Back to Intelligence

Conti Ransomware TTPs: Active Defense and Incident Response Playbook

SA
Security Arsenal Team
June 13, 2026
6 min read

The recent extradition and guilty plea of a Ukrainian national in Ireland for conspiracy to commit computer fraud and wire fraud serves as a stark reminder: while the specific branding of "Conti" may have ostensibly dissolved, its operatives, codebases, and Tactics, Techniques, and Procedures (TTPs) have splintered into the dominant ransomware ecosystems of 2026.

This legal victory is significant, but for defenders, the operational reality remains unchanged. The affiliates behind these encryption-based operations are still active, leveraging refined playbooks that prioritize speed—often achieving full domain encryption in under four hours. This post dissects the persistent threat of Conti-style operations and provides immediate detection and remediation guidance for security teams.

Technical Analysis

While the specific indictment covers past operations, the TTPs used by this actor group remain the "gold standard" for modern ransomware-as-a-service (RaaS) variants active in 2026. Conti-derived code and methodologies are currently observed in active campaigns involving LockBit, BlackBasta, and Akira.

Attack Chain Overview

  1. Initial Access: In 2026, these groups have shifted slightly away from pure vulnerability exploitation (e.g., ProxyShell) and heavily toward Initial Access Brokers (IABs) using Qakbot, IcedID, or Pikabot loaders delivered via highly targeted phishing.
  2. Execution & Persistence: Upon execution, payloads typically establish persistence via Scheduled Tasks or Registry Run keys. We frequently see the deployment of Cobalt Strike or Sliver beacons for Command & Control (C2).
  3. Privilege Escalation & Lateral Movement: Operators aggressively hunt for credentials using tools like Mimikatz or LaZagne. They utilize Windows Management Instrumentation (WMI) and SMB for lateral movement, frequently abusing the PsExec utility.
  4. Defense Evasion: A hallmark of Conti and its descendants is the systematic destruction of Volume Shadow Copies to prevent system recovery. This is achieved via vssadmin.exe, wmic, or PowerShell.
  5. Impact: Encryption is performed using ChaCha20 or AES-256. Exfiltration occurs prior to encryption using tools like rclone or WinSCP to cloud storage providers for double-extortion leverage.

Exploitation Status

  • Status: Confirmed Active. While the original Conti builder is retired, the TTPs are actively used in "Big Game Hunting" operations in 2026.
  • Risk Level: Critical. The speed of these operations leaves a small window for detection.

Detection & Response

Detecting Conti-style operations requires identifying the specific behaviors that signal the transition from access to impact (encryption).

SIGMA Rules

YAML
---
title: Conti Style Shadow Copy Deletion
id: 85c9b9e0-8c6e-4b0b-8f9e-1b2b3d4e5f6g
status: experimental
description: Detects the deletion of Volume Shadow Copies, a common Conti tactic to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
  condition: selection
falsepositives:
  - System administrator maintenance (rare)
level: critical
---
title: Potential Rclone Exfiltration Tool
id: 92f1c8d0-7e5a-3c6a-9e8f-0a1b2c3d4e5f
status: experimental
description: Detects the use of rclone, a tool frequently used by ransomware actors for data exfiltration.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\rclone.exe'
    CommandLine|contains:
      - 'config create'
      - 'copy'
      - 'sync'
  condition: selection
falsepositives:
  - Legitimate backup operations using rclone
level: high
---
title: PowerShell AMSI Bypass via Reflection
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects common PowerShell patterns used by Conti loaders to bypass AMSI.
references:
  - https://attack.mitre.org/techniques/T1562.001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - 'System.Management.Automation.AmsiUtils'
      - 'amsiInitFailed'
  condition: selection
falsepositives:
  - Rare, usually indicates malicious intent
level: critical

KQL (Microsoft Sentinel)

This query hunts for the sequential execution of discovery commands (net view, net group) followed by shadow copy deletion, indicative of the reconnaissance-to-impact transition.

