Available Solution for Conti Ransomware

    • Updated: 22 May 2021
    • Product/Version: Apex One 2019, Deep Discovery Email Inspector 3.5, Deep Discovery Inspector 5.5, Deep Security 12.0, OfficeScan XG, ScanMail for Exchange 14.0, Worry-Free Business Security Advanced 10.0, Worry-Free Business Security Standard 10.0
    • Platform:

Summary

Conti ransomware has been described as the successor to the popular Ryuk ransomware family. Threat actors are increasingly distributing the malware via the same method that was used to distribute Ryuk in the past.

Capabilities

  • Initial Access

    This ransomware may arrive on the system as a result of a BazarLoader infection, which in turn results from a phishing email containing a Google Drive link that downloads the malware.

  • Lateral Movement and Defense Evasion

    Attackers also use batch files to disable security tools; the batch file is executed through a scheduled task. After obtaining domain administrator credentials, the attackers are free to move laterally across the network.

  • Credential Access

    After gaining information on the domain accounts, the attackers dump the domain controller credentials using ntdsutil.

  • Exfiltration

    The attackers use a tool named RClone to perform data exfiltration. RClone is an open-source tool used to sync files to a specified cloud storage provider, in this case Mega cloud storage.

  • Impact

    After exfiltration, the ransomware is distributed to the targeted endpoints and files are encrypted. The ransomware also inhibits system recovery by deleting shadow copies using WMI.
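As an added example (not part of the Trend Micro article), the following Python script applies one detection rule per behaviour described in the capabilities above to a few constructed Sysmon-style process-creation events; the host names, accounts, paths and the log line format are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical hosts and users):
#   <time> host=<name> user=<account> image=<exe path> cmd=<command line>
SAMPLE_EVENTS = [
    "2021-05-20T08:01:12 host=WS-07 user=CORP\\jdoe image=C:\\Windows\\System32\\schtasks.exe "
    "cmd=schtasks /create /tn Update /tr C:\\Temp\\av.bat /sc once /st 08:05 /ru SYSTEM",
    "2021-05-20T08:05:00 host=WS-07 user=NT AUTHORITY\\SYSTEM image=C:\\Windows\\System32\\cmd.exe "
    "cmd=cmd /c C:\\Temp\\av.bat",
    "2021-05-20T09:14:33 host=DC-01 user=CORP\\admin image=C:\\Windows\\System32\\ntdsutil.exe "
    "cmd=ntdsutil ifm",
    "2021-05-20T10:02:10 host=FS-02 user=CORP\\admin image=C:\\Temp\\rclone.exe "
    "cmd=rclone copy E:\\Shares\\Finance mega:backup --transfers 8",
    "2021-05-20T10:45:51 host=FS-02 user=NT AUTHORITY\\SYSTEM "
    "image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic shadowcopy delete",
    "2021-05-20T11:00:00 host=WS-03 user=CORP\\alice image=C:\\Program Files\\App\\app.exe "
    "cmd=app.exe --sync",
]

# Lazy groups stop at the next " field=" token; the cmd field runs to end of line.
EVENT_RE = re.compile(r"(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>.+?) image=(?P<image>.+?) cmd=(?P<cmd>.*)$")

def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def _image_is(e, name):
    # Compare on the executable's file name only, so the directory does not matter.
    return e["image"].lower().endswith("\\" + name)

# One rule per behaviour named in the Capabilities section above.
RULES = [
    ("scheduled_task_runs_batch", lambda e: _image_is(e, "schtasks.exe")
        and "/create" in e["cmd"].lower() and ".bat" in e["cmd"].lower()),
    ("ntdsutil_execution", lambda e: _image_is(e, "ntdsutil.exe")),
    ("rclone_to_mega", lambda e: _image_is(e, "rclone.exe")
        and re.search(r"\bmega:", e["cmd"], re.I) is not None),
    ("wmi_shadowcopy_delete", lambda e: _image_is(e, "wmic.exe")
        and re.search(r"shadowcopy\s+delete", e["cmd"], re.I) is not None),
]

def triage(lines):
    # Returns one hit per (event, rule) match, in log order, for analyst review.
    hits = []
    for line in lines:
        e = parse_event(line)
        hits.extend({"rule": name, "host": e["host"], "time": e["time"]}
                    for name, pred in RULES if pred(e))
    return hits
```

Running `triage(SAMPLE_EVENTS)` yields four hits in the order the intrusion unfolds (task creation, ntdsutil on the domain controller, RClone to Mega, shadow copy deletion), while the benign application event on WS-03 produces none.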

Infection Routine


File Reputation

DETECTION/POLICY/RULES            PATTERN BRANCH/VERSION   RELEASE DATE
Backdoor.Win32.COBEACON.OSLJAE    16.311.00                2020-10-27
Backdoor.Win64.COBALT.AG          16.533.00                2021-02-12
Backdoor.Win64.COBALT.AH          16.561.00                2021-02-26
Backdoor.Win64.COBEACON.SMA       16.263.00                2020-10-03
Backdoor.Win64.COBALT.YABBL       16.617.00                2021-03-26
Backdoor.Win64.COBALT.YABBS       16.617.00                2021-03-26
Ransom.Win32.CONTI.E              16.109.00                2020-07-18
Ransom.Win32.CONTI.I              16.275.00                2020-10-09
Ransom.Win32.CONTI.YAAI-A         16.241.00                2020-09-22
Ransom.Win32.CONTI.YABAZ          16.617.00                2021-03-26
Ransom.Win32.CONTI.YXAGQ          16.617.00                2021-03-26
Ransom.Win32.CONTI.D              16.103.00                2020-07-15
Ransom.Win32.CONTI.J              16.333.00                2020-11-06
Ransom.Win64.CONTI.A              16.537.00                2021-02-14
Trojan.PS1.BAZALOADER.YXAK-A      16.323.00                2020-11-02
Trojan.BAT.COBALSTART.A           16.561.00                2021-02-26
Trojan.BAT.COBALSTART.YABBM       16.617.00                2021-03-26
Trojan.BAT.COBALSTART.YABBS       16.617.00                2021-03-26
Trojan.BAT.COBEACON.YABBL         16.617.00                2021-03-26
Trojan.BAT.CONTISTART.YABBM       16.617.00                2021-03-26
Trojan.BAT.KILLAV.WLDS            16.653.00                2021-04-13
Trojan.BAT.KILLAV.YABBS           16.617.00                2021-03-26
Trojan.BAT.CONTISTART.YABBM       16.617.00                2021-03-26
Trojan.PS1.COBALT.YABBS           16.617.00                2021-03-26
Trojan.Win32.BAZALOADER.YXAK-A    16.323.00                2020-11-02
Trojan.Win64.BAZARLOADER.YABBM    16.617.00                2021-03-26
Trojan.XML.KILLAV.YABBS           16.617.00                2021-03-26
Trojan.XML.KILLAV.AA              16.549.00                2021-02-20
Worm.BAT.COBALT.YABBS             16.617.00                2021-03-26
Worm.BAT.KILLAV.YABBS             16.617.00                2021-03-26

Predictive Machine Learning

DETECTION                         PATTERN BRANCH/VERSION
TROJ.Win32.TRX.XXPE50FFF042       In-the-Cloud
TROJ.Win32.TRX.XXPE50FFF041       In-the-Cloud

Behavior Monitoring

DETECTION                         PATTERN BRANCH/VERSION
FLS.IBT.4851T                     Behavior Monitoring OPR 2.187
RAN4056T                          Behavior Monitoring OPR 1.907

Web Reputation

URL                CATEGORY                                           BLOCKING DATE
URL Protection     Malware Accomplice, Disease Vector, Ransomware     In-the-Cloud

Email Protection

PROTECTION         PATTERN VERSION
Email Protection   Anti-Spam Pattern 6040

Solution Map - What should customers do?

Solution Map for Darkside

To update Trend Micro products, refer to the corresponding Online Help Center guides.

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Nefilim ransomware.

Threat Report

Blogs

Category: Remove a Malware / Virus
Solution Id: 000286405