Skip to content
Ransomware group Windows

Conti

Conti was a highly prolific ransomware operation active primarily from 2020 to 2022 and widely associated with the TrickBot criminal ecosystem.

Profile source: Mallory opens in a new tab

Conti

Family profile

Conti was a highly prolific ransomware operation active primarily from 2020 to 2022 and widely associated with the TrickBot criminal ecosystem. It conducted large-scale double-extortion attacks in which victim networks were breached, files were encrypted, and stolen data was used to pressure organizations into paying ransoms. The operation targeted more than 1,000 organizations worldwide, including healthcare providers, government entities, educational institutions, and businesses across dozens of countries. By early 2022, Conti had generated at least $150 million in ransom payments.

The malware and its operators were linked to a broader Russian-speaking cybercrime milieu that overlapped with TrickBot and, through personnel and infrastructure relationships, with Ryuk and later Black Basta and other successor groups. Public reporting and criminal cases indicate that Conti used supporting malware components including loaders to facilitate attacks, and that members of earlier ransomware crews, including Ryuk, transitioned into the Conti operation. Internal leaks in 2022 exposed the group’s structure, management, and operational practices, after which the brand ceased operating under its original name and its members dispersed into other ransomware and cybercrime ventures.

Conti’s codebase had lasting downstream impact after its source code leaked, with later ransomware developers and operators reportedly reusing or adapting portions of it. The malware is also noted for process-termination behavior used to remove obstacles to encryption. Conti is regarded as one of the defining ransomware families of its period because of its scale, organizational maturity, and influence on subsequent ransomware ecosystems.

Capabilities

  • Defense Evasion
  • Exfiltration
  • Extortion

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • ProcDump
  • Router Scan
  • SharpChrome

Defense Evasion

  • GMER
  • PCHunter

Discovery Enum

  • AdFind
  • Bloodhound
  • PowerView
  • Seatbelt
  • ShareFinder
  • SharpView
  • SoftPerfect NetScan

Exfiltration

  • Dropfiles
  • MEGA
  • Qaz[.]im
  • RClone
  • Sendspace
  • WinSCP

LOLBAS

  • BITSAdmin
  • NTDS Utility (ntdsutil)
  • PsExec
  • WMIC

Offsec

  • Cobalt Strike
  • Metasploit
  • Meterpreter
  • PowerShell Empire
  • PowerSploit
  • Rubeus

RMM Tools

  • AnyDesk
  • Atera
  • Splashtop

Reported operators

Threat actors

21 named in public reporting
Devman

Devman, a ransomware operator believed to be based in Russia and utilizing code derived from the leaked Conti source.

DragonForce

The sample analyzed in this report was identified as DragonForce ransomware developed based on Conti ransomware.

Conti

A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty ... The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage.

Silent Ransom Group

Waseem Ahmed, head of engineering at Secure.com, explained that SGR is a Conti offshoot now running pure data-theft extortion.

SRG

Waseem Ahmed, head of engineering at Secure.com, explained that SGR is a Conti offshoot now running pure data-theft extortion.

WIZARD SPIDER

The crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.

Karakurt

Emsisoft threat analyst Brett Callow previously told The Record that the group has been active since the middle of 2021 and is believed to be a spin-off of the Conti ransomware group. Several other security companies ... have released reports this year showing concrete ties between the infrastructure used by Conti and Karakurt.

DEV-0230

Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.

DEV-0506

Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.

DEV-0216

Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.

Trickbot

The State Department on Thursday announced a $10 million reward for information related to five specific individuals associated with the Conti ransomware group.

Russian Spider

Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019...

NC1878

Garda sources said the force’s involvement would become a substantive criminal investigation when a profile of the malware, called Conti, and its likely origins had been compiled during the work to contain and reverse its spread. The Conti ransomware, or malware, first appeared in December 2019...

Lockean

Looking at the indicators of compromise in the report, Valery Marchive of LegMagIT found several IP addresses related to Conti ransomware, indicating Lockean’s affiliation to additional RaaS operations and targeting of businesses in other regions.

Nitrogen

The group started using stolen code from Conti in 2024 to build its own custom attack tools to hit Windows and VMware server environments.

Tramp

Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.

Bl00Dy

...used open-source and leaked builders from other operators, including LockBit, Babuk and Conti.

FIN7

"...FIN7... known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs..."

Stern

Conti was a prolific ransomware strain for a few years... Conti responded by announcing its closure in May, but soon after, much of the Conti team split up into smaller groups and continued their activity.

