Inactive ransomware operator
← All groupsConti
351 victims indexed · first seen 6 years ago · last activity 4 years ago
351
Victims indexed
#26 of 348 tracked operators
1y 11m
Active period
Jul 2020 → Jun 2022
10
Countries hit
top United States · 42
At a glance
- Status
- inactive
- First seen
- 6 years ago
- Last activity
- 4 years ago
- Onion sites
- 4 known endpoints
- Primary sector
- Finance · 7 hits
- Suspected origin
- 🇷🇺RU
About
Conti is a financially-motivated ransomware group that emerged in July 2020 and quickly became one of the most prolific and aggressive ransomware operations globally. The group is suspected to be of Russian origin and operated as a Ransomware-as-a-Service (RaaS) model, with documented ties to the TrickBot malware operation and suspected connections to other Russian cybercriminal enterprises. Conti primarily gained initial access through phishing emails, exploitation of vulnerabilities in internet-facing applications, and leveraging the TrickBot and Emotet botnets for distribution, employing double extortion tactics where they exfiltrated sensitive data before deploying their ransomware and threatening to publish stolen information if ransoms were not paid. Notable campaigns included attacks on Ireland's Health Service Executive (HSE) in May 2021 which severely disrupted healthcare services nationwide, numerous attacks against U.S. healthcare systems during the COVID-19 pandemic, and the breach of Costa Rica's Ministry of Finance and other government agencies in 2022, with the group demanding a $20 million ransom from the Costa Rican government. The Conti operation was significantly disrupted in 2022 following internal leaks of their communications and source code, leading to the group's dissolution, though many of its members are believed to have migrated to other ransomware operations including Black Basta and Karakurt.
References
195 linksExternal sources curated by the MISP threat-intel community.
- cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti
- s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098
- symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines
- threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442
- unit42.paloaltonetworks.com/conti-ransomware-gang
- blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
- intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike
- media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- securelist.com/new-ransomware-trends-in-2022/106457/
- advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022
- esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru
- microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures
- threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again
- trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html
- youtube.com/watch?v=cYx7sQRbjGA
- chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/
- 0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74
- analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
Timeline
21 months2020-07-01T00:00:00+00:002022-06-01T00:00:00+00:00
Top countries
🇺🇸 United States
42
🇩🇪 Germany
11
🇮🇹 Italy
8
🇬🇧 United Kingdom
8
🇳🇱 Netherlands
2
🇨🇦 Canada
2
🇫🇷 France
2
🇳🇴 Norway
2
Top sectors
Finance
7
Energy
6
Healthcare and Public Health
6
Manufacturing
6
Food & Agriculture
4
Healthcare
3
Transportation Systems
3
Government Facilities
3
MITRE ATT&CK
18 techniques · 10 tacticsTactics
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact
Techniques
- T1566.001Spearphishing Attachment
- T1566.002Spearphishing Link
- T1078Valid Accounts
- T1059.003Windows Command Shell
- T1059.001PowerShell
- T1543.003Windows Service
- T1055Process Injection
- T1548.002Bypass User Account Control
- T1562.001Disable or Modify Tools
- T1070.004File Deletion
- T1003.001LSASS Memory
- T1021.002SMB/Windows Admin Shares
- T1021.001Remote Desktop Protocol
- T1135Network Share Discovery
- T1083File and Directory Discovery
- T1041Exfiltration Over C2 Channel
- T1486Data Encrypted for Impact
- T1490Inhibit System Recovery
Detection · YARA rules
1 ruleransom_conti
YARA rule from ATR/Trellix: ransomware/Ransom_Conti.yar
source: ATR/Trellix
Recent victims
Loading…
Onion infrastructure
4 known- http://continews.bz
- http://continews.click
- http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion
- http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/
Source
Updated 4 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.