{
	"id": "bfeccbac-c736-47a7-a3b9-1f66c68d5b6f",
	"created_at": "2026-04-06T00:15:15.710778Z",
	"updated_at": "2026-04-10T13:12:06.387225Z",
	"deleted_at": null,
	"sha1_hash": "a52fd1aced44125a8386f2577c71a86fdef52b8f",
	"title": "Conti vs. LockBit: A Comparative Analysis of Ransomware Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1461836,
	"plain_text": "Conti vs. LockBit: A Comparative Analysis of Ransomware Groups\r\nPublished: 2022-06-27 · Archived: 2026-04-05 18:14:59 UTC\r\nRansomware\r\nWe compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis\r\napproaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.\r\nBy: Shingo Matsugaya, Matsukawa Bakuei, Vladimir Kropotov Jun 27, 2022 Read time: 5 min (1450 words)\r\nTrend Micro has been monitoring the leak sites of multiple ransomware groups since November 2019 and\r\ncontinuously looking at the number and composition of organizations that have been victimized and whose\r\ninformation has been publicized by these groups. As a result of our research thus far, Continews article and\r\nLockBitnews article stand out in terms of their total numbers of affected organizations. Our goal with our research\r\nis to show how applying data analysis approaches to this data can give powerful understanding on the operations\r\nand perhaps even decision-making of these cybercriminals groups — a topic we will also be presenting on this\r\nweek at the 34th Annual FIRST Conference in Dublin, with colleagues from Waratah Analytics. While some\r\nreports indicate the Conti brand is now offline, its scale continues to make it an excellent case study for these\r\napproaches.\r\nWhen we rank the top 10 ransomware groups in terms of the number of organizations that had their data leaked\r\n(from November 2019 to March 2022), we see two clear leaders. In fact, Conti and Lockbit between them account\r\nfor almost 45% of all incidents.\r\nRank Ransomware group Victim count\r\n1 Conti 805\r\n2 Lockbit 666\r\n3 Maze 330\r\n4 REvil/Sodinokibi 309\r\n5 Pysa 307\r\n6 DoppelPaymer 206\r\n7 Egregor 197\r\n8 Avaddon 184\r\n9 NetWalker 178\r\n10 Clop 119\r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 1 of 7\n\nTable 1. The top 10 ransomware groups in terms of the number of victimized organizations from November 2019\r\nto March 2022\r\nHere, by comparative analysis of the characteristics of the organizations victimized by these two major\r\nransomware groups, we clarify their differences in attack tendencies. \r\nNumber of victimized organizations per month\r\nFigure 1. The monthly and cumulative numbers of organizations victimized by Conti and LockBit\r\nfrom August 2020 to March 2022\r\nSince August 2020, there has been a large, stable number of organizations victimized by Conti, albeit with\r\nmonthly increases and decreases. We have observed LockBit since September 2020, but the number of\r\norganizations victimized by the group per month has been very small, between one and three only. In addition,\r\nsince January 2021, its original leak sites have been suspended and no victimized organizations have been\r\nreported. However, since its resumption of activity in July 2021, with the so-called LockBit 2.0, its number of\r\nvictimized organizations has exceeded Conti’s, making it the most active ransomware group. As a result, LockBit\r\nhas been rapidly catching up in terms of the total number of victimized organizations, and as of March 2022, we\r\nhave predicted that it will overtake Conti around August 2022 to become the largest ransomware group in terms of\r\nthe total number of victimized organizations. However, with Conti likely having shut down in May 2022, or at\r\nleast rebranding, it is almost certain that LockBit will overtake Conti sooner than expected.\r\nFigure 2. A predictive trend of Conti and Lockbit’s future crossover point considering the numbers\r\nof organizations victimized by the two ransomware groups from July 2021 to March 2022 (prior to\r\nConti’s shutdown)\r\nVictimized organizations by region\r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 2 of 7\n\nFigure 3. The regional distribution of organizations victimized by Conti (left) and LockBit (right)\r\nfrom November 2019 to March 2022\r\nLooking at the regions where their victimized organizations are located, we see that there is a big difference\r\nbetween Conti and LockBit. For Conti, 93% of its victims are in North America and Europe, very much\r\nconcentrated in these two regions. By comparison, 68% of LockBit’s victims are in the same two regions. On the\r\nother hand, the areas of the victimized organizations are more dispersed for LockBit. We have observed many\r\nvictimized organizations in Asia-Pacific, South/Latin America, and the Middle East, among others.\r\nComparing the regional distribution of organizations victimized by Conti and LockBit with the regional GDP\r\ndistribution, LockBit is closer to the regional GDP distribution except for Asia-Pacific. Therefore, LockBit seems\r\nto be attacking specific regions more indiscriminately than Conti.\r\nFigure 4. The regional distribution of organizations victimized by Conti (left) and LockBit (middle)\r\nfrom November 2019 to March 2022, and of GDP (right) as of March 2022\r\nA closer look at the countries and regions of the victimized organizations in Asia-Pacific reveals that Conti has\r\nmany victimized organizations in English-speaking countries such as Australia, India, New Zealand, and\r\nSingapore. LockBit’s, on the other hand, are again more distributed in various countries.