The spectacular actions of the Conti Ransomware extortionists - a journey into the world of cybercriminals


Reading time: minutes ( words)

What is behind the Conti Ransomware?

Conti belongs to the class of extortion Trojans. The Trickbot gang is considered to be the developer of the malware. The Ryuk ransomware already came from this group. Conti is considered a further development of Ryuk. Alongside REvil, Conti is probably the most dangerous and, above all, the most widespread malware used in cyber attacks in 2021. Conti is also very effective. In the first half of 2021 alone, Conti extortionists used this ransomware to extort around twelve million US dollars in ransom.

The interesting thing about the Conti ransomware is the business model surrounding the malware. It is not the developers themselves who act as Conti extortionists, but cybercriminals who rent the malware. In this context, there is talk of Ransomware as a Service. This concept is copied directly from the well-known cloud services of the Software as a Service type. A cybercriminal rents the ransomware and, in addition to the software, also receives precise instructions on how to deal with Conti. The entire cyber attack, including the extortion payments, takes place via infrastructure provided by the operators of the ransomware as a service. According to the Conti leak, the payment model is based on a percentage share of the developers in the event of a successful extortion.

This is how Conti blackmailers proceed in cyber attacks

A special feature of the Conti ransomware is the comprehensive manual that comes with it. It not only describes how to deal with the ransomware, but also how cybercriminals identify suitable targets. The complete manual is elaborated in such a way that even laymen can successfully carry out cyber attacks with Conti. Thus, the attackers need little to no experience in dealing with ransomware. Rather, they simply follow the instructions in the manual step by step. This shows how specialised cybercrime has become in this sector.

Equally surprising is that the Ransomware as a Service includes Conti as well as a software called Cobalt Strike. Cobalt Strike is, at its core, an IT security tool. It is used in attack simulations on networks in the context of so-called red teaming. Here, IT specialists simulate cyber attacks on their own or customers' networks and test whether there are any security gaps. Cobalt Strike can be placed remotely on computers and is then used to communicate with the attackers' command & control server. These Cobalt Strike beacons provide the attackers with information about the compromised computer and the ability to move around on that system and deeper in the network. Conti Ransomware as a Service also provides comprehensive operating instructions for the use of Cobalt Strike.

The first step of the actual cyber attack is to find gaps in the IT security of the designated target. Cobalt Strike is used for this purpose. The software scans firewalls for vulnerabilities and thus enables attackers to exploit these gaps in IT security.

In the next step, the manual deals with obtaining the necessary rights to take control of the systems. The focus here is on Active Directory. The manual also refers to other tools, such as ADFind or SharpView, which are suitable for spying on network structures as well as Active Directory. By compromising, it is possible to change the domain admin credentials. In this way, the attackers then gain possession of an account with administrator rights. The next and final step is then the actual ransomware attack. The encryption Trojan is now loaded into the network and executed via the account or even several accounts with administrator rights. This leads to the encryption of the data on the compromised servers and computers.

The Conti Leak shows how precise the instructions are also with regard to stealing data. This process optionally takes place as soon as access to the networks and servers is available. For the extraction, an account is created with a file hoster, which the attackers necessarily pay for via a cryptocurrency due to the traceability. A new, separate account is needed for each attack, the instructions warn. Access data for storage space at such a file hoster is part of the ransomware as a service, as the Conti Leak shows. Stealing data is another way in which Conti extortionists demand a ransom. It has already happened several times that the attackers threatened to publish the stolen data. Depending on what types of files the attackers have stolen, the consequences for the company or even individuals are more or less devastating. Since such data thefts are irreversible, it has become all the more important to equip IT security with the necessary resources to prevent such cyber attacks.

The exact contents and background of the Conti Leak

The originator of the Conti Leak is a disgruntled user of Ransomware as a Service who revealed details about the model in an online forum. The reason is quite obvious that this Conti blackmailer was successful, but only received 1,500 US dollars for his criminal machinations. The rest of the extorted sum was collected by the operators of the Ransomware as a Service platform. The Conti blackmailer felt this was unfair and published information about the ransomware and the procedure in the Conti Leak. He published an archive with 113 MB of tools and instructions. Among them are scripts that can be used to deactivate antivirus solutions such as Bitdefender, TrendMicro or Windows Defender on target systems. The Conti Leak also revealed the IP addresses of the Cobalt Strike servers, which the operators of the Ransomware as a Service platform use to control the extortion Trojan.

