{
	"id": "40965ae7-3468-4d1b-b083-1fb73c93bb13",
	"created_at": "2026-04-06T00:06:48.163262Z",
	"updated_at": "2026-04-10T13:12:24.585107Z",
	"deleted_at": null,
	"sha1_hash": "a29e11bbdd4cca2835a373f8fbeb139341e1f30b",
	"title": "Conti Ransomware: Inside One of the World’s Most Aggressive Ransomware Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69429,
	"plain_text": "Conti Ransomware: Inside One of the World’s Most Aggressive\r\nRansomware Groups\r\nBy Flashpoint Intel Team\r\nPublished: 2022-10-04 · Archived: 2026-04-05 21:47:18 UTC\r\nThe Conti ransomware group has become one of the most notorious cybercrime collectives in the world, known\r\nfor its aggressive tactics and large-scale attacks against a wide range of public and private organizations. Along\r\nwith other prominent ransomware groups, Conti has underlined the importance of preparing a strong response\r\nplan to mitigate the effects of what could be an incredibly damaging blow to a company’s assets, personnel, and\r\nreputation.\r\nBut while it maintains its place as one of the most prolific ransomware gangs to exist in the cyber threat\r\nlandscape, Conti has also gained a significant amount of attention in 2022 for activity related to potential internal\r\ndivisions. Leaked private chats between Conti members and a fracture of the group have left observers\r\nquestioning the future of the ransomers, prompting a look back on how it became such a fixture in the ransomware\r\nlandscape.\r\nUnderstanding this background is not only critical to your organization’s knowledge of Conti specifically, but also\r\ngives important context to ransomware threats as a whole. \r\nThe formation of Conti\r\nLed by Russia-based threat actors, the Conti ransomware variant was first observed in or around February 2020,\r\nand the collective quickly became one of the most active groups in the ransomware space. In August 2020, months\r\nafter its initial debut, the threat actors distributing Conti launched a data leaks site to post confidential documents\r\nobtained by attackers. 
By the end of 2020 the site had leaked the data of more than 150 companies, making them\r\nthe third most active ransomware leaker group that year, behind only “Maze” and “Egregor.”\r\nConti operates using a Ransomware-as-a-Service (RaaS) attack model, paying affiliates for successfully deploying\r\nthe malware into an organization’s system and opening the door for the primary threat actors to further exploit and\r\ncoerce the victim during the second stage of the attack. Their attack model and structure was exposed in August\r\n2021, when a former Conti affiliate leaked Conti training documents. The threat actor claimed that Conti exploits\r\ntheir affiliates for cheap labor, offering only a small share of the profits.\r\nAlthough not confirmed, there are several indications that the threat actors behind Conti also operate “Ryuk”\r\nransomware—a group of Russia-based threat actors frequently referred to as “Wizard Spider.” Security company\r\nCrowdStrike, which refers to the threat actors behind Ryuk as “Wizard Spider,” has stated that it “is clear that\r\nWIZARD SPIDER is now running multiple [Conti and Ryuk] ransomware operations.” Security researcher Brian\r\nhttps://flashpoint.io/blog/history-of-conti-ransomware/\r\nPage 1 of 6\n\nKrebs and news site BleepingComputer, among others, have also claimed that the two ransomware strains must be\r\noperated by the same group because of code reuse and other similarities in their operating structure. \r\nAlthough the similarities between the two ransomware strains are notable and the strains may well be run by the\r\nsame group, Flashpoint has not yet observed definitive proof of dual attribution.\r\nTactics, techniques, and procedures: A Conti attack in action\r\nAlthough Conti is officially considered a RaaS variant, it differs slightly in how it structures its model and the\r\npayment of its affiliates who are responsible for gaining access to a victim’s network. 
