Introduction
The recent sentencing of Latvian national Deniss Zolotarjovs for his role in encryption-based cyber attacks orchestrated by former Conti leadership serves as a stark reminder of the persistent and devastating impact of ransomware operations. Zolotarjovs, tasked with pressuring victims—including the egregious leaking of hundreds of children's health records—demonstrates the ruthless double-extortion tactics that define modern ransomware-as-a-service (RaaS) operations. While law enforcement continues to make strides in dismantling these criminal enterprises, the operational reality is that Conti-affiliated threat actors remain active, having evolved into new offshoots and variants.
For defenders, this case underscores a critical reality: the human element of ransomware—operators who actively exfiltrate data, negotiate with victims, and weaponize sensitive information—requires more than just endpoint protection. Organizations face multi-vector threats where encryption is only one component of the attack chain. This post provides actionable detection strategies and remediation guidance to defend against Conti-style ransomware operations.
Technical Analysis
Attack Chain Overview
Conti and its successor variants typically employ a sophisticated attack chain involving:
- Initial Access: Often through phishing campaigns, compromised credentials (via info stealers like Qakbot/Emotet), or exploitation of unpatched VPN/remote services (e.g., Fortinet, Pulse Secure)
- Lateral Movement: Use of tools like Cobalt Strike, SystemBC, and legitimate admin tools (RDP, PSExec)
- Privilege Escalation: Exploitation of vulnerabilities (e.g., PrintNightmare, ZeroLogon) or credential dumping (Mimikatz)
- Defense Evasion: Disabling security tools (EDR/AV), clearing event logs, using living-off-the-land binaries (LOLBins)
- Data Exfiltration: Prior to encryption, exfiltrating sensitive data to leak sites or cloud storage
- Encryption: Deployment of ransomware payload using AES-256 or ChaCha20 encryption
Affected Products and Platforms
- Windows Operating Systems: All versions susceptible to credential abuse and lateral movement
- VPN/Remote Access Gateways: Historically targeted include FortiOS, Pulse Connect Secure, Citrix ADC
- Network Security Tools: Often disabled during attacks include CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne
Exploitation Status
- Active Exploitation: Conti-affiliated groups remain highly active despite the disruption of the core operation in 2022
- CISA KEV: While Conti-specific, many initial access vectors (e.g., CVE-2021-44228, CVE-2021-34527) are listed in the CISA Known Exploited Vulnerabilities Catalog
- Variants: Offshoots including BlackByte, BlackBasta, and Royal ransomware share TTPs with original Conti operations
Detection & Response
SIGMA Rules
YAML
---
title: Conti-Style Ransomware Mass File Encryption Pattern
id: 8b4f3a1c-7d2e-4f5a-9b3c-1d2e3f4a5b6c
status: experimental
description: Detects rapid encryption of multiple files consistent with Conti ransomware behavior by monitoring process creation with file access patterns.
references:
- https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2024/06/18
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\rundll32.exe'
filter:
ParentImage|contains:
- '\Program Files\'
- '\Windows\System32\'
condition: selection and not filter
falsepositives:
- Legitimate batch file operations
- System administration tasks
level: high
---
title: Conti Affiliate Cobalt Strike Lateral Movement
id: 3c9e8f2a-1b4d-4a7e-9c5f-2d3e4f5a6b7c
status: experimental
description: Detects Cobalt Strike Beacon activity commonly used by Conti operators for lateral movement and command execution.
references:
- https://attack.mitre.org/techniques/T1059/
- https://attack.mitre.org/techniques/T1021/
author: Security Arsenal
date: 2024/06/18
tags:
- attack.execution
- attack.t1059.003
- attack.lateral_movement
- attack.t1021.002
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort:
- 443
- 80
- 8443
filter_legitimate:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\edge.exe'
- '\iexplore.exe'
condition: selection and not filter_legitimate
falsepositives:
- Legitimate web browsing
- Corporate application traffic
level: medium
---
title: Ransomware Double-Extortion Data Exfiltration Preparation
id: 7d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects preparation for data exfiltration consistent with ransomware double-extortion tactics including archiving and large file transfers.
