AA21-265A Conti Ransomware
Indicators
This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in Joint Cybersecurity Advisory AA21-265A Conti Ransomware.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
Conti cyber threat actors remain active, and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1000. Notable attack vectors include Trickbot and Cobalt Strike. While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA, FBI, NSA, and the United States Secret Service (USSS) encourage organizations to review this advisory and apply the recommended mitigations.
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2022-03-08T00:00:00Z
T1078 - Valid Accounts - Initial Access
T1566.001 - Phishing: Spearphishing Attachment - Initial Access
T1566.002 - Phishing: Spearphishing Link - Initial Access
T1059 - Command and Scripting Interpreter - Execution
T1059.003 - Command and Scripting Interpreter: Windows Command Shell - Execution
T1106 - Native API - Execution
T1078 - Valid Accounts - Persistence
T1133 - External Remote Services - Persistence
T1027 - Obfuscated Files or Information - Defense Evasion
T1140 - Deobfuscate/Decode Files or Information - Defense Evasion
T1110 - Brute Force - Credential Access
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting - Credential Access
T1016 - System Network Configuration Discovery - Discovery
T1049 - System Network Connections Discovery - Discovery
T1057 - Process Discovery - Discovery
T1083 - File and Directory Discovery - Discovery
T1135 - Network Share Discovery - Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares - Lateral Movement
T1080 - Taint Shared Content - Lateral Movement
T1486 - Data Encrypted for Impact - Impact
T1489 - Service Stop - Impact
T1490 - Inhibit System Recovery - Impact