this instance, Conti threat actors are attempting to exploit the log4J vulnerability to download an MSIinstaller named setup.msi and quietly execute it in the background. The executable file is then attempting to install the AteraAgent, an RMM tool, which would provide remote access to client endpoints. VMware products are being particularly targeted by this exploit technique.




ShadowSpear is capable of blocking this attack on execution and the SOC is responding to these threats in real-time. We expect these attacks to be relatively widespread. SpearTip will provide more updates as they become available.

















SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Center, ready to assist partners with security issues immediately.

If you or your partners have any questions or concerns surrounding the Conti ransomware group or log4j, please email or call our breach response number at 833.997.7327.


Connect With Us

Featured Articles

Cybersecurity Health Checks
Cybersecurity Health Checks: Why Companies Need Them
22 April 2024
New Loop DoS Attack
New Loop DoS Attack Affecting Linux Systems
19 April 2024
Possible Cyberattack
Possible Cyberattack During 2024 Summer Olympics
15 April 2024
Tabletop Exercises
Tabletop Exercises: Transformative Impact on Companies
12 April 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.