Ransom:Win32/Conti.IPA!MTB - Windows Defender Threat Analysis

This is a concrete detection of Ransom:Win32/Conti.IPA, a highly dangerous variant of the notorious Conti ransomware family. It is designed to encrypt user and system files, potentially exfiltrate sensitive data for double extortion, and demand a ransom payment. The detection leverages machine learning behavioral analysis combined with a specific signature to identify this threat with low false positive risk.

No specific strings found for this threat

rule Ransom_Win32_Conti_IPA_2147811696_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win32/Conti.IPA!MTB"
        threat_id = "2147811696"
        type = "Ransom"
        platform = "Win32: Windows 32-bit platform"
        family = "Conti"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {0f b6 c0 2b c8 6b c1 ?? 99 f7 ff 8d 42 7f 99 f7 ff 88 94 35}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate any affected systems, remove the ransomware, and restore data from secure, untainted backups. Conduct a thorough forensic investigation to identify the initial compromise vector, reset all potentially compromised credentials, patch all systems for known vulnerabilities, and enhance security controls to prevent future infections.