Best Practices to Protect Against Conti Ransomware, from Case Study to Recovery

Part I — Conti Ransomware Case Study

Fig 1. A screenshot of CyCraft AIR’s initial automated IR report of the customer’s environment.
Fig 2. Cyber situation graph of customer’s affected environment

First Wave Operation

Fig 3. CobaltStrike DLL Side Loading
Fig 4. CobaltStrike Beacon oci.dll via DLL SideLoading
Fig 5. PSEXEC and RAR
Fig 6. Procdump execution
Fig 7. Process tree to launch ransomware
Fig 8. Command-line information
Fig 9. Conti Ransomware — 1
Fig 10. Conti Ransomware — 2
Fig 11. Timeline Analysis in EP5
Fig 12. Execution Event for Launching Ransomware

CobaltStrike Config

BeaconType — HTTPS
Port — 443
SleepTime — 5000
MaxGetSize — 1401323
Jitter — 10
MaxDNS — 235
PublicKey — b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x8b6g;+\r(\xe3\xbb\xfa\xab&\xab\xf5/\xa0\x83dw\xaf\x81xd4cX\x8b\xcev&<"\x93}\xdet\n\xb0\x10\xdc\x03\xc8\xc0\xe52P\x80\x02\xd1\xc0M-\xe9C\xb6\xa7\x01\x943b\xe4Nj~\xd3)O\x02\xff\xc7\xe0\xa1\xa0\x92=\xb2@ \xf7\x8c\x98\xe3%\x07\x8c\\\xed\xe7/\xbdRO\x90\x1d\xb5R\x7f\x15\x84\xbe\x872\xdf\xd8\x17]"\x1d\xc7r\xdd4\x12Y\xa0r\x15\x8c\x1e\x9e[\x96\xd5\xbfs \xf0}\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
C2Server — ,/us/ky/louisville/312-s-fourth-st.html
UserAgent — Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri — /OrderEntryService.asmx/AddOrderLine
HttpGet_Metadata —
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: close
HttpPost_Metadata —
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
SpawnTo — b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PipeName —
DNS_Idle —
DNS_Sleep — 0
SSH_Host — None
SSH_Port — None
SSH_Username — None
SSH_Password_Plaintext — None
SSH_Password_Pubkey — None
HttpGet_Verb — GET
HttpPost_Verb — POST
HttpPostChunk — 0
Spawnto_x86 — %windir%\syswow64\mstsc.exe
Spawnto_x64 — %windir%\sysnative\mstsc.exe
CryptoScheme — 0
Proxy_Config — None
Proxy_User — None
Proxy_Password — None
Proxy_Behavior — Use IE settings
Watermark — 0
bStageCleanup — True
bCFGCaution — True
KillDate — 0
bProcInject_StartRWX — True
bProcInject_UseRWX — False
bProcInject_MinAllocSize — 16700
ProcInject_PrependAppend_x86 — b'\x90\x90\x90'
ProcInject_PrependAppend_x64 — b'\x90\x90\x90'
ProcInject_Execute —
ProcInject_AllocationMethod — NtMapViewOfSection
bUsesCookies — True
HostHeader —
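The network-facing fields of an extracted beacon config (GET URI path, POST URI, User-Agent) are the parts a defender can hunt for in web proxy logs. The Python below is an added example, not code from the article or from CyCraft: it parses the "Key — Value" listing above, turns it into match rules, and runs them over constructed proxy log lines. The log format, the source IPs and the host name c2-host.invalid are assumptions; the C2 host is not recoverable from the page, so only the URI path is used.

```python
import re

# Beacon configuration values from the listing above, re-entered in the same
# "Key — Value" format (constructed subset; C2 host not recoverable, path only).
BEACON_CONFIG_TEXT = """\
BeaconType — HTTPS
C2Server — ,/us/ky/louisville/312-s-fourth-st.html
UserAgent — Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri — /OrderEntryService.asmx/AddOrderLine
HttpGet_Verb — GET
HttpPost_Verb — POST
"""

def parse_beacon_config(text):
    """Parse 'Key — Value' lines into a dict; a bare 'Key —' maps to ''."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" —")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def hunting_rules(cfg):
    """(verb, uri_path, user_agent) triples that a proxy-log hunt should match."""
    get_path = cfg["C2Server"].split(",", 1)[1]  # "host,path" -> path
    ua = cfg["UserAgent"]
    return [(cfg["HttpGet_Verb"], get_path, ua), (cfg["HttpPost_Verb"], cfg["HttpPostUri"], ua)]

# Constructed proxy log format: <ts> <src_ip> "<VERB> <host><path>" <status> "<user-agent>"
PROXY_LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<verb>[A-Z]+) (?P<host>[^/ ]+)(?P<path>\S*)" '
                          r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def hunt_proxy_log(lines, rules):
    """Return (src_ip, host, verb, path) for each log line that matches a rule."""
    hits = []
    for line in lines:
        m = PROXY_LOG_RE.match(line)
        if m:
            for verb, path, ua in rules:
                if (m["verb"], m["path"], m["ua"]) == (verb, path, ua):
                    hits.append((m["src"], m["host"], verb, path))
    return hits

# Constructed sample lines; the C2 host name is a placeholder, not from the page.
UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLE_PROXY_LOG = [
    f'2020-12-06T07:32:10Z 10.0.0.15 "GET c2-host.invalid/us/ky/louisville/312-s-fourth-st.html" 200 "{UA}"',
    f'2020-12-06T07:32:15Z 10.0.0.15 "POST c2-host.invalid/OrderEntryService.asmx/AddOrderLine" 200 "{UA}"',
    '2020-12-06T07:33:01Z 10.0.0.22 "GET www.example.com/index.html" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"',
]
```

Matching on the full User-Agent together with the URI path keeps false positives low, because this beacon's User-Agent lacks the Chrome/Safari product tokens that real browsers append.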

Second Wave Operation

  • 2020-12-06 07:32:00 DC-2, C:\ProgramData\left.dll
  • 2020-12-06 08:04:18 DC-2, C:\ProgramData\left.dll,StartW
  • 2020-12-06 09:10:41 AP-1, C:\ProgramData\left.dll
  • 2020-12-06 10:12:11 EP-7, C:\ProgramData\rez64.dll
  • 2020-12-07 07:36:53 DC-2, C:\ProgramData\rez64.dll,StartW
  • 2020-12-07 07:42:33 DC-2, C:\ProgramData\sql.dll
  • 2020-12-07 10:42:07 AP-1, C:\ProgramData\sql.dll
Fig 13. Time Bomb for Conti Ransomware
Fig 14. The other privilege escalation commands
Fig 15. Discussion of Conti in Twitter @PeterM
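The second-wave timeline is the kind of evidence an IR team reconstructs from endpoint telemetry: DLLs dropped into C:\ProgramData on one host, invoked through an export, then appearing on further hosts. The Python below is an added example, not code from the article or from CyCraft: it parses the timeline entries above and summarises, per DLL, where it was first seen, which hosts it reached, and where it was executed. The ",StartW" suffix is read as the exported function that was invoked, and the list of suspicious directories is an assumption for this example.

```python
import re

# The Second Wave timeline from this page, as "date time host, path[,export]" lines.
SECOND_WAVE_TIMELINE = """\
2020-12-06 07:32:00 DC-2, C:\\ProgramData\\left.dll
2020-12-06 08:04:18 DC-2, C:\\ProgramData\\left.dll,StartW
2020-12-06 09:10:41 AP-1, C:\\ProgramData\\left.dll
2020-12-06 10:12:11 EP-7, C:\\ProgramData\\rez64.dll
2020-12-07 07:36:53 DC-2, C:\\ProgramData\\rez64.dll,StartW
2020-12-07 07:42:33 DC-2, C:\\ProgramData\\sql.dll
2020-12-07 10:42:07 AP-1, C:\\ProgramData\\sql.dll
"""

ENTRY_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+),\s*"
                      r"(?P<path>[^,]+)(?:,(?P<export>\w+))?$")

# User-writable directories from which a DLL load is worth flagging (assumption for this example).
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

def parse_timeline(text):
    """Parse timeline lines into dicts with ts, host, path and optional export (None if absent)."""
    return [m.groupdict() for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]

def summarize_dll_activity(entries):
    """Per suspicious DLL: first sighting, every host it reached, and where it was executed."""
    summary = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        path = e["path"].strip().lower()
        if not path.startswith(SUSPICIOUS_DIRS) or not path.endswith(".dll"):
            continue
        name = path.rsplit("\\", 1)[-1]
        rec = summary.setdefault(name, {"first_seen": (e["ts"], e["host"]), "hosts": [], "executed_on": []})
        if e["host"] not in rec["hosts"]:
            rec["hosts"].append(e["host"])
        if e["export"]:  # a ",StartW" suffix records the exported function that was invoked
            rec["executed_on"].append((e["ts"], e["host"], e["export"]))
    return summary

def host_first_seen(entries):
    """Each host with the time it first appears, in chronological order of compromise."""
    first = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        first.setdefault(e["host"], e["ts"])
    return first
```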

Part II — Brief Analysis of Conti Ransomware

Sped up Encryption

Increased Number of Encrypted Files Per Attack

Detection Evasion Techniques

IoC List

C2 Information

IoC | Type
173[.]234.155.85 | C2 IP
arcnew[.]com | C2 Domain
74[.]118.138.144 | C2 IP

Further Research on Conti Ransomware

Medium Article: Conti Ransomware in Taiwan

Part III — Best Practices for Enterprises Today

1. Do Not Pay the Ransom

“Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

2. Endpoint Security

3. Data Retention & Data Recovery

Useful Tips for Better Data Retention & Recovery

  • Understand what data you have, and define specific policies for each kind. Attackers typically prioritize data from Human Resources (HR), Enterprise Resource Planning (ERP), Manufacturing Execution System (MES), or Financial-related Information (FI).
  • Mounting multiple network-attached storage (NAS) devices is not an effective backup strategy on its own. However, meticulous tracking of each backup version is extremely helpful. File synchronization tools are your friends.
  • Sharing folders via a network drive without proper access control may increase your day-to-day productivity, but it is extremely insecure. Sharing folders with multiple users and devices increases the likelihood of ransomware encrypting those files. Even worse, where several machines are infected, files in a shared folder may be encrypted numerous times, making decryption more difficult or even impossible.
  • Once hit, accept that downtime could be longer than expected. At this point, thoroughness of security should take priority over efficiency or usability.
  • Once hit by ransomware, recovering from the damage and resuming day-to-day business operations are always paramount; however, preventing the next intrusion (which has been known to happen, especially in targeted ransomware attacks) is also important. Nobody wants to lose all their progress and start over again.
  • Resuming services is the first priority; however, preserving application logs, memory snapshots, or even whole-disk images is necessary for a thorough and successful IR investigation. The scorched-earth approach could help you get clean faster; however, it also hinders you and the IR team in answering some of the more important questions: What was the initial access point? How did the attackers remain undetected? How long were they in your system? Which endpoints did the attackers have access to? Are any of the partners in your supply chain affected?
  • Prioritize your remediation policy according to the importance of the endpoints or assets.
  • Endpoints that do not contain sensitive data should still be carefully isolated until remediation is completed, to prevent further spread. Keeping those endpoints powered on, rather than off, could help produce a more thorough and detailed IR report.
  • Simply shutting down an endpoint is not an effective method, as the ransomware could have hooked the system shutdown procedure, allowing it to clean up after itself and remove related artifacts to increase its stealth.

4. Continuous Incident Response

Everything Starts From Security

Engage with CyCraft

Meet your cyber defense needs in the 2020s by engaging CyCraft at

Additional Resources

  • Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.
