Backup “Removal” Solutions - From Conti Ransomware With Love

Updated: Oct 8, 2021

By Vitali Kremez & Yelisey Boguslavskiy

This redacted report is based on our actual proactive victim breach intelligence and subsequent incident response (not a simulated or sandbox environment) identified via unique high-value Conti ransomware collections at AdvIntel via our product “Andariel.”

Key Takeaways

  • Backups are a major obstacle for any ransomware operation as they allow the victim to resume business by performing data recovery instead of paying ransom to the criminals.

  • Cyber groups specifically target backup solutions in order to ensure that the victim has no other option except for paying the ransom. Conti group is particularly methodical in developing and implementing backup removal techniques.

  • Conti’s tactics are based on utilizing the skills of their network intruders or “pentesters” in order to ensure to target on-premise and cloud backup solutions. Conti hunts for Veeam privileged users and services and leverages to access, exfiltrate, remove and encrypt backups to ensure ransomware breaches are un-”backupable”. This way, Conti simultaneously exfiltrated the data for further victim blackmailing, while leaving the victim with no chances to quickly recover their files as the backups are removed.

  • Maintaining developed protocols of access rights hierarchy, network security, and password hygiene, as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Conti successfully removing backups. Secure backup solutions and mitigations listed will enable any possible victims to leave Conti without their demanded ransom money.


Conti is a top-tier Russian-speaking ransomware group specializing in double extortion operations of simultaneous data encryption and data exfiltration. Though Conti does utilize the blackmailing aspect of data exfiltration, threatening the victims to publish stolen files, if the ransom is not paid, the main leverage in Conti negotiations is data encryption based on our deeper visibility.

According to AdvIntel sensitive source intelligence, Conti builds their negotiations strategies based on the premise that the majority of targets who pay the ransom are motivated primarily by the need to restore their data while preventing data publishing from being is their secondary goal. If the victim has the ability to restore the files via backups, the chances of successful ransom payment to Conti will be minimized, even despite the fact that the risk of data publishing persists.

As a result, in order to ensure payments, Conti became strategic in addressing this major obstacle and developed a methodology to remove backups in order to force ransomware payment.

Conti’s Holistic Vision for Attack Anatomy

Conti’s “backup removal solutions” begin on the team development level. While selecting network intruders for their divisions also known as “teams”, Conti is particularly clear that experience related to backup identification, localization, and deactivation is among their top priorities for a successful pentester. This backup focus implemented within the partnership-building process enables Conti to assemble teams, equipped with knowledge and skills aimed at backup removal.

The most novel tactics developed by such teams are centered around Veeam backup software. Veeam is a backup, recovery, and data management solutions platform for cloud, virtual, and physical environments.

Weaponized Creativity

Cobalt Strike via Corporation Breach Study

Routinely, Conti initiates their attacks via spam messages with direct Cobalt Strike beacon backdoor delivery. The targeted spam campaigns are meticulously designed on selective research of the prospective target, adverse media about them, their executives, and employees. These campaigns are set to ensure that the spam emails are being opened and Cobalt Strike beacons are executed.

Conti maintains their approach and attack methods during the next step of attack when they leverage the Atera module as well as Ngrok application to establish persistence. As previously reported by AdvIntel Conti is leveraging a legitimate remote management agent Atera to survive possible Cobalt Strike detections from the endpoint detection and response platform. Relying on the legitimate tool to achieve persistence is a core idea leverage by the ransomware pentesting team. The same can be applied to Ngrok, which Conti leverages in order to establish a tunnel to the localhost which will serve as a path for data exfiltration.

The data exfiltration itself is typically done via