Conti
Conti was one of the most prolific and destructive Ransomware-as-a-Service (RaaS) operations in history, recording $180 million in extortion revenue in 2021 alone and claiming over 1,000 victims worldwide. Operated by the Russia-based cybercriminal group Wizard Spider, Conti pioneered aggressive double-extortion tactics and wage-based affiliate models before dissolving in May 2022 and splintering into successor operations including Black Basta, BlackByte, Karakurt, and Royal.
Overview
Conti was a Ransomware-as-a-Service (RaaS) operation active from December 2019 through May 2022, operated by the Russia-based cybercriminal organization known as Wizard Spider (also tracked as ITG23 and GOLD BLACKBURN, and as Periwinkle Tempest by Microsoft). The group is widely considered the successor to Ryuk ransomware, sharing significant code similarities and operational infrastructure. Conti became the dominant ransomware threat of 2021, recording $180 million in extortion revenue and claiming more victims than any other ransomware group that year.
Unlike typical RaaS affiliate models where operators receive a percentage of ransom payments, Conti employed a wage-based structure, paying its deployers fixed salaries while the core team retained the majority of proceeds. The group ran a sophisticated, corporate-like organization with dedicated teams for development, negotiation, HR, and operations. This structure was revealed in detail through the "ContiLeaks" of February-March 2022, when a pro-Ukraine insider leaked approximately 60,000 internal XMPP chat messages, source code, training documents, and operational playbooks.
Conti gained notoriety for ruthlessly targeting healthcare institutions, emergency services, and critical infrastructure. High-profile attacks included the May 2021 shutdown of Ireland's Health Service Executive (HSE), attacks on New Zealand's Waikato District Health Board, and the devastating April 2022 attack on the Costa Rican government that took 27 ministries offline and prompted President Rodrigo Chaves to declare a national emergency. The FBI connected Conti to over 400 attacks against U.S. organizations alone, with ransom demands reaching $25 million.
In February 2022, Conti publicly pledged support for Russia's invasion of Ukraine, a decision that proved catastrophic. The ContiLeaks followed almost immediately, and the group's revenue collapsed as victims refused to pay a Russia-aligned operation. In May 2022, the U.S. government offered a $10 million reward for information identifying Conti leadership and an additional $5 million for information leading to arrests. The Costa Rica attack was the group's final major operation; by late May 2022, Conti's infrastructure went offline. However, security researchers assess the dissolution was a calculated rebrand rather than a true shutdown. Conti members dispersed into successor groups including Black Basta, BlackByte, Karakurt, Royal (now BlackSuit), Akira, BlackCat (ALPHV), and Hive, ensuring the group's tradecraft and talent continue to pose significant threats under new identities.
Target Profile
Conti employed a "big game hunting" approach, preferring large organizations with high revenue and critical operational dependencies that would increase the likelihood of ransom payment. The group opportunistically targeted organizations across virtually every sector, with the United States experiencing the highest concentration of attacks, followed by the UK, Canada, and Western Europe.
- Healthcare and emergency services: Conti gained infamy for deliberately targeting hospitals, emergency medical services, 911 dispatch centers, and public health systems. The attack on Ireland's HSE in May 2021 shut down the entire national healthcare IT network, cancelling appointments, disabling X-ray systems, and delaying COVID-19 testing for weeks.
- Government: Targeted local, state, and national government agencies worldwide. The April-May 2022 Costa Rica campaign was the group's largest government attack, encrypting systems across 27 ministries and prompting a national emergency declaration. Also targeted municipalities, law enforcement agencies, and government boards in Scotland and New Zealand.
- Critical infrastructure: Energy organizations, telecommunications providers, and industrial firms targeted for maximum operational disruption and ransom leverage.
- Manufacturing and construction: Among the top targeted sectors per Sophos analysis. Attacked companies reliant on operational technology and just-in-time supply chains where downtime translates directly to financial losses.
- Retail and financial services: Retail was identified as the primary target sector by overall attack volume. Banking, finance, and insurance companies targeted for both ransom payment capacity and data sensitivity.
- Education: Schools, universities, and educational institutions targeted for weak security postures and sensitivity of student/staff data.
- Technology: Japanese electronics manufacturer JVCKenwood attacked in September 2021. IT companies targeted both directly and as vectors for downstream access to client networks.
Tactics, Techniques & Procedures
Documented TTPs based on observed campaigns, CISA advisory AA21-265A, and leaked Conti training materials. Conti operations featured human-operated attacks with a speed-over-stealth methodology, using up to 32 concurrent encryption threads for rapid deployment.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Primary initial access vector. Phishing emails deliver malicious documents containing embedded scripts that download TrickBot, BazarLoader/BazarBackdoor, or Cobalt Strike loaders. Increasingly sophisticated lures with target-specific research. |
| T1133 | External Remote Services | Exploits stolen, weak, or brute-forced RDP credentials for initial access. Purchases network access from initial access brokers (IABs) who have already compromised target environments. |
| T1190 | Exploit Public-Facing Application | Exploits unpatched vulnerabilities in public-facing services including Microsoft Exchange (ProxyShell), Fortinet FortiGate, and Log4j for initial access. Rapidly weaponizes newly disclosed vulnerabilities. |
| T1486 | Data Encrypted for Impact | Core ransomware function. Conti uses custom AES-256 encryption with up to 32 logical threads for extremely rapid file encryption. Selectively encrypts files based on extension while skipping system files to keep machines bootable for ransom note display. |
| T1048 | Exfiltration Over Alternative Protocol | Double extortion: exfiltrates sensitive data before encryption using Rclone command-line tool to cloud storage. Threatens to publish stolen data on Conti's Tor-hosted leak site if ransom is not paid. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral movement via SMB using stolen credentials. Deploys Cobalt Strike beacons and ransomware payloads across network shares. Uses PsExec for remote execution on domain-joined systems. |
| T1003.001 | OS Credential Dumping: LSASS Memory | Uses Mimikatz and Cobalt Strike for credential harvesting from LSASS. Targets domain admin credentials for maximum network access before encryption deployment. |
| T1490 | Inhibit System Recovery | Deletes Volume Shadow Copies using vssadmin to prevent data recovery without payment. Disables backup services and corrupts backup infrastructure as standard pre-encryption procedure. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Disables Windows Defender, endpoint protection, and security monitoring tools before deploying ransomware. Uses batch scripts and Group Policy Objects (GPOs) to push disable commands across domain environments. |
| T1219 | Remote Access Software | Installs AnyDesk and other legitimate remote access tools for persistent backdoor access and to sell access to victim environments to other threat actors when ransom is not paid. |
Known Campaigns
Confirmed or highly attributed operations linked to this threat actor.
Sustained campaign targeting U.S. hospitals, 911 dispatch centers, emergency medical services, and law enforcement agencies. The FBI issued a flash alert connecting Conti to over 400 attacks on U.S. organizations. Universal Health Services (UHS), one of the largest healthcare systems in the U.S., was a notable victim. Ransom demands reached up to $25 million.
In May 2021, Conti attacked Ireland's Health Service Executive (HSE), forcing the shutdown of the entire national healthcare IT network. The attack cancelled patient appointments, disabled X-ray systems, and delayed COVID-19 testing for weeks. Ireland refused to pay the ransom. Conti eventually provided a decryption key but maintained its threat to publish stolen data. Recovery took months and cost an estimated EUR 100 million.
Continuous high-volume campaign against large corporations worldwide. By end of 2020, Conti's leak site had published data from over 150 companies, making them the third most active ransomware leaker. Notable victims included JVCKenwood (September 2021), New Zealand's Waikato District Health Board, and a Scottish government agency. Conti recorded $180 million in extortion revenue in 2021 alone, more than twice the next highest group.
Conti rapidly weaponized Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial network compromise. Used web shells on exploited Exchange servers for foothold, then followed standard Conti playbook of credential harvesting, lateral movement, and double-extortion ransomware deployment.
Conti's final and most politically significant operation. Beginning in April 2022, the group encrypted systems across 27 Costa Rican government ministries, starting with the Ministry of Finance and spreading through interlinked government networks over several weeks. The attack caused an estimated $125 million in losses, forced government workers to use pen and paper, and prompted President Chaves to declare a national emergency, describing the situation as an "act of terrorism." Initial ransom demand was $10 million, later doubled to $20 million. Costa Rica refused to pay. The U.S. offered a $15 million bounty for Conti intelligence. Security researchers assess the attack was deliberately designed as a publicity spectacle to cover Conti's ongoing rebrand into successor groups.
Following Conti's public support for Russia's invasion of Ukraine in February 2022, a pro-Ukraine insider leaked approximately 60,000 internal XMPP chat messages, the group's source code, training manuals, and operational toolkits. The leaks exposed Conti's corporate structure, member identities, and operational playbooks. Combined with plummeting ransom revenue, the leaks accelerated the group's dissolution. By May 2022, Conti's infrastructure went offline. Members dispersed into successor groups including Black Basta, BlackByte, Karakurt, Royal/BlackSuit, Akira, BlackCat (ALPHV), and Hive.
Tools & Malware
Known custom and commodity tools associated with this actor. Conti leveraged a mature ecosystem of loaders, post-exploitation frameworks, and custom ransomware.
- Conti ransomware: Custom ransomware using AES-256 encryption with up to 32 concurrent threads for extremely fast file encryption. Can be executed with command-line options for targeted encryption of specific drives or IP addresses. Supports both automated and human-operated deployment modes. Source code leaked publicly in March 2022.
- TrickBot: Banking trojan turned modular malware delivery platform, core to Wizard Spider operations since 2016. Used as initial access loader to deploy Cobalt Strike and ultimately Conti ransomware. Infected over one million devices globally before disruption efforts.
- BazarLoader / BazarBackdoor: Stealthy loader and backdoor used for initial access in high-value targets. Delivered via phishing campaigns. Served as a more targeted, evasive alternative to TrickBot for deploying Conti.
- Emotet: Botnet and malware loader used as initial access vector. Following its disruption and revival, Emotet resumed serving as an access broker for Conti deployments in late 2021.
- Cobalt Strike: Commercial adversary simulation framework extensively abused as post-exploitation tool. Beacons deployed via TrickBot or BazarLoader for C2 communication, lateral movement, credential extraction, and ransomware staging.
- Mimikatz: Credential harvesting tool for LSASS memory dumping and domain credential extraction. Standard component of Conti's lateral movement playbook.
- Rclone: Open-source command-line tool for cloud storage sync. Used for data exfiltration to attacker-controlled cloud accounts before encryption, enabling the double-extortion model.
- AnyDesk: Legitimate remote desktop application installed for persistent remote access. Also used to sell access to victim environments when ransom was not paid.
- PsExec: Microsoft Sysinternals tool used for remote command execution across domain-joined systems during lateral movement and ransomware deployment.
- NetSupport Manager: Legitimate remote access tool dropped for additional persistence and access resale capabilities.
Indicators of Compromise
Publicly available IOCs from CISA, FBI, and security vendor reporting. Conti source code was publicly leaked in 2022, enabling detection signature development. Note that Conti is defunct but its code and techniques persist in successor groups.
Conti-specific IOCs are largely historical. However, Conti source code powers derivative ransomware (Akira, Black Basta, Royal/BlackSuit), so behavioral detections remain critical. CISA provides IOCs in STIX format via advisory AA21-265A.
Mitigation & Defense
Recommended defensive measures based on CISA/FBI/NSA joint advisory AA21-265A. While Conti is defunct, its source code, techniques, and personnel persist in successor groups (Black Basta, Akira, Royal/BlackSuit), making these defenses broadly applicable to current ransomware threats.
- Enforce multi-factor authentication (MFA): Apply MFA on all remote access points, VPN connections, email, and privileged accounts. Conti heavily relied on stolen and brute-forced credentials for initial access via RDP. MFA eliminates this attack vector.
- Implement network segmentation: Segment networks to restrict lateral movement between business units and between IT and OT environments. Conti's speed-over-stealth approach means rapid lateral spread once inside the network. Segmentation limits blast radius.
- Maintain and protect offline backups: Implement the 3-2-1 backup strategy with at least one offline, air-gapped copy. Conti systematically deletes Volume Shadow Copies and corrupts backup infrastructure before encryption. Isolated backups are the primary recovery path.
- Patch public-facing systems immediately: Prioritize patching for Microsoft Exchange (ProxyShell), Fortinet, and Log4j vulnerabilities. Conti operators rapidly weaponized newly disclosed CVEs within days of public disclosure. Implement a centralized patch management system.
- Detect and block phishing delivery chains: Deploy advanced email filtering to detect BazarLoader, TrickBot, and Emotet delivery documents. Block macro execution from internet-delivered Office files. Train users to recognize increasingly sophisticated phishing lures.
- Monitor for Cobalt Strike activity: Deploy behavioral detection for Cobalt Strike beacon patterns, named pipes, malleable C2 profiles, and process injection. Cobalt Strike was the primary post-exploitation framework in virtually every Conti intrusion.
- Restrict remote access software: Audit for unauthorized installations of AnyDesk, NetSupport Manager, and other remote desktop tools. Implement application allowlisting. Conti installed legitimate remote access tools for persistence and access resale.
- Monitor for data exfiltration: Detect Rclone and similar cloud sync tools on endpoints. Monitor for large outbound data transfers to cloud storage services. Double extortion means data theft occurs before encryption, so exfiltration detection provides an early warning opportunity.
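The TTP table and the mitigation list above both describe the same observable chain (shadow-copy deletion, Rclone exfiltration, PsExec execution, remote-access-tool installs). The following detection logic, added here as an illustration and not taken from the profile, CISA AA21-265A, or any vendor signature set, runs simple command-line rules over a handful of constructed process-creation events and ranks hosts for containment; the regexes and sample events are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified process-creation events (host, parent, image, command line).
# Sample data invented for this example, not telemetry from any real intrusion.
SAMPLE_EVENTS = [
    ("FS01", "cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("FS01", "cmd.exe", "wmic.exe", "wmic shadowcopy delete"),
    ("WS22", "explorer.exe", "rclone.exe", "rclone.exe copy D:\\Finance remote:bucket --transfers 16"),
    ("DC01", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    ("WS07", "msiexec.exe", "AnyDesk.exe", "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"),
    ("WS09", "explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
]

# Detection rules keyed to the ATT&CK IDs used in the profile's TTP table. The regexes are
# this example's own approximations, not signatures published in CISA AA21-265A.
RULES = [
    ("T1490", "Shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1048", "Rclone cloud exfiltration",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("T1021.002", "PsExec remote service execution",
     re.compile(r"(^|\\)psexesvc\.exe", re.I)),
    ("T1219", "Remote access tool silent install",
     re.compile(r"anydesk(\.exe)?\s.*--install", re.I)),
]


def match_event(event):
    """Return the ATT&CK IDs whose rule matches one process-creation event."""
    _host, _parent, image, cmdline = event
    haystack = f"{image} {cmdline}"
    return [tid for tid, _name, rx in RULES if rx.search(haystack)]


def hunt(events):
    """Group hits per host so one alert summarises the whole pre-encryption chain."""
    hits = defaultdict(set)
    for event in events:
        for tid in match_event(event):
            hits[event[0]].add(tid)
    return {host: sorted(tids) for host, tids in hits.items()}


def containment_priority(hunt_result):
    """Hosts where backups are being destroyed (T1490) are closest to encryption,
    so they are ranked first; remaining hosts with any hit follow alphabetically."""
    return sorted(hunt_result, key=lambda h: (0 if "T1490" in hunt_result[h] else 1, h))


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for host in containment_priority(result):
        print(host, result[host])
```

In production the same grouping would be fed from Sysmon Event ID 1 or EDR process telemetry rather than an inline list, and a T1490 hit on its own should page an on-call responder because encryption typically follows within minutes.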
Although Conti formally dissolved in May 2022, its legacy persists. The leaked source code has been adopted by derivative ransomware families including Akira, which MITRE ATT&CK tracks with "multiple overlaps with Conti ransomware." Black Basta, the most prominent successor, collected over $107 million in ransom payments across 90+ victims within its first two years. In September 2023, the U.S. DOJ indicted multiple foreign nationals for Conti-related schemes. Organizations should treat detections for Conti-derived techniques as indicators of active, current threats under successor brand names.
Sources & Further Reading
Attribution and references used to build this profile.
- CISA/FBI/NSA — Conti Ransomware Advisory AA21-265A (2021, updated 2022)
- MITRE ATT&CK — Wizard Spider Group G0102
- MITRE ATT&CK — Conti Software S0575
- Palo Alto Unit 42 — Conti Ransomware Gang: An Overview
- Flashpoint — Conti Ransomware: Inside the Infamous RaaS Group
- Wikipedia — 2022 Costa Rican Ransomware Attack
- TechTarget — AdvIntel: Conti Rebranding as Several New Ransomware Groups (2022)
- SOCRadar — Dark Web Threat Profile: Conti Ransomware Group
- Threat Intelligence — Conti Ransomware Gang: History, Tactics, and Continued Threat (2024)
- Malpedia — Conti Malware Family