references:
- https://attack.mitre.org/techniques/T1567/
author: Security Arsenal
date: 2024/06/18
tags:
- attack.exfiltration
- attack.t1567
logsource:
category: file_event
product: windows
detection:
selection_archive:
TargetFilename|contains:
- '\Temp\'
- '\AppData\Local\Temp\'
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.7z'
selection_rclone:
Image|endswith:
- '\rclone.exe'
selection_wget:
Image|endswith:
- '\wget.exe'
- '\curl.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate archiving operations
- Valid administrative tool usage
level: high
KQL (Microsoft Sentinel / Defender)
KQL — Microsoft Sentinel / Defender
// Hunt for Conti-style ransomware precursor activity
// Detects multiple high-risk behaviors within a 24-hour window
let timeframe = 1d;
let accountLookback = 14d;
// Detect unusual lateral movement and SMB access
let SuspiciousSMBAccess =
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where RemotePort == 445
| where ActionType in ("FileCreated", "FileAccessed")
| summarize count() by DeviceName, InitiatingProcessAccountName, RemoteIP
| where count_ > 100;
// Detect mass file encryption patterns
let RapidFileEncryption =
DeviceFileEvents
| where Timestamp > ago(timeframe)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe", "mshta.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath
| where count_ > 50;
// Detect security product tampering
let SecurityToolTampering =
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where ProcessCommandLine contains "sc stop"
or ProcessCommandLine contains "net stop"
or ProcessCommandLine contains "Set-MpPreference"
| where ProcessCommandLine contains any_(
"Defender", "CrowdStrike", "SentinelOne", "Sophos", "FireEye", "Symantec",
"McAfee", "TrendMicro", "Kaspersky", "ESET")
| summarize count() by DeviceName, AccountName, ProcessCommandLine;
// Detect credential dumping behavior
let CredentialDumping =
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where FileName in ("mimikatz.exe", "procdump.exe", "rundll32.exe", "taskmgr.exe")
| where ProcessCommandLine contains "lsass"
or ProcessCommandLine contains "sekurlsa"
or ProcessCommandLine contains "mini"
| project DeviceName, AccountName, ProcessCommandLine;
// Correlate indicators for potential Conti ransomware activity
SuspiciousSMBAccess
| join kind=inner (RapidFileEncryption) on DeviceName
| join kind=inner (SecurityToolTampering) on DeviceName
| project DeviceName, InitiatingProcessAccountName, RemoteIP, Timestamp
| distinct *
| extend DetectionTime = now(), AlertType = "Potential Conti-Style Ransomware Activity"
Velociraptor VQL
VQL — Velociraptor
-- Hunt for Conti ransomware precursor activity on endpoints
-- Detect processes and files indicative of ransomware preparation
-- Detect recently created suspicious processes
SELECT
Pid,
Name,
CommandLine,
Exe,
Username,
CreateTime
FROM pslist()
WHERE Name IN (
'cmd.exe', 'powershell.exe', 'wscript.exe', 'rundll32.exe',
'mshta.exe', 'certutil.exe', 'bitsadmin.exe', 'regsvr32.exe'
)
AND CreateTime > now() - 24h
AND (
CommandLine =~ '-enc' OR
CommandLine =~ 'FromBase64String' OR
CommandLine =~ 'IEX' OR
CommandLine =~ 'Invoke-Expression' OR
CommandLine =~ 'DownloadString' OR
CommandLine =~ '/c ' OR
CommandLine =~ 'powershell -'
)
-- Detect mass file creation patterns (potential encryption)
SELECT
FullPath,
Size,
Mode.String,
Mtime,
Btime
FROM glob(globs='/*/*.*', root='C:\')
WHERE Mode.String =~ 'r'
AND Mtime > now() - 24h
AND FullPath =~ '\.lock' OR FullPath =~ '\.enc' OR FullPath =~ '\.crypt' OR FullPath =~ '\.encrypted'
LIMIT 1000
-- Detect modifications to critical security registry keys
SELECT
KeyPath,
Name,
Data,
LastWriteTime
FROM registry()
WHERE KeyPath =~ 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services'
AND LastWriteTime > now() - 24h
AND Name =~ 'Start'
AND Data IN (4, 3)
Remediation Script (PowerShell)
PowerShell
# Conti Ransomware Hardening and Detection Script
# Run with elevated privileges
# Function to write output with timestamp
function Write-Log {
param([string]$Message)
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Write-Host "[$timestamp] $Message" -ForegroundColor Cyan
}
# Check for suspicious processes associated with Conti operations
Write-Log "Checking for suspicious ransomware-related processes..."
