Mallory
Malware | Ransomware | Used by 21 actors | Exploits 1 CVE

Conti

Also known as: Conti V2

Conti is a ransomware-as-a-service (RaaS) malware family and operation launched around mid-2020; some of the cited reporting also describes it as a rebrand of Ryuk around May 2020 and links it to TrickBot/Wizard Spider. It became one of the most deployed RaaS ecosystems in 2021–2022, with multiple affiliates concurrently deploying its payload. U.S. government reporting cited in the content states Conti was involved in more than 400 attacks between spring 2020 and spring 2021, mostly against U.S. organizations, and later described it as the costliest ransomware strain on record, with more than 1,000 victims and over $150 million in payouts as of January 2022.

The malware encrypts victim systems and is used in double-extortion operations that steal data before encryption and threaten to publish or sell exfiltrated data. The content states Conti typically steals victims’ files and encrypts servers and workstations, instructing victims to contact the attackers through an online portal for ransom transactions. It uses a dark-web leak site to post threats and victim data. A specifically documented behavior is deletion of Windows Volume Shadow Copies using vssadmin to hinder recovery.

Observed infection vectors and deployment context in the provided material include phishing and broader post-compromise intrusion chains. In the Ireland Health Service Executive incident, the initial compromise began when a user opened a malicious Microsoft Excel attachment from a phishing email on 16 March 2021; the attackers then maintained access for roughly two months before deploying the final Conti v3 payload on 14 May 2021. That reporting attributes the intrusion to Wizard Spider and identifies the final payload as Conti v3, described as a 32-bit executable that encrypts files and systems. The content also notes Qakbot infections can progress to Black Basta- or Conti-associated ransomware activity.

Targets mentioned in the content include U.S. healthcare and first-responder networks, Ireland’s Health Service Executive, Costa Rican government agencies, hospitals in New Zealand, and U.S. public-sector and emergency-service entities. The FBI warning cited in the content says Conti conducted at least 16 attacks against U.S. healthcare and first-responder networks over a 12-month period. The attack on Ireland’s HSE disrupted medical procedures and shut down a COVID-19 vaccine portal. Conti also conducted a high-profile attack on Costa Rica, disrupting customs and tax platforms; the group claimed attacks on four government sectors and leaked 672.19 GB of alleged stolen data.

The operation is repeatedly associated in the content with Russia. Researchers cited in the material assessed that at least some Conti actors are based in Russia, and the group publicly posted support for the Russian government after the invasion of Ukraine before revising its statement. The content also describes Conti as a Russian government-linked RaaS operation known for attacking vital U.S. and Western infrastructure, though some cited analysts were more cautious about the extent of direct alignment.

Conti suffered major internal leaks in 2022. A Ukrainian researcher leaked internal XMPP/Jabber chat logs containing more than 60,000 messages initially and later over 167,000 messages spanning June 2020 to February 27, 2022. The leaks exposed operational details including bitcoin addresses, organizational structure, law-enforcement evasion, attack methods, victim discussions, and links to Ryuk, TrickBot, BazarBackdoor, and Diavol. Additional leaked materials included the source code for Conti’s administrative panel, BazarBackdoor API, screenshots of storage servers, and a password-protected archive containing the ransomware encryptor, decryptor, and builder source code; another researcher reportedly cracked the archive password, making the source code publicly accessible. The content notes this leak was a major reputational and operational blow and raised the risk of code reuse by other threat actors.

The provided reporting states Conti shut down in 2022, with infrastructure taken offline in June 2022 and subsequent rebranding or successor activity tied to groups such as Black Basta, Royal, Karakurt, and smaller extortion-focused units including SRG/Luna Moth. High-confidence indicators and artifacts directly mentioned in the content include use of vssadmin for shadow copy deletion, dark-web leak and negotiation portals, Conti v3 as the payload identified in the HSE incident, and leaked bitcoin addresses and internal chat data associated with the operation.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories.

CVE-2021-34473: ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange Autodiscover

Activists have reportedly leaked the contents of internal chats from the Russia-affiliated Conti ransomware gang... Both Conti and another criminal crew called Karma hit the unidentified org through the ProxyShell exploit... Conti was deploying its own malware.

via The Register (theregister.com)
THREAT ACTORS

Groups observed using it

21 distinct threat actors attributed by public researchers.
WIZARD SPIDER

The crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.

via BankInfoSecurity (bankinfosecurity.com)
Silent Ransom Group

SRG emerged after the Conti ransomware shutdown in March 2022, rebranding into smaller units focused on data theft and extortion.

via SC World (scworld.com)
Karakurt

Emsisoft threat analyst Brett Callow previously told The Record that the group has been active since the middle of 2021 and is believed to be a spin-off of the Conti ransomware group. Several other security companies ... have released reports this year showing concrete ties between the infrastructure used by Conti and Karakurt.

via The Record (therecord.media)
DEV-0230

Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.

via Microsoft (microsoft.com)
DEV-0506

Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.

via Microsoft (microsoft.com)
DEV-0216

Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.

via Microsoft (microsoft.com)
Trickbot

The State Department on Thursday announced a $10 million reward for information related to five specific individuals associated with the Conti ransomware group.

via CyberScoop (cyberscoop.com)
WizardSpider

Ireland's National Cyber Security Centre (INCSC) named the ultimate payload, executed two months after initial access was established, as Conti v3; a 32-bit executable that encrypts all within its grasp.

via The Register (theregister.com)
Conti

The Conti group claimed that it had taken information from the IMN's e-mail server. The attack would be part of the one carried out with the ransomware that affected the Ministerio de Hacienda and the Micitt.

via Web Archive (web.archive.org)
Russian Spider

Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019...

via The Irish Times (irishtimes.com)
NC1878

Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019...

via The Irish Times (irishtimes.com)
Lockean

Looking at the indicators of compromise in the report, Valery Marchive of LegMagIT found several IP addresses related to Conti ransomware, indicating Lockean’s affiliation to additional RaaS operations and targeting of businesses in other regions.

via BleepingComputer (bleepingcomputer.com)
Nitrogen

The group started using stolen code from Conti in 2024 to build its own custom attack tools to hit Windows and VMware server environments.

via CyberScoop (cyberscoop.com)
Tramp

Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.

via Check Point Research (research.checkpoint.com)
DragonForce

...DragonForce ransomware group... using ... a modified version of Conti.

via The Hacker News (thehackernews.com)
Bl00Dy

...used open-source and leaked builders from other operators, including LockBit, Babuk and Conti.

via Cyjax blog (cyjax.com)
Conti gang

McMenamins suffered a Conti ransomware attack... Servers and workstations were encrypted as part of the attack...

via BleepingComputer (bleepingcomputer.com)
FIN7

"...FIN7... known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs..."

via BleepingComputer (bleepingcomputer.com)
Stern

Conti was a prolific ransomware strain for a few years... Conti responded by announcing its closure in May, but soon after, much of the Conti team split up into smaller groups and continued their activity.

via Chainalysis blog (chainalysis.com)
Scattered Spider

The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption.

via Splunk Research (research.splunk.com)
EXOTIC LILY

...multiple overlaps with Conti ransomware.

via MITRE ATT&CK website (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

25 distinct techniques documented for this family, organized by ATT&CK tactic.

T1588.001 Malware (evidence: 1)

The U.S. and German government’s action today addresses the abuse of virtual currency to launder ransom payments.

T1608.006 SEO Poisoning (evidence: 1)

All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products.

Initial Access

5 techniques

T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

T1189 Drive-by Compromise (evidence: 1)

The sort of “watering hole” attack we saw here uses carefully cultivated search engine optimization to draw in a specific kind of victim: computer users seeking pirated software.

T1190 Exploit Public-Facing Application (evidence: 1)

Both Conti and another criminal crew called Karma hit the unidentified org through the ProxyShell exploit...

T1566 Phishing (evidence: 1)

...the WizardSpider criminal crew used the Conti ransomware to lock up the whole of Ireland's state-run health service... after a phishing email hit its mark...

T1566.001 Spearphishing Attachment (evidence: 1)

"The Malware infection was the result of the user of the Patient Zero Workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on 16 March 2021."

Execution

3 techniques

T1059.003 Windows Command Shell (evidence: 3)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

T1204 User Execution (evidence: 1)

The download was a .zip archive file named after the alleged “cracked” product sought by the target.

T1204.002 Malicious File (evidence: 2)

Completing the download resulted in the delivery of a malware payload.

Persistence

1 technique

T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

Stealth

3 techniques

T1027 Obfuscated Files or Information (evidence: 1)

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Discovery

1 technique

T1057 Process Discovery (evidence: 1)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Lateral Movement

1 technique

T1021.001 Remote Desktop Protocol (evidence: 1)

RDP exploitation is one of the top initial infection vectors for ransomware... notable initial access and persistence vectors for affiliated actors include Emotet, Cobalt Strike, spearphishing, and stolen or weak Remote Desktop Protocol (RDP) credentials.

Collection

1 technique

T1074 Data Staged (evidence: 1)

By covering as much ground as possible, attackers can harvest and leak data to their C2 (Command and Control Infrastructure) before deploying ransomware payloads on the network.

T1071 Application Layer Protocol (evidence: 1)

The infrastructure commonly supports ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.

Exfiltration

4 techniques

T1041 Exfiltration Over C2 Channel (evidence: 1)

By covering as much ground as possible, attackers can harvest and leak data to their C2 (Command and Control Infrastructure) before deploying ransomware payloads on the network.

T1537 Transfer Data to Cloud Account (evidence: 1)

the perpetrators allegedly stole “non-critical” employee data... Conti... stated it stole approximately 14 GB (13.88 GB) worth of files.

T1567 Exfiltration Over Web Service (evidence: 1)

When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data.

T1567.002 Exfiltration to Cloud Storage (evidence: 1)

the threat actors exfiltrated approximately 90 GB of data to various cloud storage providers including filetransfer.io, filemail.net, sendspace.com, and dropbox.com.

Impact

4 techniques

T1486 Data Encrypted for Impact (evidence: 21)

According to the investigation, he developed malware in January of this year to obtain illegal profits. The accused intended to use it to encrypt commercial organizations' data and demand a ransom for decryption, Russian prosecutors said.

T1490 Inhibit System Recovery (evidence: 2)

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
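The recovery-inhibition commands quoted above (and the vssadmin shadow-copy deletion noted in the family summary) are among the most reliable pre-encryption signals a defender can alert on. The Python below is an added example written for this page, not Mallory's code and not any vendor's rule: it runs three T1490 detections over process-creation events. The key=value event format, host names, user names and timestamps are constructed for the example; the regexes match the three commands as quoted on this page, tolerate an optional ".exe", mixed case and padded spacing, and still fire when the command is wrapped in cmd.exe /c, while a benign "vssadmin list shadows" is not flagged.

```python
"""Detect shadow-copy deletion and boot-recovery tampering (ATT&CK T1490)
in process-creation telemetry.

Added example for this page; not Mallory's code and not a vendor rule.
The event format, host names, user names and timestamps are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    technique: str
    cmdline: str


# Rules: (name, ATT&CK technique, regex over the normalised command line).
# The three commands are the ones quoted on this page for T1490. Each regex
# tolerates an optional ".exe", mixed case and irregular spacing, and still
# fires when the command is launched through "cmd.exe /c ...".
RULES = [
    ("Shadow copy deletion via vssadmin", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("Shadow copy deletion via WMIC", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("Windows recovery disabled via bcdedit", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
]

# Constructed key=value process-creation events (field names loosely modelled
# on Sysmon Event ID 1 / Security 4688; this is not real telemetry).
SAMPLE_EVENTS = [
    r'ts=2021-05-14T03:12:07Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2021-05-14T03:12:09Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe shadowcopy delete"',
    r'ts=2021-05-14T03:12:11Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    # Benign: an administrator listing shadow copies must not fire the rule.
    r'ts=2021-05-14T09:40:00Z host=FS-01 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    # Variant: mixed case and padded spacing, launched through cmd.exe.
    r'ts=2021-05-14T03:12:13Z host=WS-043 user=CORP\svc_backup image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c VSSADMIN  Delete   Shadows /All /Quiet"',
    r'ts=2021-05-14T10:02:45Z host=FS-01 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\jdoe\notes.txt"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line; double-quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def normalise(cmdline):
    """Lower-case and collapse whitespace so case and spacing tricks do not slip past the regexes."""
    return " ".join(cmdline.split()).lower()


def scan_events(lines):
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = normalise(ev.get("cmdline", ""))
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ev.get("ts", ""), ev.get("host", ""),
                                        ev.get("user", ""), name, technique,
                                        ev.get("cmdline", "")))
    return findings


def summarise_by_host(findings):
    """Count findings per host: several T1490 hits on one host within minutes is
    the pre-encryption pattern worth paging on, more so than a single stray command."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user}: {f.rule} [{f.technique}] :: {f.cmdline}")
    print("per-host:", summarise_by_host(hits))
```

Running it against the constructed events yields four findings: three on WS-042 within seconds of each other (vssadmin, WMIC, bcdedit) and one on WS-043 for the cmd.exe-wrapped variant; the "list shadows" and notepad events produce nothing. Normalising the command line before matching is the important design choice, since command-line case and spacing are free for an operator to vary while the underlying verbs are not.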

T1565 Data Manipulation (evidence: 1)

The ransomware attack has prevented the government from effectively collecting taxes, and some public employees’ salaries are either being overpaid or underpaid, Chaves said.

T1657 Financial Theft (evidence: 2)

He analyzed stolen data and used sensitive information to intensify extortion tactics. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance.

Other

1 technique

T1562 Impair Defenses (evidence: 1)

Conti also dropped a batch script onto the target network to disable Windows Defender, shortly before deploying their full payload.

INDICATORS OF COMPROMISE

IOCs tracked for this family

12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (10 tracked): IPs, domains, and DNS infrastructure linked to this family.

Other (2 tracked): other indicator types observed in public reporting.

Type | Value | Latest sighting
domain | (value not shown on the public page) | 2 days ago
domain | (value not shown on the public page) | 2 months ago
domain | (value not shown on the public page) | 5 months ago
uri | (value not shown on the public page) | 5 months ago
domain | (value not shown on the public page) | 5 months ago
domain | (value not shown on the public page) | 5 months ago