It is believed that rather than\r\ngiving these initial deployers a percentage of whatever ransom is taken from the victim, affiliates are paid a set\r\nwage. Once the affiliates have gained access, the ransomware operators move into the execution phase of the\r\nattack using techniques that have become notoriously aggressive.\r\nStage 1: Gaining access to the victim’s infrastructure\r\nSeveral methods to infiltrate a victim’s network have been observed in Conti attacks.\r\nSpearphishing campaigns target individual users with tailored emails that contain malware, either in\r\nmalicious links or malicious attachments which distribute the malware onto the victim’s device.\r\nAttachments, like documents, often also contain embedded scripts that download other malware, like\r\nTrickBot or Cobalt Strike, which are used in later stages of the attack and to assist with deeper network\r\ninfiltration. The eventual goal is to deploy Conti ransomware.\r\nRemote Desktop Protocol exploitation uses stolen or weak RDP credentials in order to directly gain\r\naccess to an organization’s device, giving the malware access to data and files it can encrypt.\r\nPurchasing access from “network access brokers” allows Conti ransomers to buy their way into a\r\nnetwork by paying other groups that have already obtained access in a previous breach or attack.\r\nStage 2: Lateral movement into the victim network\r\nOnce the initial malware has been deployed and the threat actors are in, the goal is to continue moving deeper into\r\nthe network in order to access more data and files, giving attackers better leverage against the victim\r\norganization. \r\nAlong with the malware that is downloaded onto a victim’s device, regardless of which technique is used during\r\nthe first stage, backdoor malware that connects the device to Conti’s command-and-control (C2) server is also\r\ndownloaded. 
Second-stage C2 malware and file encryption tools are downloaded and penetration tools like Cobalt\r\nStrike beacon and AdFind, a command line tool to query Active Directory, are employed remotely, spreading\r\nthrough the network. It is also possible for Conti to spread via Server Message Block (SMB), and SMB\r\nexploitation is one strategy used to encrypt data on other endpoints within the same network domain. \r\nAs it spreads, Conti detects security tools and will attempt to disable them in order to protect its malware, also\r\nscanning the environment it is in to determine if it is a sandbox environment used specifically for malware\r\nanalysis.\r\nThe threat actors also launch Kerberos attacks meant to obtain credentials and conduct brute force attacks, further\r\nescalating the access it has to a network and allowing for more lateral movement within the domain. They will\r\noften employ backdoors to allow them to re-enter at a later time and commit further espionage and monitor\r\nactivity. This may include monitoring email correspondence that gives information about how victims are\r\nplanning to address the attack, which gives them yet another advantage when it comes time to negotiate.\r\nStage 3: Encryption and deletion\r\nOnce attackers have located and compromised high-value data, it is exfiltrated to a server controlled by Conti, and\r\nmulti-threaded encryption is used to encrypt files quickly.\r\nOther components of Conti ransomware’s encryption method and overall design make it very difficult to detect an\r\nattack. 
Security programs that would normally be able to automatically detect an attack are no longer able to do\r\nso, and signs of infection are minimized so that days or weeks may go by before the encryption is organically\r\nnoticed by a user trying to access the affected data and files.\r\nStage 4: Exfiltration and extortion\r\nIt is standard for Conti attackers to delete file backups that might help victims lessen the damage done to their\r\nencrypted data. But before doing so, it is also common for these backups to be exfiltrated and saved for later,\r\nwhen they can be used as blackmail to threaten data leaks. As a result, victims are left with no quick way to\r\nrecover their lost files and are more likely to consider complying with demands to restore access.\r\nConti maintains a leak site that is used to publicly reveal stolen data and sensitive information about an\r\norganization, and regularly posts about its victims as part of its extortion process. In recent times, the group has\r\nused these data leaks as a way to prevent victims from sharing private negotiation chats between Conti and its\r\nvictim with any outside party. \r\nIt has stated that any victim who releases its private messages with the collective will have its opportunity to\r\nnegotiate terminated, and all stolen data will be leaked automatically. 
