Credential Theft
- Mimikatz
- ProcDump
- Router Scan
- SharpChrome
Conti was a highly prolific ransomware operation active primarily from 2020 to 2022 and widely associated with the TrickBot criminal ecosystem.
Profile source: Mallory opens in a new tabConti
Conti was a highly prolific ransomware operation active primarily from 2020 to 2022 and widely associated with the TrickBot criminal ecosystem. It conducted large-scale double-extortion attacks in which victim networks were breached, files were encrypted, and stolen data was used to pressure organizations into paying ransoms. The operation targeted more than 1,000 organizations worldwide, including healthcare providers, government entities, educational institutions, and businesses across dozens of countries. By early 2022, Conti had generated at least $150 million in ransom payments.
The malware and its operators were linked to a broader Russian-speaking cybercrime milieu that overlapped with TrickBot and, through personnel and infrastructure relationships, with Ryuk and later Black Basta and other successor groups. Public reporting and criminal cases indicate that Conti used supporting malware components including loaders to facilitate attacks, and that members of earlier ransomware crews, including Ryuk, transitioned into the Conti operation. Internal leaks in 2022 exposed the group’s structure, management, and operational practices, after which the brand ceased operating under its original name and its members dispersed into other ransomware and cybercrime ventures.
Conti’s codebase had lasting downstream impact after its source code leaked, with later ransomware developers and operators reportedly reusing or adapting portions of it. The malware is also noted for process-termination behavior used to remove obstacles to encryption. Conti is regarded as one of the defining ransomware families of its period because of its scale, organizational maturity, and influence on subsequent ransomware ecosystems.
Ransomware.live
Reported operators
Devman, a ransomware operator believed to be based in Russia and utilizing code derived from the leaked Conti source.
The sample analyzed in this report was identified as DragonForce ransomware developed based on Conti ransomware.
A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty ... The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage.
Waseem Ahmed, head of engineering at Secure.com, explained that SGR is a Conti offshoot now running pure data-theft extortion.
Waseem Ahmed, head of engineering at Secure.com, explained that SGR is a Conti offshoot now running pure data-theft extortion.
The crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.
Emsisoft threat analyst Brett Callow previously told The Record that the group has been active since the middle of 2021 and is believed to be a spin-off of the Conti ransomware group. Several other security companies ... have released reports this year showing concrete ties between the infrastructure used by Conti and Karakurt.
Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.
Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.
Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.
The State Department on Thursday announced a $10 million reward for information related to five specific individuals associated with the Conti ransomware group.
Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019...
Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019...
Looking at the indicators of compromise in the report, Valery Marchive of LegMagIT found several IP addresses related to Conti ransomware, indicating Lockean’s affiliation to additional RaaS operations and targeting of businesses in other regions.
The group started using stolen code from Conti in 2024 to build its own custom attack tools to hit Windows and VMware server environments.
Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.
...used open-source and leaked builders from other operators, including LockBit, Babuk and Conti.
"...FIN7... known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs..."
Conti was a prolific ransomware strain for a few years... Conti responded by announcing its closure in May, but soon after, much of the Conti team split up into smaller groups and continued their activity.
The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption.
...multiple overlaps with Conti ransomware.
Exploited software
MITRE ATT&CK
Reporting
The most notable revelation comes from the EU designation of Vitaly Nikolayevich Kovalev, also known as “Stern,” the administrator of the Trickbot criminal syndicate behind some of the most notorious ransomware strains, including Conti.
The sanctions also swept up key developers behind prolific malware strains like Trickbot, Conti, and LummaC2.
...as the Conti leaks show, but it always belonged to the state rather than to the criminals who observed it.
Many Ryuk members later joined the Conti ransomware operation.
Law enforcement agencies and cybersecurity researchers have connected it with other major cybercrime operations such as Conti and Trickbot.
Following its shutdown in 2020, many of its members transitioned to the Conti ransomware operation, which quickly became one of the most prolific hacker groups.
Earlier leaks involving the Conti ransomware group provided comparable insight into how attackers negotiate payments behind the scenes.
Devman, a ransomware operator believed to be based in Russia and utilizing code derived from the leaked Conti source.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.