{
	"id": "3937cf40-8afb-481d-8c8d-ad91bab90ae4",
	"created_at": "2026-04-06T00:13:44.997912Z",
	"updated_at": "2026-04-10T03:36:11.28783Z",
	"deleted_at": null,
	"sha1_hash": "a46d24f3fa90f5a89ab4e64e1c33ee55f579067a",
	"title": "Conti Ransomware Nets at Least $25.5 Million in Four Months",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75832,
	"plain_text": "Conti Ransomware Nets at Least $25.5 Million in Four Months\r\nBy Elliptic\r\nArchived: 2026-04-05 22:46:58 UTC\r\nElliptic’s analysis of newly uncovered ransomware transactions has revealed that Conti’s illicit activities have netted the group at least $25.5 million since July 2021, including one ransom payment of over $7 million in November 2021.\r\nIn a collaboration with the threat intelligence company Prodaft, Elliptic has analysed Bitcoin addresses connected to 14 ransomware attacks conducted by Conti between July 1st and November 5th 2021. These addresses were identified by Prodaft after they gained access to Conti’s management admin portal.\r\nConti ransomware was first observed in 2020 and is believed to be the successor to Ryuk, which has been active since 2018. Both Conti and Ryuk are operated by the Russian cybercrime group Wizard Spider.\r\nConti has attacked numerous high-profile victims, including the Japanese electronics supplier JVCKenwood and the London-based high-society jeweller Graff. In September 2021, Prodaft’s threat intelligence team observed a surge of ransomware attacks attributable to Conti, which is currently one of the most active ransomware strains.\r\nOf the 14 attacks analysed by Elliptic, 50% resulted in a payment to Conti, though the group’s overall success rate is likely to be considerably lower: over the same period, Conti’s public leak site listed more than 130 victims, so the 14 attacks visible in the admin portal are a small and probably unrepresentative sample.\r\nConti uses the Ransomware-as-a-Service (RaaS) model. RaaS Bitcoin transactions characteristically split, because the proceeds of each ransom payment are distributed between the ransomware operator and the affiliate that infected the victim, with the exact percentage split differing between RaaS groups. In most instances the affiliate is awarded the majority of the ransom payment, with the ransomware operator taking the smaller percentage.
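The split pattern described above, as an added illustration that is not part of Elliptic’s post or of Elliptic’s or Prodaft’s tooling: a small Python script that scans constructed transactions for an output equal to a fixed fraction of an (operator, affiliate) output pair, then groups those outputs by receiving address to surface a consolidation-cluster candidate of the kind the analysis attributes to the Conti operator. The candidate share ratios (0.225 is the Conti operator share reported in the post, the others are hypothetical), the tolerance, and the sample transactions and placeholder addresses are all assumptions made for the example.

```python
from collections import defaultdict
from itertools import permutations

# Added example, not Elliptic's or Prodaft's code. It demonstrates the RaaS
# split heuristic described in the post: a ransom payment is divided between
# operator and affiliate at a fixed ratio, so the operator share shows up as an
# output that is a fixed fraction of the (operator, affiliate) output pair.
# Candidate ratios are an assumption: 0.225 is the Conti operator share the
# post reports, the others are hypothetical placeholders.
CANDIDATE_SHARES = (0.20, 0.225, 0.25, 0.30)
TOLERANCE = 0.01  # assumption: +/- 1 percentage point to absorb fee rounding

# Constructed sample transactions in satoshis (1 BTC = 100_000_000 sat).
# Made up for this example; the addresses are placeholders, not real ones.
SAMPLE_TXS = [
    {'txid': 'tx1', 'outputs': [('addr_operator', 225_000_000),
                                ('addr_affiliate_a', 774_990_000)]},
    {'txid': 'tx2', 'outputs': [('addr_affiliate_b', 3_099_980_000),
                                ('addr_operator', 900_000_000)]},
    {'txid': 'tx3', 'outputs': [('addr_affiliate_c', 500_000_000)]},
    {'txid': 'tx4', 'outputs': [('addr_x', 400_000_000),
                                ('addr_y', 400_000_000)]},
    {'txid': 'tx5', 'outputs': [('addr_operator_2', 100_000_000),
                                ('addr_affiliate_c', 300_000_000),
                                ('addr_change', 50_000_000)]},
]


def nearest_share(ratio):
    '''Return the candidate share nearest to ratio if within TOLERANCE, else None.'''
    best = min(CANDIDATE_SHARES, key=lambda s: abs(s - ratio))
    return best if abs(best - ratio) <= TOLERANCE else None


def flag_operator_shares(txs):
    '''Flag outputs that look like the operator share of a RaaS split.

    For every ordered pair of distinct outputs (a, b) in a transaction, a is
    flagged when a / (a + b) is within TOLERANCE of a candidate share; b is the
    presumed affiliate share. Single-output and even-split transactions yield
    nothing. Returns one dict per flagged output.'''
    flags = []
    for tx in txs:
        for (addr_a, val_a), (addr_b, val_b) in permutations(tx['outputs'], 2):
            if val_a + val_b == 0:
                continue
            share = nearest_share(val_a / (val_a + val_b))
            if share is not None:
                flags.append({'txid': tx['txid'], 'address': addr_a,
                              'value_sat': val_a, 'share': share,
                              'counterpart': addr_b})
    return flags


def consolidation_clusters(flags, min_payments=2):
    '''Group flagged operator outputs by receiving address.

    An address that receives the operator-share output of several distinct
    payments is a consolidation-cluster candidate, the pattern the post
    describes for the Conti operator. Returns {address: summary} for addresses
    seen in at least min_payments distinct transactions.'''
    by_addr = defaultdict(lambda: {'txids': set(), 'total_sat': 0})
    for f in flags:
        entry = by_addr[f['address']]
        if f['txid'] not in entry['txids']:
            entry['txids'].add(f['txid'])
            entry['total_sat'] += f['value_sat']
    return {addr: {'payments': len(e['txids']),
                   'total_sat': e['total_sat'],
                   'txids': sorted(e['txids'])}
            for addr, e in by_addr.items() if len(e['txids']) >= min_payments}


if __name__ == '__main__':
    found = flag_operator_shares(SAMPLE_TXS)
    for f in found:
        print(f['txid'], f['address'], f['value_sat'], f['share'])
    for addr, info in consolidation_clusters(found).items():
        print('cluster candidate:', addr, info)
```

Run stand-alone, the script flags the two 22.5% outputs (tx1 and tx2) and the 25% output in tx5, and reports addr_operator as the only address collecting an operator-sized share from two distinct payments. The single-output transaction (tx3) and the even split (tx4) produce no flags, which is the point of pairing outputs rather than flagging any output above a threshold. A ratio match is one signal among several; on real chain data it should be combined with timing, input clustering and the counterpart addresses before any attribution is made.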
\r\nAnalysing the ransom payment addresses identified by Prodaft led to the identification of a consolidation cluster which has received a 22.5% split of several of the ransom payments, believed to represent the operator’s share. In total, Conti received at least $25.5 million (more than 500 BTC) in ransom payments since July 2021, $6.2 million of which was kept by the Conti operator.\r\nhttps://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months\r\nPage 1 of 3\n\nIMG 1: Screenshot from Elliptic’s cryptocurrency investigations software, Forensics — showing the destination of the Conti operator’s share of the ransom payments.\r\nApart from one outgoing payment of 0.07 Bitcoin sent from the consolidation cluster to a prominent exchange in August 2021, the Conti operator has not sent any of the Bitcoin in this wallet to services such as exchanges where the proceeds could be cashed out. Blockchain records indicate that the remaining 123.06 Bitcoin is currently held in an unhosted wallet.\r\nElliptic also tracked the ransomware proceeds received by Conti affiliates. One identified wallet has received payments from both Conti and DarkSide, which may indicate that an individual has worked as an affiliate for both of these groups.\r\nConti affiliates appear to conduct a sophisticated money laundering operation, avoiding obvious consolidation of funds. Despite this, Elliptic has identified affiliate funds being sent to exchanges, coin swaps, privacy-enhancing wallets including Wasabi, and the Russian-language darknet market Hydra.\r\nThe Importance of Countering Ransomware Groups and How Elliptic Can Help\r\nCountering ransomware has become a top priority for the world’s largest financial jurisdictions, with the United States’ OFAC recently imposing sanctions on two cryptocurrency exchanges believed to be laundering ransomware proceeds. The latest, against Latvia-based Chatex, coincided with an international law enforcement operation against REvil, another ransomware group.\r\nVirtual asset service providers (VASPs) and financial institutions have a legal and financial responsibility to ensure that they have effective transaction screening tools in place to prevent the facilitation of ransomware-related money laundering. Any attempt by Conti operators or affiliates to cash out presents a risk to VASPs.\r\nAt Elliptic, we provide blockchain analytics solutions to assist regulated cryptoasset businesses and financial institutions in preventing exposure to illicit actors such as ransomware groups.\r\nElliptic’s clients can visualise and investigate wallets and transactions, including ransomware payments, using Elliptic Forensics, in order to ‘follow the money’ to its ultimate source or destination. Elliptic Lens and Navigator allow you to screen wallets and transactions to ensure you remain compliant with a regulatory landscape that is becoming increasingly concerned with ransomware.\r\nContact us for a demo and to learn more about how Elliptic’s industry-leading blockchain analytics solutions can enable you to address the dual challenges of sanctions and ransomware.\r\nSource: https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months"
	],
	"report_names": [
		"conti-ransomware-nets-at-least-25.5-million-in-four-months"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a46d24f3fa90f5a89ab4e64e1c33ee55f579067a.pdf",
		"text": "https://archive.orkl.eu/a46d24f3fa90f5a89ab4e64e1c33ee55f579067a.txt",
		"img": "https://archive.orkl.eu/a46d24f3fa90f5a89ab4e64e1c33ee55f579067a.jpg"
	}
}