{
	"id": "5da82a5a-1f57-479c-a879-fb6a3003b6db",
	"created_at": "2026-04-06T01:31:13.36896Z",
	"updated_at": "2026-04-10T13:11:30.457015Z",
	"deleted_at": null,
	"sha1_hash": "50a4aef9b090a320d4b866a781a8921ea975f66e",
	"title": "An Inside Look at the Conti Group | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1538571,
	"plain_text": "An Inside Look at the Conti Group | Deep Instinct\r\nPublished: 2023-12-12 · Archived: 2026-04-06 00:33:53 UTC\r\nRansomware is big business. In 2023, the average data breach cost organizations $4.45 million, while the average\r\nransomware attack cost $4.54 million. For threat actor groups, there’s profit to be made. The most successful\r\nransomware groups feature sophisticated operational structures, running like a business with HR, finance, and all\r\nthe support teams you’d find in a legitimate enterprise.\r\nOne of the most notable and well-documented threat groups is Conti, a Russian-affiliated organization formed in\r\nthe late 2010s. While just one of many active threat groups, it was unique in its size, success (some estimates peg\r\nits earnings in the billions), and structure.\r\nThe now famous Conti Leaks in February 2022, which came from disaffected Ukrainian affiliates following the\r\nRussian invasion of Ukraine, exposed its organizational structure and techniques and precipitated its demise.\r\nHow did the Conti group come to be, and what made it so successful? In this blog post, we’ll take a brief look\r\ninside Conti – who they are, how they started, their notable successes, and ultimately, how they dissolved.\r\nWho Was Conti?\r\nAlthough a direct link was never made explicit, Conti had clear ties to Russia. Group members corresponded in\r\nRussian and publicly supported Russian geopolitical interests, particularly after the initial invasion of Ukraine.\r\nAccording to the U.S. State Department, the group was responsible for more than a thousand attacks against\r\nU.S. and international critical infrastructure. It targeted organizations and governments across the globe,\r\nincluding the Taiwanese chip manufacturer Advantech, Scotland’s Environmental Protection Agency, and Bank\r\nIndonesia, among others.\r\nEarly builds of Conti were observed in late 2019. 
However, the first public report of Conti’s ransomware didn’t\r\nappear until mid-2020. The group was born from what most would consider a natural progression of the “big\r\ngame hunting” methodology of the “TrickBot group” (a.k.a. ITG23, WizardSpider, FIN12, GOLD\r\nBLACKBURN, and DEV-0193).\r\nhttps://www.deepinstinct.com/blog/an-inside-look-at-the-conti-group\r\nPage 1 of 4\r\nFigure 1 - Conti Timeline\r\nConti’s Tools and Techniques\r\nMost ransomware can be categorized as fully automated or semi-automated. Fully automated ransomware carries\r\nout the infection, lateral movement, encryption, and exfiltration autonomously. In contrast, semi-automated\r\nransomware requires an operator to carry out some of these steps using various tools. The Conti group belonged to\r\nthe latter category.\r\nConti’s operators most often gained access to a victim’s network after an initial infection by malware operated\r\nby other groups with “friendly” relations to Conti, such as TrickBot, BazarLoader, Emotet, and IcedID.\r\nConti’s operators would hunt for and prioritize targets with elevated privileges, such as IT staff, system\r\nadministrators, security professionals, or executives. Once a network was sufficiently compromised and access\r\nwas obtained, Conti operators would shift their focus to data collection and exfiltration. After exfiltrating the data,\r\nthe group delivered and executed its own malware, encrypting the victim’s network.\r\nLeaks That Led to Conti’s Eventual Downfall\r\nWhen the group publicly declared its support for Russia in its war with Ukraine in February 2022, its troubles\r\nbegan. Conti’s internal chat logs and source code were leaked by former Ukrainian affiliates after the outbreak of\r\nhostilities between the two countries.\r\nThe published documents shed light on Conti’s day-to-day operations. While most don’t think of a ransomware\r\nthreat group as a fully operating enterprise, that’s exactly what the Conti Leaks showed. 
Based on research from\r\nDeep Instinct, Conti featured a robust organizational structure, with approximately 80-105 employees across HR,\r\nFinance, Reverse Engineering, Research, and OSINT teams.\r\nThe average monthly salary was $1,800 to $2,500 USD. Overall spending amounted to $140,000 to $165,000 for\r\nsalaries and expenses per month, including transaction commissions and platform management (servers, proxy,\r\nrecruitment). The evidence even showed that Conti, despite massive revenues, still suffered from cash flow issues\r\nin the same way you might see in any small tech startup.\r\nNot only did the leaks reveal financials and team dynamics, but they also provided views into the group’s\r\n“operational philosophy,” including codified employee guides and working policies.\r\nPressure, Pursuit, and Breakup\r\nDespite the leaks, Conti continued to orchestrate “numerous high-profile, high-impact incidents” after the onset of\r\nthe Russia-Ukraine war. Unfortunately for Conti, the leaks put a target on its back and galvanized global law\r\nenforcement agencies to hunt its members.\r\nConti’s attack against the Costa Rican government in April 2022 was the tipping point. This attack, which\r\noccurred roughly two weeks after a change of leadership, crippled Costa Rica’s government and forced it to\r\ndeclare a state of emergency.\r\nOn August 11th, 2022, the U.S. State Department announced it had issued a $10 million USD reward for\r\ninformation that could lead to the identification of five key Conti members and their whereabouts.\r\nWith the February 2022 leak of internal chats and malware source code, the high-profile attack on the government\r\nof Costa Rica, and the considerable “bounty” on their heads from law enforcement, the group’s leaders declared\r\ntheir “brand” had become “toxic” and ceased operations. 
\r\nThe Lessons from Conti\r\nWhile Conti has disbanded, the bad actors and operators behind the group remain as active as ever, using\r\nincreasingly sophisticated tools and techniques to attack vulnerable targets. Many of the group’s former leaders\r\nand affiliates set up operations under new monikers, including HIVE, BlackBasta, BlackByte, AlphV/BlackCat,\r\nAvosLocker, Quantum, and Zeon/Royal Ransomware.\r\nAs they find success, their newly formed threat groups will grow, likely with improvements to their own security\r\npolicies to prevent future leaks and stay under the radar of law enforcement authorities around the world.\r\nAs long as there is money to be made, threat actors will continue to build sophisticated operational structures to\r\nmaximize profits. Competing threat groups have learned from Conti how to operate in an organized fashion, at\r\nscale, using its proven techniques and methodologies. The biggest lesson is clear: the next Conti is already out\r\nthere.\r\nWant to learn more about Conti, including member profiles and detailed internal chats? Check out our eBook,\r\nThreat Landscape Report Special Edition: Conti Group. In addition to an exploration of Conti’s rise and eventual\r\ndissolution, its key figures, and major attacks, the eBook examines the exact tools and techniques Conti used to\r\nfuel its rise.\r\nSource: https://www.deepinstinct.com/blog/an-inside-look-at-the-conti-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/an-inside-look-at-the-conti-group"
	],
	"report_names": [
		"an-inside-look-at-the-conti-group"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439073,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50a4aef9b090a320d4b866a781a8921ea975f66e.pdf",
		"text": "https://archive.orkl.eu/50a4aef9b090a320d4b866a781a8921ea975f66e.txt",
		"img": "https://archive.orkl.eu/50a4aef9b090a320d4b866a781a8921ea975f66e.jpg"
	}
}