Day 3: Conti Ransomware

Common Attack Vectors

  • Remote Desktop Protocol access (RDP)
  • Phishing attacks
  • Software/Hardware Vulnerability

Vulnerabilities Exploited

  • 2017 Microsoft Server Message Block 1.0 server vulnerabilities
  • “PrintNightmare” vulnerability in Windows Print spooler service
  • “Zerologon” vulnerability in Microsoft Active Directory Domain Controller systems

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Healthcare

Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.

Critical infrastructure

Threat actors target critical infrastructure, impacting businesses that provide services to consumers and other organizations.

Enterprises

Threat actors target enterprises, stealing sensitive data, encrypting network files and demanding ransoms.

Recent Activity

Conti Ransomware hit high-profile jeweler Graff and threatened to release private information on world leaders, actors, and tycoons.

JVCKenwood was hit by a Conti ransomware attack that exfiltrated 1.7TB of data, including staffers' personally identifiable information (PII) and customers' personal information.

Common File Extensions

.CONTI

Known Aliases

  • Wizard Spider
  • Ryuk

How Conti Ransomware is Distributed

Conti ransomware relies on phishing attacks to install the TrickBot and BazarLoader Trojans and obtain remote access to infected machines. The email pretends to come from a sender the victim trusts and contains a link that redirects the user to a malicious document. That document, an Excel file, carries a malicious payload; when the user downloads it, the Bazar backdoor is downloaded and connects the victim's device to Conti's command-and-control server. Once on the compromised machine, Conti encrypts data and carries out its "double extortion" scheme.

The ransomware loads an encrypted DLL into memory and executes its encryption routine, which then spreads throughout the network. Threat actors gain entry through unprotected RDP ports, use phishing emails to obtain remote access to the network through an employee's computer, or get in via malicious attachments, downloads, exploits of unpatched applications, or other vulnerabilities.

SpearTip's engineers have observed Conti utilizing Cobalt Strike in recent instances. Conti typically adds secondary mechanisms for persistence: AnyDesk and ScreenConnect.
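The following is an added example, not code from the original post or from SpearTip, showing how a defender might hunt for two of the signals described above: the launch of remote-access tools (AnyDesk, ScreenConnect) on hosts where they are not sanctioned, and a burst of files being renamed to the .CONTI extension. The log format, the allowlist of sanctioned hosts and the rename threshold are assumptions; the log lines are constructed samples, not real telemetry.

```python
import re
from collections import Counter

# Constructed sample events (timestamp|host|event|detail); not real telemetry.
SAMPLE_LOG = """\
2021-11-03T10:01:05Z|WS-117|ProcessCreate|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2021-11-03T10:02:11Z|WS-117|ProcessCreate|C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2021-11-03T10:02:40Z|IT-ADMIN-01|ProcessCreate|C:\\Program Files\\AnyDesk\\AnyDesk.exe
2021-11-03T10:04:00Z|FS-01|FileRename|D:\\Shares\\hr\\payroll.xlsx -> D:\\Shares\\hr\\payroll.xlsx.CONTI
2021-11-03T10:04:01Z|FS-01|FileRename|D:\\Shares\\hr\\benefits.docx -> D:\\Shares\\hr\\benefits.docx.CONTI
2021-11-03T10:04:02Z|FS-01|FileRename|D:\\Shares\\hr\\roster.csv -> D:\\Shares\\hr\\roster.csv.CONTI
2021-11-03T10:09:30Z|WS-042|FileRename|C:\\Users\\asmith\\notes.txt -> C:\\Users\\asmith\\notes.bak
"""

# Hypothetical allowlist: hosts where remote-access tools are sanctioned.
SANCTIONED_RAT_HOSTS = {"IT-ADMIN-01"}
# Remote-access tools Conti has been observed adding for persistence.
RAT_PATTERN = re.compile(r"(anydesk|screenconnect)", re.IGNORECASE)
CONTI_EXT = re.compile(r"\.CONTI$", re.IGNORECASE)
RENAME_THRESHOLD = 3  # assumed: renames to .CONTI per host before alerting


def parse(log_text):
    """Split raw lines into (ts, host, event, detail) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            events.append(tuple(parts))
    return events


def detect(log_text):
    """Return sorted alert strings for unsanctioned RAT launches and .CONTI rename bursts."""
    alerts = []
    conti_renames = Counter()
    for ts, host, event, detail in parse(log_text):
        if event == "ProcessCreate" and RAT_PATTERN.search(detail) and host not in SANCTIONED_RAT_HOSTS:
            alerts.append(f"{host}: unsanctioned remote-access tool launched ({detail})")
        elif event == "FileRename" and CONTI_EXT.search(detail):
            conti_renames[host] += 1
    for host, n in conti_renames.items():
        if n >= RENAME_THRESHOLD:
            alerts.append(f"{host}: {n} files renamed to .CONTI (possible encryption in progress)")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a real environment the rename check would be windowed by time rather than a flat count, and the remote-access tool check would be paired with the installer's signer and install path.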

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.