KQL — Microsoft Sentinel / Defender
let DiscoveryCommands = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("net view", "net group", "net computer", "qwinsta")
| project DeviceId, Timestamp, FileName, ProcessCommandLine;
let DestructiveCommands = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "wbadmin delete")
| project DeviceId, Timestamp, FileName, ProcessCommandLine;
DiscoveryCommands
| join (DestructiveCommands) on DeviceId
| where DestructiveCommands_Timestamp between (DiscoveryCommands_Timestamp .. 30m)
| project DeviceId, Discovery_Timestamp=DiscoveryCommands_Timestamp, Destructive_Timestamp=DestructiveCommands_Timestamp, Discovery_Command=DiscoveryCommands_ProcessCommandLine, Destructive_Command=DestructiveCommands_ProcessCommandLine
| order by Destructive_Timestamp desc

Velociraptor VQL

Hunt for suspicious binaries commonly dropped by Conti loaders in user profile directories or public folders.

VQL — Velociraptor
-- Hunt for suspicious binaries in common drop locations
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:\Users\Public\*.exe", root="/")
WHERE Mtime > now() - 7d
  AND Name NOT IN ("desktop.ini", "laptops.ini")
UNION
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:\Users\*\AppData\Local\Temp\*.exe", root="/")
WHERE Mtime > now() - 1h
  AND Name =~ '^[a-zA-Z0-9]{8,}\.(exe|dll)$'

Remediation Script (PowerShell)

Run this script on suspected endpoints to mitigate active encryption attempts and harden the environment against lateral movement.

PowerShell
# 1. Stop and disable common services abused by ransomware
ServicesToStop = @("Schedule", "WSearch", "DHCP", "DNS") # Example, adjust based on environment
Write-Host "Checking for common persistence mechanisms..."

# 2. Audit and Restrict VSS Administration
Write-Host "Restricting VSS Administration to Local System only..."
$vssKey = "HKLM:\SYSTEM\CurrentControlSet\Services\VSS"
$vssACL = Get-Acl $vssKey
$ar = New-Object System.Security.AccessControl.RegistryAccessRule("NT AUTHORITY\SYSTEM","FullControl","Allow")
$vssACL.SetAccessRule($ar)
Set-Acl $vssKey $vssACL

# 3. Enable Network Level Authentication (NLA) for RDP
Write-Host "Enabling NLA for RDP..."
$NLAPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $NLAPath -Name "UserAuthentication" -Value 1 -Force

# 4. Disable WMI from non-admins
Write-Host "Restricting WMI remote access..."
Set-ItemProperty -Path "HKLM\SOFTWARE\Microsoft\WBEM\CIMOM" -Name "EnableRemoteWMI" -Value 0 -Force

# 5. Check for Suspicious Scheduled Tasks
Write-Host "Auditing Scheduled Tasks created in the last 24 hours..."
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-1)} | Select-Object TaskName, Author, Date

Write-Host "Remediation actions completed."

Remediation

Immediate containment is critical when dealing with Conti-style encryption operations:

  1. Isolate Hosts: Immediately disconnect infected hosts from the network (pull Ethernet/disable WiFi) to prevent lateral movement. Do not shutdown; volatile memory contains encryption keys.
  2. Reset Credentials: Assume all credentials (domain admin, service accounts) on the affected network are compromised. Force a password reset for all privileged accounts.
  3. Patch Hygiene: While Conti often uses phishing, they exploit legacy vulnerabilities for lateral movement. Ensure all systems are patched against critical vulnerabilities in Exchange, VPNs, and printing services.
  4. Disable RDP: If not business-critical, disable Remote Desktop Protocol (RDP) immediately. If required, enforce Network Level Authentication (NLA) and restrict access via VPN with MFA.
  5. Block RMM Tools: Block legitimate Remote Monitoring and Management (RMM) tools (AnyDesk, TeamViewer, ScreenConnect) at the firewall unless strictly allowed via policy; these are top-tier C2 channels for human-operated ransomware.
  6. Review Backups: Ensure offline backups are immutable. Conti actors specifically target backup software agents to delete backups before encryption.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfircontithreat-huntingir

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
Conti Ransomware TTPs: Active Defense and Incident Response Playbook | Security Arsenal | Security Arsenal