$suspiciousProcesses = @(
"mimikatz.exe",
"procdump.exe",
"rclone.exe",
"pskill.exe",
"psexec.exe",
"anydesk.exe",
"supremo.exe",
"ammyy.exe"
)
$foundProcesses = Get-Process | Where-Object {
$suspiciousProcesses -contains $_.ProcessName.ToLower()
}
if ($foundProcesses) {
Write-Log "ALERT: Suspicious processes detected: $($foundProcesses.ProcessName -join ', ')"
$foundProcesses | Format-Table Id, ProcessName, Path, StartTime -AutoSize
} else {
Write-Log "No suspicious processes detected."
}
# Check for mass file encryption indicators
Write-Log "Scanning for potential encrypted file indicators..."
$encryptedExtensions = @('*.lock', '*.enc', '*.crypt', '*.encrypted', '*.Locked')
$driveLetters = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $driveLetters) {
foreach ($ext in $encryptedExtensions) {
$files = Get-ChildItem -Path $drive -Filter $ext -Recurse -ErrorAction SilentlyContinue -Depth 2
if ($files) {
Write-Log "ALERT: Found potential encrypted files in $drive with extension $ext: $($files.Count) files"
}
}
}
# Audit and protect critical services
Write-Log "Checking status of critical security services..."
$securityServices = @(
@{Name="WinDefend"; DisplayName="Windows Defender Antivirus"},
@{Name="WdNisSvc"; DisplayName="Windows Defender Network Inspection Service"},
@{Name="Sense"; DisplayName="Windows Defender Advanced Threat Protection"},
@{Name="EventLog"; DisplayName="Windows Event Log"}
)
foreach ($svc in $securityServices) {
$service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
if ($service) {
if ($service.Status -ne "Running") {
Write-Log "WARNING: $($svc.DisplayName) is not running. Current status: $($service.Status)"
try {
Start-Service -Name $svc.Name -ErrorAction Stop
Write-Log "Successfully started $($svc.DisplayName)"
} catch {
Write-Log "ERROR: Failed to start $($svc.DisplayName): $_"
}
} else {
Write-Log "OK: $($svc.DisplayName) is running."
}
} else {
Write-Log "WARNING: Service $($svc.Name) not found."
}
}
# Check for Remote Desktop Services (common Conti attack vector)
Write-Log "Checking Remote Desktop Services security..."
$rdpService = Get-Service -Name "TermService" -ErrorAction SilentlyContinue
if ($rdpService) {
if ($rdpService.Status -eq "Running") {
Write-Log "WARNING: Remote Desktop Services is running. Consider disabling if not required."
Write-Log "RDP Security Recommendations:"
Write-Log "- Enable Network Level Authentication (NLA)"
Write-Log "- Enforce account lockout policies"
Write-Log "- Implement MFA for RDP access"
Write-Log "- Use VPN or jump hosts for remote access"
}
}
# Check for SMBv1 (legacy protocol often exploited)
Write-Log "Checking SMBv1 status..."
