Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.^[2][4]

Conti can useCreateIoCompletionPort(),PostQueuedCompletionStatus(), andGetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim.Conti can use "Windows Restart Manager" to ensure files are unlocked and open for encryption.^{[1][2][3][5][4]}

Conti has decrypted its payload using a hardcoded AES-256 key.^[1][2]

Conti can discover files on a local system.^[2]

Conti can delete Windows Volume Shadow Copies usingvssadmin.^[2]

Conti has used API calls during execution.^[1][2]

Conti can enumerate remote open SMB network shares usingNetShareEnum().^[2][5]

Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.^[2][1][5]

Conti can enumerate through all open processes to search for any that have the string "sql" in their process name.^[2]

Conti has loaded an encrypted DLL into memory and then executes it.^[1][2]

Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.^[1][2]

Conti has the ability to discover hosts on a target network.^[5]

Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use ofnet stop.^[2]

Conti can retrieve the ARP cache from the local system by using theGetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.^[2]

Conti can enumerate routine network connections from a compromised host.^[2]

Conti can spread itself by infecting other remote machines via network shared drives.^[1][2]

^[5][6][7]

^[4]