Conti Ransomware Syndicate Dismantles Brand and Splinters Into Smaller Operations
The Conti ransomware syndicate took key parts of its digital infrastructure offline, including sections of its leak site, victim negotiation portal, and internal systems, in what researchers described as a deliberate reorganization rather than a direct law-enforcement takedown. Security firms and reporting tied the move to mounting pressure after a pro-Ukraine insider leaked Conti’s internal chats and tools, exposing the group’s structure, workflows, and links to Russia. The leaks followed Conti’s public declaration of support for Russia after the invasion of Ukraine, a stance that triggered internal backlash and gave investigators an unusually detailed view into one of the world’s most prolific ransomware operations.
Researchers said Conti’s shutdown did not mark the end of its activity but a rebranding and dispersal of personnel into smaller, harder-to-track units and other extortion groups, including operations such as ALPHV/BlackCat. Subsequent reporting indicated former Conti members continued to repurpose the gang’s tooling in campaigns tied to Ukraine, including lures exploiting the Follina vulnerability and impersonation themes involving Elon Musk. The episode also underscored why sanctions and disruption efforts struggle to permanently dismantle ransomware groups: even when a major brand collapses, its operators, malware, and playbooks often persist across successor crews.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Google reports Conti tools repurposed for attacks on Ukraine
Google said actors tied to Conti had repurposed the gang's tooling for cyberattacks against targets in Ukraine, including lures exploiting the Follina vulnerability and impersonation themes involving Elon Musk. The report showed Conti-linked capabilities remained active after the group's apparent shutdown.
Researchers link Conti's transition to wider dispersal into other groups
Analysis published after the shutdown indicated Conti members were likely splitting into smaller independent teams, joining other ransomware and extortion operations such as ALPHV/BlackCat, or embedding into existing brands. Researchers also assessed that the ongoing Costa Rica attacks may have partly served as cover during the transition.
Conti starts dismantling its brand and infrastructure
By mid-May, Conti took much of its digital infrastructure offline, including parts of its leak site, negotiation platform, and internal communications systems. Researchers assessed the move as a deliberate restructuring and rebranding into smaller units rather than a sudden law-enforcement takedown.
Pro-Ukraine actor leaks Conti internal chats and files
A pro-Ukraine individual began leaking Conti's internal Jabber chats and other files, exposing the gang's structure, operations, and internal culture. The leaks gave researchers and law enforcement unprecedented visibility into the ransomware group.
Conti publicly backs Russia after invasion of Ukraine
After Russia's invasion of Ukraine, the Conti ransomware gang posted a statement declaring support for Russia and warning it would retaliate against Western cyberattacks targeting Russian infrastructure. The declaration drew unusual public attention to the group's political alignment.
Sources
7 references tracked.
Google: Conti repurposing tools for Ukraine attacks using Follina bug, Musk impersonation | The Record from Recorded Future News
therecord.media
Why It’s Hard to Sanction Ransomware Groups - ProPublica
propublica.org
Did the Conti ransomware crew orchestrate its own demise? | Computer Weekly
computerweekly.com
Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there | The Record from Recorded Future News
therecord.media
Conti ransomware shuts down operation, rebrands into smaller units
bleepingcomputer.com
‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang | CNN Politics
edition.cnn.com
Conti Ransomware Group Warns Retaliation if West Launches Cyberattack on Russia - CNET
cnet.com


