Pressemitteilungen | Press releases

05 Apr 2022

Conti’s Hacker Manuals — Read, Reviewed & Analyzed

Akamai Stand: E152

Conti is a ransomware gang with revenues projected at almost 200 million dollars and is considered one of the most successful ransomware gangs in the world.


The analysis reveals a list of concrete techniques and procedures (TTPs) and indicators of compromise (IoC) employed by the group, as well as potential mitigation techniques that can be utilized by blue teams.

These attack scenarios are multifaceted and detail-oriented. They have found a formula that continues to work: harvest credentials, propagate, repeat.

The attack documentation shows a strong focus on “hands on keyboard” network propagation — hinting at the need for strong protections against lateral movement, and its critical role in defending against ransomware.

These TTPs are well-known, but highly effective techniques. It is a sobering reminder of the arsenal that is at the disposal of attack groups like Conti, and may hint at the tools often used by other groups. Studying these TTPs offers security teams an “inside scoop” into the attackers’ modus operandi in an effort to be better prepared against them.

The group’s emphasis in their documentation on hacking and hands-on propagation, rather than encryption, should drive network defenders to focus on those parts of the kill chain as well, instead of focusing on the encryption phase.

Conti is a notorious ransomware group that targets high-revenue organizations. They were first detected in 2020, and appear to be based in Russia. It is believed that the group is the successor to Ryuk ransomware group. According to Chainalysis, the ransomware group was the highest grossing of all ransomware groups in 2021, with an estimated revenue of at least 180 million dollars. 

On February 27, 2022, the Twitter handle @contileaks was created and began leaking internal documents and chat logs of the group, as well as the addresses of some of their internal servers and source code. It is widely accepted in the community that it was an internal member who leaked the documents after a dispute over the group’s public support of the Russian government during the Russian–Ukrainian conflict, but the person behind the contileaks Twitter account claims to be an independent Ukrainian researcher.


Although leaks like this have happened in the past (usually due to personal interests of the operators), what makes this one particularly interesting is the sheer amount of information leaked. Regardless of the circumstances, these documents give the community a rare glimpse into how these attack groups operate on a grand scale, what they use, and how they think in general. 

There has, understandably, been a significant amount of news coverage on these documents, particularly the chat logs, which have opened a window into the human connections inside a cybercrime group. However, not much has been written so far about the tools, techniques, and procedures of the group. 

In an effort to glean this information, we decided to focus on internal documentation, which includes guidelines for operators on target selection, hacking, and using their tools. We believe that these TTPs and methodologies should also give insight into other ransomware operators, allowing us to put ourselves in the shoes of these attackers, understand their ways of operating, and prepare our defenses accordingly.

In this blog post, we discuss the attack methodology and tools used by the Conti ransomware group, as gleaned from their leaked documentation. If you’d just like to know how to defend yourself and your network, or just want a quick list of their TTPs, you can skip to our Mitigations or summary sections.

Conti’s attack methodology

Like many modern cybercrime groups, Conti operates like a business. As outlined in this article from Wired, the group is capable of making profits (some operators have claimed personal gains of almost US$100 thousand), growing their operation, and adding new operators — and even has a CEO. As part of their business operation, Conti employs an “onboarding process” for new operators, governed by manuals detailing their methodology and modus operandi. In these manuals, we find important information on how Conti propagates inside networks, what targets they select, and what tools they use.

Interestingly, Conti is known for being a double-extortion attack group — Conti both exfiltrates and encrypts data in order to ensure payment. The exfiltrated data is either used to blackmail a company into paying the ransom or sold to the highest bidder. In this way, even if backups are available, companies are pressured to pay in order to avoid the damage that may be caused by a leak. This method was first popularized by the Maze ransomware group, which was supposedly shut down in 2020, and from which many members were recruited into Conti.

As shown in the screenshots below, taken from Conti’s site, Conti operates on a release timeline of sorts: Once they’ve alerted the organization of the extortion, they release more and more of the data they’ve exfiltrated, the longer the victim takes to pay them. The group does not appear to have a predefined ransom price guideline, with some leaked chat logs showing group members discussing the ransom price for victims.


 Conti's leak website, front page

The leak features two documents that overview Conti’s network attack methodology and their propagation goals. These documents are directed at the hacking operators/associates of the group. We haven’t seen documentation or manuals regarding initial access practices, only design documents for various internet crawlers. We think this might indicate that this vector is somewhat automated. The operator guidelines are used after the initial breach has been made. 

Both documents describe the same methodology, which can be summarized as “harvest credentials, propagate, repeat.” As mentioned, an operator is assumed to have access to a machine in the network. Their goal then is to begin propagating through the network, first either by attempting to dump and decrypt passwords or by brute force. Then, the operator is instructed to use credentials on the next machine, expanding their reach, then repeat step one. Likewise, operators are taught that encryption doesn’t start until network dominance has been reached, which ensures the impact is maximized. 

Conti’s attack doctrine is not a novel one. The use of effective tools and persistence seems to do the trick. The process appears to be mostly “hands on keyboard” — while some functions can be scripted or automated, operators are generally expected to do the work of stealing credentials and making cognizant decisions on spreading in the network. 

Network propagation goals

First and foremost, Conti’s goal is to reach the domain controller (DC). Operators are instructed to work their way to the DC via the aforementioned process of stealing credentials and expanding. Since the process seems to be largely manual, this allows Conti operators a level of discretion in choosing targets. Once the domain admin credentials are found, Conti operators will have gained access to a number of critical assets: 

  • Login logs for most of the network to analyze user behavior

  • DNS records for most of the domain, which can be used to infer usage

  • Password hashes

  • Focal points for lateral movement

This focus on the DC bolsters the idea that the network propagation phase is crucial to the attack. From the DC, the attackers can extract most (if not all) the credentials they need to access the entire network. Also, as more domain configuration is usually stored there, the attackers usually gain a lot of intel about the network itself and its crown jewels.

  • Interestingly, Conti discourages leaving backdoors and persistence on the DC, and instead encourages backdooring outward-facing servers since a DC is often much more heavily monitored. Although reaching the DC is pivotal to their success, it could also entirely thwart their efforts if detected.

Conti defines crown jewels as network file shares and other machines that hold data that can be exfiltrated. This data includes:

  • Emails, address lists, contact information

  • Databases

  • Source code

  • Accounting information

  • Design documents

  • Passwords/credentials for other networks

  • Digital wallets

To read more:

View all Pressemitteilungen | Press releases

Speakers 2022