It has also announced that in the event a\r\nvictim chooses to release private chats after the attack has ended and its files have been deleted from Conti\r\nservers, Conti will choose another victim’s data to publish as a form of collective punishment.\r\nExcessive aggression towards victims\r\nWhile Conti ransomware sets itself apart with its advanced capabilities and technical specifications, the behavior\r\nof the people behind Conti is equally challenging for its victims to deal with.\r\nWhere most ransomware groups make an effort to provide good “customer service” and hold up their end of the\r\nnegotiation, Conti has been observed on multiple occasions to blatantly disregard promises made to victims and\r\nhurt them even if the victim agrees to pay. The group does not seem to care about its reputation, meaning that\r\nvictims of a Conti attack must consider the possibility that compliance may still result in leaked data or files to\r\nremain encrypted.\r\nNotable Conti attacks\r\nConti has had hundreds of victims, and some have gained particularly significant widespread attention because of\r\nthe tactics used or the scale of the attack.\r\nJVCKenwood\r\nIn September 2021, Conti targeted the Japanese electronics manufacturer JVCKenwood. 
The company, which is\r\nheadquartered in Yokohama, Japan and is known internationally for its car and home electronics, was demanded to\r\npay $7 million for the return of approximately 1.7 terabytes of stolen and encrypted data.\r\nDuring the attack, private chats between Conti and JVCKenwood were leaked to journalists, prompting Conti\r\nmembers to cease negotiations and leak the stolen data as a warning to future victims against publicizing\r\ncommunications with the ransomware group.\r\nIreland’s Health Service\r\nIn May 2021, Ireland’s Health Service was forced to shut down its IT systems after Conti attacked the nation’s\r\npublic healthcare system. The shutdown wreaked havoc on the entire healthcare infrastructure, limiting access to\r\nmedical and diagnostics records and slowing response times.\r\nConti alleged that members had network access for two weeks, gathering 700GB of unencrypted data including\r\nconfidential patient information and financial statements. The group asked for a ransom of $19,999,000 in order to\r\nprovide a decryptor and delete the stolen data.\r\nCosta Rican Government\r\nIn April 2022, Conti attacked the Costa Rican government’s network, prompting officials to declare a national\r\nemergency on May 8. The breach spread to multiple government bodies, taking 27 government agencies offline\r\nfor an extended period of time, and certain branches were unable to resume operations until early June. \r\nConti initially asked for a payment of $10 million, but increased its asking price to $20 million after the\r\ngovernment refused to cooperate with the group’s demands. \r\nShortly after the attack, Conti took part of its operation offline and announced that the Conti brand was over,\r\nsignaling the beginning of the end for this famous ransomware strain as the world knew it. 
There is speculation\r\nthat this final Conti attack against the Costa Rican government was in part a tactic to take attention away from the\r\ngradual shutdown of its operations.\r\nThe death of the Conti brand\r\nThe Russia-Ukraine war has played a major role in Conti members taking the ransomware group offline, though it\r\nis unclear if the war was the direct cause or simply a contributing factor. Signs of its impact began soon after the\r\nwar officially began in February 2022. \r\nOn February 25, one day after Russia’s invasion of Ukraine started, Conti released a statement of pro-Russia\r\nsupport that proved to be unpopular with members and the outside world alike. “Conti” announced “full support”\r\nto the Russian government and added that cyberattacks or any kind of “war activities” would result in retaliation,\r\nincluding threats to critical infrastructure. The collective did not specify where the retaliation would be targeted.\r\nA dying business\r\nThis declaration of support and the group’s threat to essentially act on Russia’s behalf made the group untouchable\r\nto most would-be victim companies, with almost no payments made to the group in the months after its pledge of\r\nRussian allegiance. \r\nWhile potential payment to any ransomware group should be discussed with law enforcement to ensure it is\r\nlegally permissible, Conti positioning itself as an extension of Russia made financial support to the group\r\nespecially toxic. This cut off a significant portion of the group’s income, damaging its ability to operate.\r\nAn insider scorned\r\nJust four days after the official start of the Russia-Ukraine war, and in the wake of Conti’s announcement of its\r\nsupport for Russia, an insider leaked tens of thousands of internal chat logs to the public. 
