Conti Ransomware
Conti was both (1) a ransomware family and (2) the name commonly used for a ransomware-as-a-service (RaaS) operation that ran large-scale extortion campaigns, primarily against organizations running Microsoft Windows environments. It was first widely observed in December 2019 and became one of the most prolific ransomware operations of the early 2020s. (attack.mitre.org)
Overview
Conti is generally described by major threat-tracking sources as a RaaS operation: a core group maintained the malware and operational infrastructure, while other operators (often described as affiliates or deployers) carried out the intrusions and deployments, along with the data theft and extortion. (attack.mitre.org)
The group is frequently linked in public reporting and government/industry analysis to the broader Russia-based cybercrime ecosystem associated with “Wizard Spider”, which is also connected to other malware operations (notably TrickBot) used for access and deployment. (attack.mitre.org)
Common tactics
Conti campaigns were widely characterized by:
- Network intrusion and lateral movement, followed by mass encryption of systems. (attack.mitre.org)
- “Double extortion”: stealing data and threatening to publish it if payment was not made, in addition to encrypting files. (attack.mitre.org)
- Use of a broad intrusion toolkit and techniques cataloged by MITRE ATT&CK for the Conti malware family. (attack.mitre.org)
Notable activity and impact
In September 2021, U.S. agencies (CISA, FBI, NSA) issued a joint advisory describing hundreds of observed Conti incidents and providing mitigation guidance and indicators of compromise. (cisa.gov)
One of the most publicized incidents attributed to Conti was the 2022 ransomware crisis in Costa Rica, which severely disrupted government services and contributed to a national emergency declaration. (wired.com)
2022 leaks and decline of the “Conti” brand
In early 2022, after Conti publicly supported Russia during the invasion of Ukraine, a large set of internal communications and operational materials was leaked by a party claiming to support Ukraine. These leaks provided unusually detailed visibility into the group’s internal practices. (en.wikipedia.org)
After the leaks, reporting and threat analysis commonly described Conti as dissolving or rebranding, with members and tradecraft believed to have dispersed into other operations rather than disappearing outright. (en.wikipedia.org)
Related Bitcoin addresses:
Total: 1 address.
| Address | Bitcoins | USD |
|---|---|---|
| 1MuBnT25CQeTFYkx1tHP4Fa5rKbc4rC9uF | | $ |