Countermeasures - the weapons of IT security in the fight against Conti extortionists and other ransomware

The options for responding to ransomware cyberattacks such as Conti depend primarily on when IT Security discovers the attack. The worst case is that data is already encrypted and access to systems is denied. In the case of Conti ransomware, this is shown by very clear symptoms. A text document with the name "CONTI_README.txt" appears on the desktop. In this document, the Conti ransomware stores their contact details as well as a short message that parts of the system are encrypted. This often concerns their own files, photos and important documents. A connection to the Conti ransomware can also be seen immediately, because the file names change in the course of the encryption. For example, the file extensions are no longer .docx or .jpg, but .docx.CONTI and jpg.CONTI. Opening is no longer possible and the contents are encrypted with an algorithm.

The options for responding to cyber attacks with ransomware like Conti depend primarily on when IT security detects the attack.

In this case, it is first necessary to immediately interrupt the connection to the Internet. This initially applies to all systems in one's own network, because it is not possible to guarantee that the attackers still have access to other computers in the network. The systems on which data is encrypted must be completely rebuilt by IT Security. If the company has a strategy for backups and system recovery, this is usually an easy task. In some companies, however, such an incident response strategy is still missing. Then there is a threat of partial or even complete data loss. On the other hand, responding to the demands of the Conti blackmailers would be a big mistake. On the one hand, this finances the Ransomware as a Service system with Conti, which ensures that the concept is further expanded. Secondly, there is no guarantee that the criminals will decrypt the data. They may not even have the technical knowledge or capabilities to do so.

IT security also has the task of analysing the cyber attack. The main task here is to find out how the malware got into the company network, for example with a compromise assessment. Another point in this context is how long the criminals were active in the network and which accounts they compromised. Accordingly, it is important to identify and delete any accounts created by the attackers. In the same step, all passwords in the company are changed, as it cannot be ruled out that these have also been compromised. The cybercriminals may have copied the data and use it for a later attack. It is also necessary to check all systems in the company for infection as part of the Compromise Assessment. Only after this check has been completed may a connection to the company network as well as the internet be made again.

Preventive measures against the Conti Ransomware

Due to the Conti leak, the procedures for this form of ransomware are now known in detail. Since most of the users are probably criminals without extensive expertise in IT, it can be assumed that the attackers often proceed exactly according to the instructions. This gives corporate IT security the opportunity to make appropriate preparations and stop cyberattacks of this kind in the early stages. One of these preventive measures is to disable the Remote Desktop Protocol (RDP). This protocol allows remote access and control of a computer via the internet. If RDP is required for remote maintenance, setting up a VPN connection for this purpose is a good idea. Direct access from outside is then not possible.

It is also important to have an incident response plan and a disaster recovery plan in place. This ensures an orderly response in the event of an emergency. These strategies also include techniques for data backup and system recovery. This prevents data loss in the event of an emergency and Conti blackmailers have no leverage if the hard drives are encrypted.

However, the best strategy is to prevent the worst case. This can be achieved with a number of security measures. Particularly noteworthy here are systems for attack detection in real time as well as service providers who offer an Active Cyber Defense service. Such solutions continuously monitor systems and networks and detect unusual activities. This includes, for example, remote access from unknown IPs, new accounts with administrator rights or remote commands from a command & control server. IT Security then receives an alert in real time and has the opportunity to investigate the matter. In this way, cyber attacks can be stopped before the Conti extortionists have a chance to deploy and activate the ransomware.


The Conti Leak confirmed what IT security experts have been warning about for some time. With the concept of Ransomware as a Service, hackers are now renting out their technical skills to a broad mass of cybercriminals. Professional instructions that guide laypeople through every step of a cyber attack, as well as other suitable tools for preparing the ransomware attack, show how highly developed this sector is. For companies, this means an ever-increasing danger from cyber attacks. Everyone is a potential target for the cybercriminals, as the sole aim is ransomware. IT security must adapt to this situation and implement appropriate countermeasures, such as an anomaly early warning system. The most important thing here is to improve prevention with proactive methods so that hackers do not penetrate one's own network in the first place - or IT security identifies such breaches immediately.

Are you already effectively protected against cyber attacks by ransomware? Contact us - we will be happy to advise you!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by secion GmbH.

Go back