\r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 3 of 7\n\nFigure 5. The distribution by country or region of organizations victimized by Conti (left) and\r\nLockBit (right) in Asia-Pacific from November 2019 to March 2022\r\nConsidering that the number of victimized organizations in Asia-Pacific is small for both Conti and LockBit\r\ncompared to the GDP of the region, this suggests that local languages or alphabets might have been a barrier to\r\nthese groups in attacking countries there, as in searching for confidential information to steal in an organization’s\r\nnetwork.\r\nLooking at changes in the distribution of victimized organizations over time in a simple moving average, we see\r\nthat Conti’s attacks on organizations in Europe are on the rise. \r\nFigure 6. A simple moving average of the number of organizations victimized by Conti in each\r\nregion from November 2020 to March 2022\r\nIn addition, closely looking at the regions other than the top two regions, we see that Conti’s attacks on\r\norganizations in Asia-Pacific have been gradually increasing.\r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 4 of 7\n\nFigure 7. A simple moving average of the number of organizations victimized by Conti in each\r\nregion, except North America and Europe, from November 2020 to March 2022\r\nLockBit has also seen a slight increase in its attacks on organizations in Europe, but its distribution in each region\r\nhas remained largely stable.\r\nFigure 8. A simple moving average of the number of organizations victimized by LockBit in each\r\nregion from November 2021 to March 2022\r\nVictimized organizations by industry\r\nLooking at the number of victimized organizations by industry, we see that both Conti and LockBit are distributed\r\nalmost evenly across various industries (the top 15 industries are the same and in the same order), and it seems\r\nthat there is no difference in their attack tendencies against industries. This indicates that they are not targeting\r\nspecific industries.\r\nFigure 9. The distribution by industry of organizations victimized by Conti (left) and LockBit (right)\r\nfrom November 2019 to March 2022\r\nVictimized organizations by number of employees\r\nLooking at the number of victimized organizations by number of employees, we see LockBit has victimized more\r\nsmall organizations than Conti. \r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 5 of 7\n\nFigure 10. The distribution by number of employees of organizations victimized by Conti (left) and\r\nLockBit (right) from November 2019 to March 2022\r\nAlso, looking at the monthly number of changes in the moving average, LockBit has a stable ratio by number of\r\nemployees, whereas Conti comparatively has a lot of variability and its attack tendency is not very stable.\r\nFigure 11. A simple moving average of the number of organizations victimized by Conti (top) from\r\nNovember 2020 to March 2022 and by LockBit (bottom) from November 2021 to March 2022 in\r\neach organization size in terms of number of employees\r\nConclusion\r\nThese characteristics visible from the data can be examined in greater depth by matching them with information\r\nprovided by different threat intelligence sources. Conti, for example, has vowed not to target Russia’s alliesnews\r\narticle, such as former Soviet Union countries and China. It has also been reported that Conti prefers to target\r\nlarge organizations with more revenue and therefore more money to spare to earn more ransom.\r\nLockBit, for its part, has stated that it selects targets only for financial motives without being influenced by\r\npolitical ties. It has also stated that its ringleader resides in Hong Kong. Since targeting an organization in one’s\r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 6 of 7\n\ncountry or region of residence increases the risk of being investigated and arrested by the local police, it is\r\npractically a given that organizations in the country or region of residence should not be targeted from the\r\nviewpoint of the security of the attacker.\r\nBy applying data analysis approaches such as what we present here to other ransomware groups, and cross-checking the information from different threat intelligence sources with data leaks, it is possible to deeply analyze\r\neach group’s characteristics. Furthermore, it is possible to gain deep insight into an attacker’s targeting and\r\nbusiness model and to quickly notice changes in the attacker’s trends. This data, both current and predictive, can\r\nbe invaluable for a range of people including network defenders looking to know where to invest for their security,\r\ninsurers looking to understand risk, and law enforcement professionals.\r\nMore details and approaches about ransomware data analysis will be presented at the 34th Annual FIRST\r\nConference in Dublin on June 27 by Vladimir Kropotov of Trend Micro and Eireann Leverett of Waratah\r\nAnalytics.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nhttps://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html"
	],
	"report_names": [
		"conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434515,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a52fd1aced44125a8386f2577c71a86fdef52b8f.pdf",
		"text": "https://archive.orkl.eu/a52fd1aced44125a8386f2577c71a86fdef52b8f.txt",
		"img": "https://archive.orkl.eu/a52fd1aced44125a8386f2577c71a86fdef52b8f.jpg"
	}
}