Scattered Spider

The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption.

Exploited software

Vulnerabilities linked to Conti

2 CVEs

MITRE ATT&CK

Conti in ATT&CK

57 distinct techniques

Techniques

57 techniques
T1486 Data Encrypted for Impact T1489 Service Stop T1105 Ingress Tool Transfer T1005 Data from Local System T1083 File and Directory Discovery T1016 System Network Configuration Discovery T1140 Deobfuscate/Decode Files or Information T1588.001 Malware T1567.002 Exfiltration to Cloud Storage T1041 Exfiltration Over C2 Channel T1027 Obfuscated Files or Information T1567 Exfiltration Over Web Service T1537 Transfer Data to Cloud Account T1057 Process Discovery T1059.003 Windows Command Shell T1657 Financial Theft T1490 Inhibit System Recovery T1565 Data Manipulation T1021.001 Remote Desktop Protocol T1078 Valid Accounts T1074 Data Staged T1071 Application Layer Protocol T1204.002 Malicious File T1608.006 SEO Poisoning T1189 Drive-by Compromise T1204 User Execution T1566.001 Spearphishing Attachment T1562 Impair Defenses T1190 Exploit Public-Facing Application T1566 Phishing T1213 Data from Information Repositories T1018 Remote System Discovery T1222 File and Directory Permissions Modification T1529 System Shutdown/Reboot T1218.010 Regsvr32 T1485 Data Destruction T1135 Network Share Discovery T1055.001 Dynamic-link Library Injection T1021.002 SMB/Windows Admin Shares T1049 System Network Connections Discovery T1106 Native API T1080 Taint Shared Content T1078.002 Valid Accounts: Domain Accounts T1047 Windows Management Instrumentation T1059.001 Command and Scripting Interpreter: PowerShell T1136.002 Create Account: Domain Account T1547.001 Boot or Logon Autostart Execution: Registry Run Keys T1068 Exploitation for Privilege Escalation T1218.011 Signed Binary Proxy Execution: Rundll32 T1562.001 Disable or Modify Tools T1003.001 OS Credential Dumping: LSASS Memory T1003.003 OS Credential Dumping: NTDS T1046 Network Service Discovery T1482 Domain Trust Discovery T1560.001 Archive Collected Data: Archive via Utility T1071.001 Application Layer Protocol: Web Protocols T1219 Remote Access Software

Reporting

Research mentioning Conti

Jul 14
Chainalysis

“Stern” Ransomware Operator Sanctioned by EU

The most notable revelation comes from the EU designation of Vitaly Nikolayevich Kovalev, also known as “Stern,” the administrator of the Trickbot criminal syndicate behind some of the most notorious ransomware strains, including Conti.

Jul 14
Occrp

Spies, Malware, and Blackouts: EU Blames Secret FSB Unit for Decade of Cyber Sabotage | OCCRP

The sanctions also swept up key developers behind prolific malware strains like Trickbot, Conti, and LummaC2.

Jul 13
Flareio

Arrest and Sentencing Disparities Across Russian-Speaking Threat Actors - Flare | Identity First Threat Intelligence | Unmatched Visibility into Cybercrime

...as the Conti leaks show, but it always belonged to the state rather than to the criminals who observed it.

Jul 10
Scworld

Armenian man pleads guilty to deploying Ryuk ransomware | brief | SC Media

Many Ryuk members later joined the Conti ransomware operation.

Jul 10
The Record Media

Ryuk operator pleads guilty; Blackcat/AlphV conspirator gets nearly 6-year sentence | The Record from Recorded Future News

Law enforcement agencies and cybersecurity researchers have connected it with other major cybercrime operations such as Conti and Trickbot.

Jul 10
Bleeping Computer

Ryuk ransomware member pleads guilty in the US, faces 15 years in prison

Following its shutdown in 2020, many of its members transitioned to the Conti ransomware operation, which quickly became one of the most prolific hacker groups.

Jul 5
Cysecurity News

Report Details Alleged $1 Million Payment to Kairos After Data Theft - CySecurity News - Latest Information Security and Hacking Incidents

Earlier leaks involving the Conti ransomware group provided comparable insight into how attackers negotiate payments behind the scenes.

Jul 1
Scworld

Huntress CEO addresses insider threat claims amid employee-cybercriminal communication | brief | SC Media

Devman, a ransomware operator believed to be based in Russia and utilizing code derived from the leaked Conti source.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.