{
	"id": "f2c96ae5-a0b6-4c6c-bb31-07af092e38a2",
	"created_at": "2026-05-01T03:10:42.359095Z",
	"updated_at": "2026-05-01T03:10:50.797063Z",
	"deleted_at": null,
	"sha1_hash": "a3f91b7d7f0fed6afba6ee427471f16da9d8a94c",
	"title": "Ransomware gang Conti published data of 850 companies | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 368535,
	"plain_text": "Ransomware gang Conti published data of 850 companies | Group-IB\r\nArchived: 2026-05-01 02:36:05 UTC\r\nGroup-IB, one of the global leaders in cybersecurity and headquartered in Singapore, has today presented its\r\nfindings about ARMattack, one of the shortest yet most successful campaigns by the Russian-speaking\r\nransomware gang Conti. In slightly more than a month, the notorious ransomware collective compromised more\r\nthan 40 companies worldwide. The fastest attack took only three days according to Group-IB’s report “CONTI\r\nARMADA: ARMATTACK CAMPAIGN”. In two years, the ransomware operators attacked more than 850\r\nvictims including corporations, government agencies, and even a whole country. The research dives deep into the\r\nhistory and major milestones of one of the most aggressive and organized ransomware operations.\r\nDouble hit\r\nConti is considered one of the most successful ransomware groups. The gang’s existence first came to light\r\nin February 2020, when malicious files with the extension “.conti” appeared on the radar of Group-IB researchers.\r\nHowever, the initial test versions of the malware date back to November 2019.\r\nSince 2020, Conti has been dominating the ransomware scene alongside Maze and Egregor in terms of the number\r\nof companies whose data has been encrypted. In 2020, Conti published data belonging to 173 victims on their\r\ndedicated leak site (DLS). By the end of 2021, Conti came out on top as one of the largest and most aggressive\r\ngroups, having published data belonging to 530 companies on its DLS. In just four months in 2022, the group\r\nposted information belonging to 156 companies, making for a total of 859 DLS victims in two years, including\r\n46 in April 2022. The actual number of victims is believed to be significantly higher.\r\nhttps://www.group-ib.com/media/conti-armada-report/\r\nPage 1 of 5\n\nOn a roll\r\nConti and their affiliates attack often and quickly. 
Group-IB experts analyzed one of the group’s lightning-fast and\r\nmost productive campaigns, codenamed “ARMattack”. The campaign lasted only about a month (from November\r\n17 to December 20, 2021), but it turned out to be extremely effective. The attackers compromised more than\r\n40 organizations worldwide. Most attacks were carried out in the US (37%), but the campaign also surged through\r\nEurope, with victims in Germany (3%), Switzerland (2%), the Netherlands, Spain, France, the Czech Republic,\r\nSweden, and Denmark (1% each). The group also attacked organizations in the UAE (2%) and India (1%).\r\nHistorically, the top five industries most frequently targeted by Conti are manufacturing (14%), real estate\r\n(11.1%), logistics (8.2%), professional services (7.1%), and trade (5.5%). After gaining access to a company’s\r\ninfrastructure, the threat actors exfiltrate specific documents (most often to determine what organization they are\r\ndealing with) and look for files containing passwords (both plaintext and encrypted). Lastly, after acquiring all the\r\nnecessary privileges and gaining access to all the devices they are interested in, the hackers deploy ransomware\r\nto all the devices and run it.\r\nAccording to the Group-IB Threat Intelligence team, the gang’s fastest attack was carried out in exactly three\r\ndays, from initial access to data encryption. For the first time, Group-IB analyzed Conti’s “working hours”. Most\r\nlikely, the group members are located in different time zones; however, the schedule shows their high efficiency:\r\non average, Conti “works” 14 hours a day without holidays (except for “New Year holidays”) and weekends. The\r\ngroup starts working closer to noon (GMT+3) and its activity declines only after 9:00 PM.\r\nThe geography of Conti’s attacks is vast but does not include Russia. The group clearly adheres to the unspoken\r\nrule among Russian-speaking cybercriminals: do not attack Russian companies. 
