{
	"id": "28a0dc98-cb93-4ec9-8dcd-78ed67c1568e",
	"created_at": "2026-04-06T00:07:52.232214Z",
	"updated_at": "2026-04-10T03:36:11.276966Z",
	"deleted_at": null,
	"sha1_hash": "dba4bc8a02c4f70f6225af7114d3ef49d6ef9045",
	"title": "Conti vs. Monti: A Reinvention or Just a Simple Rebranding?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44959,
	"plain_text": "Conti vs. Monti: A Reinvention or Just a Simple Rebranding?\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 21:03:08 UTC\r\nIt’s a familiar sounding story. A young organization with a hot software product and skyrocketing revenues,\r\nemployee hiring fairs, lucrative salaries, bonuses and team recognition programs. But this story is not about a\r\nvibrant tech company in Silicon Valley or Austin; rather it is a real story of a criminal organization that manages\r\nand supports the insidious Conti ransomware.\r\nConti is advanced ransomware that first emerged in early 2020. It uses a bespoke encryption routine to identify\r\nand encrypt files quickly and efficiently, making it especially dangerous. The Conti gang uses a “double-extortion” technique, which encrypts victims’ data and demands payment. They also take copies of the victims’\r\ndata, permitting them to expose or sell the data if the victim refuses to pay.\r\nThe operators behind the malware are a high-profile ransomware group responsible for multiple high-impact\r\nattacks. They are otherwise known as Wizard Spider and may be part of the wider Trickbot cybercrime syndicate.\r\nReportedly, they are based in Russia and support the Russian government’s agenda, including the war in Ukraine.\r\nThe malware is distributed under a Ransomware as a Service (RaaS) model. The Conti gang distributes access to\r\nits malware to “affiliates” in exchange for a share of collected ransom payments. This aspect allows them to scale\r\noperations. Some reports cite the Conti gang operates as a modern start-up with salaries, bonuses and employee\r\nrecognition awards.\r\nIn just a few years, the Conti ransomware has caused damage and disruption globally. Conti has targeted hospitals,\r\ngovernments, financial institutions and enterprises including Snapon, Shutterfly, the Irish healthcare system and\r\nseveral agencies of the Costa Rican government. 
The FBI describes the Conti ransomware as “the costliest strain\r\nof ransomware ever documented.” It estimates more than 1,000 victims have suffered Conti-associated attacks and\r\ntotal victim payouts exceed USD $150 million as of early 2022.\r\nThe end of Conti\r\nAs with any organization, disgruntled employees sometimes turn against their employers. In March 2022, a\r\nUkrainian researcher working for the Conti gang went rogue. Thought to be unhappy with the Conti gang’s\r\nRussian government affiliation and its support for the war in Ukraine, the researcher leaked 393 files containing\r\nover 60,000 internal messages from the Conti gang's private chat server. The leaked information has been dubbed\r\nthe Conti Leaks and includes other sensitive data about the gang's operations, tools, and costs.\r\nSince then, infosec researchers everywhere have been sifting through this massive data treasure trove. The internal\r\nbreach has proved tremendously costly for the Conti gang, leaving them terribly exposed.\r\nTo add to their pain, in May 2022 the Rewards for Justice group within the US State Department announced new\r\nbounties of up to USD $10 million for anyone who provides useful information about individual members of\r\nConti. Specifically, the agency wants to know about five specific gang members: actors using the handles\r\nProfessor, Reshaev, Tramp, Dandis, and Target.\r\nOn May 19, 2022, the admin panel of the Conti ransomware gang's official website shut down. Shortly thereafter,\r\nin the wake of the Conti Leaks and (perhaps) the Rewards for Justice announcement, the gang shut down its attack\r\ninfrastructure.\r\nOut with the old…the emergence of Monti\r\nIn recent months, Conti’s activities have quieted. 
Some researchers have suggested that Conti’s diminished actions\r\nresult from a rebranding exercise like many ransomware strains have done before, with a number of Conti gang\r\nmembers likely involved. Other reports indicate that other RaaS operations have employed ex-Conti operators\r\nincluding Karakurt and BlackByte.\r\nThough there is no iron-clad evidence of Conti rebranding as Monti, Conti source code was leaked publicly in March\r\n2022. Consequently, it is possible that anybody could use the publicly available source code to create their own\r\nransomware based on Conti. This could be the case with Monti from our analysis of the disassembled code.\r\nMonti's entry point is very similar to Conti's, as seen below. As such, Monti could be a rebrand of Conti or simply\r\na new ransomware variant that has been developed using the leaked source code mentioned above.\r\n[Image: Image 4]\r\nWhether this is Conti being rebranded as Monti, in a bid to mock the former strain, or it is just another new\r\nransomware variant on the block, it is likely we will continue to see this new variant impact businesses globally.\r\nNevertheless, using publicly available binaries to create a new ransomware or relaunch an old one will hopefully\r\ngive defenders an edge when dealing with Monti as it evolves.\r\nSource: https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding"
	],
	"report_names": [
		"conti-vs-monti-a-reinvention-or-just-a-simple-rebranding"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dba4bc8a02c4f70f6225af7114d3ef49d6ef9045.pdf",
		"text": "https://archive.orkl.eu/dba4bc8a02c4f70f6225af7114d3ef49d6ef9045.txt",
		"img": "https://archive.orkl.eu/dba4bc8a02c4f70f6225af7114d3ef49d6ef9045.jpg"
	}
}