Documents revealed the\r\ngroup’s size, its day-to-day activities, and how this cybercrime “company” was structured, showing that, in many\r\nways, Conti operated as any normal business would.\r\nChats about salary structures and HR recruitment procedures divulged that the group used legitimate Russian\r\nheadhunters to find new employees, and that performance reviews, training opportunities, and an “employee of the\r\nmonth” program were all part of the deal when working for Conti. Perhaps most surprisingly, there was evidence\r\nthat some employees were unaware that they were working for cybercriminals at all—instead, they were told that\r\nit was an ad company, or that they were creating penetration testing software and needed professionals who were\r\nable to work discreetly. If one of these unknowing employees learned who they were actually working for, they\r\nwere offered a bonus to stay and keep silent.\r\nThe leak also included the source code of Conti ransomware, possibly the most damaging part of this leak for the\r\ngroup. The whistleblower’s final message via their anonymous Twitter account was a message of support for\r\nUkraine, confirming that the leak stemmed from internal political disagreements.\r\nThere are indications from the chats that the end was near for Conti even before this leak put the final nail in the\r\ncoffin. Records show that salary payments stopped in January 2022, and some users that were significant to the\r\noperation became inactive. Activity on the Conti blog did eventually resume, so it is likely that these users moved\r\nto a new chat after the leak.\r\nThe hunt for Conti\r\nSince then, the U.S. Department of State’s Transnational Organized Crime Rewards Program has put out a reward\r\noffering of $10 million USD for information leading to the identification of key members of the Conti group. 
This\r\nnotice is separate from events related to the group’s activity during the Russia-Ukraine war, and specifically\r\nmentions the group’s attack against Costa Rica, which wreaked havoc on the country’s foreign trade.\r\nThe future of Conti\r\nAt this point, it is unclear whether Conti is truly gone, or if the group (or certain members) are simply taking the\r\ntime to restructure and make a comeback in the future. There is doubt from many that Conti will stay closed\r\nforever, in part because of how sophisticated its technology was and how established it became. \r\nIt is possible that Conti will not return by name, but instead rebrand itself. For now, the group has stayed mostly\r\nsilent.\r\nA possible successor?\r\nThe world of ransomware is guarded by a revolving door, which means that when one group exits, a new one is\r\nnever far behind. First discovered in July 2021, Diavol ransomware has been observed to use some of the same\r\nattack components as Conti. With Conti now potentially out of the ransomware race, this begs the question of\r\nwhether Diavol could become the next notorious ransomware operation.\r\nIn October 2021 the FBI officially linked Diavol to WizardSpider, the malware developer also suspected to be\r\nbehind Conti. Although the relationship between WizardSpider and Conti is still unconfirmed by Flashpoint, this\r\npossible connection further solidifies the theory that Diavol may come more to the forefront as Conti takes a back\r\nseat.\r\nIdentify and mitigate cyber risks with Flashpoint\r\nNever miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by\r\nidentifying emerging vulnerabilities, security incidents, and ransomware attacks. 
Get a free trial today and see\r\nFlashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.\r\nSource: https://flashpoint.io/blog/history-of-conti-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://flashpoint.io/blog/history-of-conti-ransomware/"
	],
	"report_names": [
		"history-of-conti-ransomware"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434008,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a29e11bbdd4cca2835a373f8fbeb139341e1f30b.pdf",
		"text": "https://archive.orkl.eu/a29e11bbdd4cca2835a373f8fbeb139341e1f30b.txt",
		"img": "https://archive.orkl.eu/a29e11bbdd4cca2835a373f8fbeb139341e1f30b.jpg"
	}
}