# [HIGH] Ukrainian national pleads guilty to role in Conti ransomware operation **Source:** BleepingComputer **Published:** 2026-06-12 **Article:** https://www.bleepingcomputer.com/news/security/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation/ ## Threat Profile Ukrainian national pleads guilty to role in Conti ransomware operation By Lawrence Abrams June 12, 2026 01:54 PM 0 A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. The U.S. Department of Justice announced Thursday that 44-year-old Oleksii Oleksiyovych Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks conducted between 2021 and 2022. Ac… ## Indicators of Compromise (high-fidelity only) - _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run. ## MITRE ATT&CK Techniques - **T1486** — Data Encrypted for Impact - **T1003.001** — LSASS Memory - **T1003** — OS Credential Dumping - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Ransomware-style mass file rename / extension change `UC_RANSOM_ENCRYPT` · phase: **actions** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, dc(Filesystem.file_name) AS files from datamodel=Endpoint.Filesystem where Filesystem.action IN ("modified","renamed") by Filesystem.dest, Filesystem.user, _time span=1m | `drop_dm_object_name(Filesystem)` | where files > 200 | sort - files ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(1d) | where InitiatingProcessAccountName !endswith "$" | where ActionType in ("FileRenamed","FileModified") | summarize files = dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1m) | where files > 200 // empirical: > 200 unique-file renames in 1m by one account on one host // is well above the P99 of legitimate bulk-tooling | order by files desc ``` ### LSASS process access / dump (credential theft) `UC_LSASS` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*lsass*" OR Processes.process="*sekurlsa*" OR Processes.process="*MiniDump*" OR Processes.process="*comsvcs.dll*MiniDump*" OR Processes.process="*procdump*lsass*") OR (Processes.process_name="rundll32.exe" AND Processes.process="*comsvcs*MiniDump*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where ActionType == "OpenProcessApiCall" | where FileName =~ "lsass.exe" | where InitiatingProcessFileName !in~ ("MsSense.exe","MsMpEng.exe","csrss.exe", "svchost.exe","wininit.exe","services.exe", "lsm.exe","SearchProtocolHost.exe") | project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, AccountName | order by Timestamp desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ## Why this matters Severity classified as **HIGH** based on: 3 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.