Most attacks occur in the United\r\nStates (58.4%), followed by Canada (7%), the United Kingdom (6.6%), Germany (5.8%), France (3.9%), and Italy\r\n(3.1%).\r\nAnother reason behind not targeting Russian companies is that key Conti members refer to themselves\r\nas “patriots”. This fact was the cause of an “internal conflict” in the group in February 2022, which resulted\r\nin some of Conti’s valuable information being leaked online. The published data included private chat logs, the\r\nservers they use, a list of victims, and details of Bitcoin wallets, which stored over 65,000 BTC in total. The\r\nleaked chats revealed that the group had faced serious financial difficulties and that their boss had gone off the\r\nradar. Yet its members were fully prepared to restart the project after 2 to 3 months.\r\nDespite the “stab in the back” and increased attention from law enforcement, Conti’s appetites continued\r\nto increase. They attacked not only large companies, but entire countries as well. Conti’s “cyber war” against\r\nCosta Rica in April 2022 led to a state of emergency being declared.\r\nIncentive program\r\nConti has worked closely with other ransomware operators such as Ryuk, Netwalker, LockBit, and Maze. They\r\neven tested Maze’s ransomware, reverse-engineered it, and thereby significantly improved their own. An analysis\r\nof the ARMattack campaign revealed that the group’s arsenal included not only previously described Windows\r\ntools, but also Linux ransomware: Conti and Hive.\r\nThat said, the group tends to create unique tools without reusing code snippets. This way, when compared, the\r\ncode for their tools will not help identify common patterns. Before the chat logs were leaked, cybersecurity\r\nresearchers could only assume that some RaaS (Ransomware-as-a-service) affiliate programs were in fact Conti\r\ndivisions. At the same time, the interaction was extensive. 
Sometimes Conti used network access from other initial\r\naccess brokers, other times the gang shared their own access for a modest 20% of the revenue.\r\nJust like a legitimate IT business, Conti has its own HR, R\u0026D, and OSINT departments. There are team leads,\r\nregular salary payments, and an incentive program.\r\nOne of Conti’s distinctive features is using new vulnerabilities, which helps the group gain initial access. For\r\ninstance, Conti was seen exploiting the recent CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105\r\nvulnerabilities in the log4j module. Less than a week later, Conti exploited these vulnerabilities to attack vCenter\r\nservers. The leaked chat logs also showed that the group monitors fresh vulnerabilities carefully. One of the tasks\r\nfrom Conti’s CEO to the technical team was to monitor Windows updates and analyze changes made with new\r\npatches — which once again highlights the need to install updates as soon as possible. In addition, the Conti crew\r\nincludes specialists with experience in discovering zero-days.\r\nConti’s increased activity and the data leak suggest that ransomware is no longer a game between average\r\nmalware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with\r\nvarious specializations. In this industry, Conti is a notorious player that has in fact created an “IT company” whose\r\ngoal is to extort large sums. It is difficult to predict what will happen to Conti in the future: whether it will\r\ncontinue working after a large-scale rebranding or be divided into smaller sub-projects. 
It is clear, however, that\r\nthe group will continue its operations, either on its own or with the help of its “subsidiary” projects.\r\nIvan Pisarev\r\nHead of Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence department\r\nAs always, Group-IB’s analytical report entitled “CONTI ARMADA: THE ARMATTACK CAMPAIGN”\r\nprovides companies and technical specialists with indicators of compromise and information about Conti’s\r\ntechniques, tactics and tools mapped to the MITRE ATT\u0026CK® matrix.\r\nAbout Group-IB\r\nEstablished in 2003, Group-IB is a leading creator of predictive cybersecurity technologies to investigate, prevent,\r\nand fight digital crime globally. Headquartered in Singapore, and with Digital Crime Resistance Centers in the\r\nAmericas, Europe, Middle East and Africa, Central Asia, and the Asia-Pacific, Group-IB delivers predictive,\r\nintelligence-driven defense by analysing and neutralizing regional and country-specific cyber threats via its\r\nUnified Risk Platform, offering unparalleled defense through its industry-leading Cyber Fraud Intelligence\r\nPlatform, Cloud Security Posture Management, Threat Intelligence, Fraud Protection, Digital Risk Protection,\r\nManaged Extended Detection and Response (XDR), Business Email Protection, and External Attack Surface\r\nManagement solutions, catering to government, retail, healthcare, gaming, financial sectors, and beyond. 
Group-IB collaborates with international law enforcement agencies like INTERPOL, Europol, and AFRIPOL to fortify\r\ncybersecurity worldwide, and has been awarded by advisory agencies including Datos Insights, Gartner, Forrester,\r\nFrost \u0026 Sullivan, and KuppingerCole.\r\nFor more information, visit us at www.group-ib.com or connect with us on LinkedIn, X, Facebook, and Instagram.\r\nDiscover our podcasts to hear from leading voices on Masked Actors and Fraud Intel, where top cybersecurity\r\nexperts share real-world experiences, emerging trends, and practical insights to help you stay one step ahead in the\r\nfight against cyber crime.\r\nSource: https://www.group-ib.com/media/conti-armada-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/media/conti-armada-report/"
	],
	"report_names": [
		"conti-armada-report"
	],
	"threat_actors": [],
	"ts_created_at": 1777605042,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3f91b7d7f0fed6afba6ee427471f16da9d8a94c.pdf",
		"text": "https://archive.orkl.eu/a3f91b7d7f0fed6afba6ee427471f16da9d8a94c.txt",
		"img": "https://archive.orkl.eu/a3f91b7d7f0fed6afba6ee427471f16da9d8a94c.jpg"
	}
}