$smbv1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smbv1Feature -and $smbv1Feature.State -eq "Enabled") {
Write-Log "WARNING: SMBv1 protocol is enabled. This is a significant security risk."
Write-Log "Consider disabling with: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
}
# Check PowerShell execution policies
Write-Log "Checking PowerShell execution policies..."
$policy = Get-ExecutionPolicy -List
foreach ($p in $policy) {
if ($p.ExecutionPolicy -eq "Unrestricted" -or $p.ExecutionPolicy -eq "Bypass") {
Write-Log "WARNING: $($p.Scope) scope has ExecutionPolicy set to $($p.ExecutionPolicy)."
}
}
# Create a baseline hash of critical directories for future comparison
Write-Log "Creating baseline file hashes for monitoring..."
$monitorPaths = @(
"$env:SystemRoot\System32",
"$env:ProgramFiles",
"$env:ProgramData"
)
foreach ($path in $monitorPaths) {
if (Test-Path $path) {
Write-Log "Hashing files in $path..."
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
Where-Object { -not $_.PSIsContainer } |
ForEach-Object {
try {
$hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
[PSCustomObject]@{
Path = $_.FullName
Hash = $hash.Hash
Size = $_.Length
Modified = $_.LastWriteTime
}
} catch {
# Skip files that can't be accessed
}
} | Export-Csv -Path "$env:TEMP\SecurityArsenal-Baseline-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Log "Baseline saved to $env\TEMP\SecurityArsenal-Baseline-$(Get-Date -Format 'yyyyMMdd').csv"
}
}
Write-Log "Conti Ransomware Hardening and Detection Script completed."
Write-Log "Please review the output above and take appropriate action for any WARNING or ALERT messages."
Remediation
Immediate Actions
-
Isolate Affected Systems:
- Disconnect potentially compromised endpoints from network immediately
- Disable affected user accounts and service accounts used during incident
- Suspend privileged access for accounts that may have been compromised
-
Backup Verification:
- Verify integrity of recent backups using test restores
- Ensure backup systems are air-gapped from production networks
- Check for backup encryption or modification
-
Password Reset:
- Force password reset for all accounts with access to affected systems
- Prioritize service accounts and privileged accounts
- Implement temporary increased password complexity requirements
Configuration Hardening
-
Disable Vulnerable Services:
- Disable SMBv1 if enabled:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol - Disable RDP from internet-facing systems
- Block inbound SMB (TCP 445) and RDP (TCP 3389) at network perimeter
- Disable SMBv1 if enabled:
-
Implement Network Segmentation:
- Separate critical systems from general network access
- Implement jump hosts for administrative access
- Restrict lateral movement with internal firewall rules
-
Enable Security Monitoring: powershell
Enable PowerShell logging
PowerShell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "OutputDirectory" -Value "C:\Logs\PowerShell"
- Patch Known Vulnerabilities:
- Prioritize CISA KEV vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Apply security updates for VPN gateways immediately (Fortinet, Pulse Secure, Citrix)
- Review and patch any exposed services to the internet
Long-term Improvements
-
Implement Multifactor Authentication:
- Enforce MFA for all remote access (VPN, RDP)
- Implement MFA for all administrative accounts
- Use phishing-resistant authenticators (FIDO2, hardware tokens)
-
Enhance Endpoint Detection:
- Deploy EDR with anti-ransomware capabilities
- Enable Microsoft Defender for Endpoint ransomware protection: powershell
PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\%USERNAME%\Documents"
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\%USERNAME%\Desktop"
- Develop Incident Response Playbooks:
- Create specific ransomware response procedures
- Define decision points for payment vs. rebuild
- Establish legal and law enforcement contacts in advance
Vendor Advisory References
- CISA Ransomware Guide: https://www.cisa.gov/stopransomware
- NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Microsoft Ransomware Protection: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
incident-responseransomwarebreach-responseforensicsdfirconti-ransomwarethreat-huntingransomware-defense
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.