MITRE ATT&CK® Malware

S0575: Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[1][2][3]

Domain: Enterprise | ID: S0575 | Type: Malware | Object version: 2.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Conti matters because ATT&CK describes it as Windows ransomware-as-a-service associated with data theft, extortion pressure, and encryption for impact. For leaders, the decision is not simply to “detect Conti” but to validate whether the organization can see and contain the behaviors ATT&CK links to it: discovery of systems, shares, files, processes, and network connections; lateral movement over SMB/admin shares; service stopping; recovery inhibition; and data encryption.

Executive priority

Prioritize Conti as a resilience and incident-readiness scenario. The supplied ATT&CK context ties it to ransomware intrusions, major corporations and government agencies, deployment via TrickBot, and use in campaign C0015 with Bazar and Cobalt Strike. Executives should ask whether backups are recoverable, whether sensitive-file exposure can be investigated quickly, whether Windows lateral movement is constrained, and whether SOC/IR teams have evidence to reconstruct a 5-day ransomware intrusion pattern if needed.

Technical view

ATT&CK provides no official detection text for Conti, so defenders should validate coverage through the related behaviors rather than a single malware signature. On Windows, focus on command-shell execution, native API/process activity, DLL injection indicators, network and share discovery, file/directory enumeration, SMB/Windows admin share use, tainted shared content, service stop activity, recovery inhibition, and encryption-impact patterns. Relationship context to C0015 suggests detections should also be tested in intrusion chains involving other tooling, not only the final ransomware payload.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Parent/child process relationships around cmd.exe and administrative utilities
  • Windows service control events and service stop/disable activity
  • File creation, modification, rename, and high-volume encryption-like activity on local and shared storage
  • SMB, Windows admin share, and network share access logs

Detection direction

  • Do not rely on a Conti-specific alert alone; ATT&CK supplies no official detection guidance for this object.
  • Map detections to the related ATT&CK techniques: discovery, SMB/admin share lateral movement, stealth through obfuscation or DLL injection, command-shell/native API execution, service stopping, recovery inhibition, and data encryption for impact.
  • Tune for ransomware-stage clustering: rapid discovery plus share access plus service-stop or recovery-inhibition activity is more meaningful than any single administrative command.
  • Account for false positives from administrators, backup tools, software deployment, vulnerability scanners, and file indexing systems that may perform discovery or high-volume file access.
  • Validate file-server and endpoint visibility together; shared-content tainting, network share discovery, and SMB lateral movement can be missed if only workstation telemetry is reviewed.
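The clustering rule described above, written out as an added example (not part of the original page or of ATT&CK): it groups constructed endpoint process-creation events per host into a short time window and alerts only when discovery, share access, and service-stop or recovery-inhibition activity all appear together, so a lone administrative command never fires. The command-line markers, the 10-minute window, and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (host, UTC timestamp, command line).
# Illustrative records only, not telemetry from any real incident.
EVENTS = [
    ("WS-01", "2021-11-03T02:10:05", "cmd.exe /c net view /all"),
    ("WS-01", "2021-11-03T02:10:09", "cmd.exe /c arp -a"),
    ("WS-01", "2021-11-03T02:10:40", "cmd.exe /c net use \\\\FS-01\\C$ /persistent:no"),
    ("WS-01", "2021-11-03T02:11:15", 'net stop "SQLWriter" /y'),
    ("WS-01", "2021-11-03T02:11:20", "vssadmin delete shadows /all /quiet"),
    ("ADMIN-07", "2021-11-03T09:00:00", "net stop Spooler"),  # single admin action
    ("ADMIN-07", "2021-11-03T15:30:00", "net view /all"),     # hours later, unrelated
]

# Assumed lowercase command-line fragments per ATT&CK-mapped stage; a real
# deployment would key these to the organisation's own telemetry fields.
STAGE_MARKERS = {
    "discovery": ("net view", "arp -a"),             # T1135 / T1016 analogues
    "share_access": ("net use", "\\\\"),             # T1021.002: UNC path or mapping
    "service_stop": ("net stop",),                   # T1489
    "recovery_inhibit": ("vssadmin delete shadows",),  # T1490
}
WINDOW = timedelta(minutes=10)  # assumed clustering window

def classify(cmd):
    """Return the set of stage labels a single command line matches."""
    low = cmd.lower()
    return {stage for stage, markers in STAGE_MARKERS.items()
            if any(m in low for m in markers)}

def cluster_alerts(events, window=WINDOW):
    """Alert once per host when discovery AND share access AND (service stop
    OR recovery inhibition) all occur within `window` seconds of each other."""
    by_host = defaultdict(list)
    for host, ts, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), classify(cmd)))
    alerts = []
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(rows):
            seen = set()
            for t, stages in rows[i:]:
                if t - start > window:
                    break
                seen |= stages
            if {"discovery", "share_access"} <= seen and seen & {"service_stop", "recovery_inhibit"}:
                alerts.append((host, start.isoformat(), sorted(seen)))
                break  # one alert per host is enough to open triage
    return alerts

if __name__ == "__main__":
    print(cluster_alerts(EVENTS))
```

Only WS-01 produces an alert; ADMIN-07's isolated `net stop` and later `net view` stay below the rule, which is the false-positive behaviour the bullet list calls for.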

Mitigation priorities

  • Confirm offline or otherwise resilient backups and test restoration procedures before relying on them as ransomware mitigation.
  • Restrict and monitor SMB/admin share usage, especially where valid accounts can access many Windows systems.
  • Reduce unnecessary shared-write locations and monitor changes to shared content that could support lateral movement.
  • Harden identity and privilege paths used for remote administration; Conti-related techniques depend heavily on discovery and movement through accessible systems and shares.
  • Protect recovery mechanisms from routine administrative compromise, including controls around backup catalogs, recovery services, and shadow copy management where applicable.

Analyst notes and limits

This take is based on the supplied ATT&CK S0575 object, its external references, and relationships. ATT&CK describes Conti as RaaS first observed in December 2019, deployed via TrickBot, used against major corporations and government agencies particularly in North America, and associated with theft of sensitive files plus ransom publication threats. ATT&CK also links the software to campaign C0015 and group G0102 Wizard Spider.

The official object does not provide detection text, aliases, labels, or object-level tactics. Platform support for the malware object is Windows, although several related techniques list broader platforms. Local validation is required to determine actual exposure, telemetry quality, control coverage, and whether any Conti-related activity exists in a specific environment.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name
  Relationship / procedure [citations]

Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique)
  Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. [Cybereason Conti Jan 2021; CarbonBlack Conti July 2020]

Enterprise | T1135 | Network Share Discovery
  Conti can enumerate remote open SMB network shares using NetShareEnum(). [CarbonBlack Conti July 2020; CrowdStrike Wizard Spider October 2020]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  Conti has decrypted its payload using a hardcoded AES-256 key. [Cybereason Conti Jan 2021; CarbonBlack Conti July 2020]

Enterprise | T1489 | Service Stop
  Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. [CarbonBlack Conti July 2020]

Enterprise | T1083 | File and Directory Discovery
  Conti can discover files on a local system. [CarbonBlack Conti July 2020]

Enterprise | T1016 | System Network Configuration Discovery
  Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure the IP addresses it connects to are for local, non-Internet systems. [CarbonBlack Conti July 2020]

Enterprise | T1486 | Data Encrypted for Impact
  Conti can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti can use “Windows Restart Manager” to ensure files are unlocked and open for encryption. [Cybereason Conti Jan 2021; CarbonBlack Conti July 2020; Cybleinc Conti January 2020; CrowdStrike Wizard Spider October 2020; DFIR Conti Bazar Nov 2021]

Enterprise | T1018 | Remote System Discovery
  Conti has the ability to discover hosts on a target network. [CrowdStrike Wizard Spider October 2020]

Enterprise | T1027 | Obfuscated Files or Information
  Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls. [CarbonBlack Conti July 2020; Cybereason Conti Jan 2021; CrowdStrike Wizard Spider October 2020]

Enterprise | T1490 | Inhibit System Recovery
  Conti can delete Windows Volume Shadow Copies using vssadmin. [CarbonBlack Conti July 2020]

Enterprise | T1049 | System Network Connections Discovery
  Conti can enumerate routine network connections from a compromised host. [CarbonBlack Conti July 2020]

Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique)
  Conti has loaded an encrypted DLL into memory and then executed it. [Cybereason Conti Jan 2021; CarbonBlack Conti July 2020]

Enterprise | T1080 | Taint Shared Content
  Conti can spread itself by infecting other remote machines via network shared drives. [Cybereason Conti Jan 2021; CarbonBlack Conti July 2020]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  Conti can utilize command line options to allow an attacker control over how it scans and encrypts files. [CarbonBlack Conti July 2020; DFIR Conti Bazar Nov 2021]

Enterprise | T1057 | Process Discovery
  Conti can enumerate through all open processes to search for any that have the string “sql” in their process name. [CarbonBlack Conti July 2020]

Enterprise | T1106 | Native API
  Conti has used API calls during execution. [Cybereason Conti Jan 2021; CarbonBlack Conti July 2020]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

Campaign Enterprise

C0015: C0015

C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5-day period. Security researchers assessed that the actors likely used the widely circulated Conti ransomware playbook, based on the observed pattern of activity and operator errors.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources updates page.

ATT&CK release: 19.1
Object version: 2.2
Created:
Modified:
Raw hash: 2179a763927663ae...

Imported snapshots across ATT&CK releases (1):
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.2 | | Current bundle | 2179a7639276…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Cybereason Conti Jan 2021: Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  2. CarbonBlack Conti July 2020: Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  3. Cybleinc Conti January 2020: Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021.
  4. Conti (name record): cites CarbonBlack Conti July 2020 and Cybereason Conti Jan 2021.
  5. mitre-attack S0575: the MITRE ATT&CK software entry for this object.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.