Conti
Conti is a ransomware-as-a-service (RaaS) operation and ransomware group widely associated with Russia-based actors. The group publicly declared support for the Russian government after the 2022 invasion of Ukraine, later softened its statement, and has been described in reporting as Russia-linked, with at least some actors assessed to be based in Russia.

Conti was responsible for more than 400 attacks between spring 2020 and spring 2021, mostly against U.S. organizations, and by January 2022 had reportedly victimized more than 1,000 organizations with over $150 million in payouts. Reported targeting included U.S. healthcare and first-responder networks, Ireland’s Health Service Executive, hospitals in New Zealand, Costa Rican government agencies, and other U.S. public-sector entities. The group used double extortion: it stole data before encrypting systems and threatened to publish or sell the exfiltrated data via its leak site and negotiation portals.

Conti operated as a business-like RaaS ecosystem with core operators and affiliates. Leaked internal chats exposed its organizational structure, bitcoin addresses, law-enforcement evasion, attack methods, and a toxic internal culture. Additional leaks exposed the source code for Conti’s administrative panel, the BazarBackdoor API, TrickBot command-and-control source code, and the Conti ransomware encryptor, decryptor, and builder. The leaks followed the group’s pro-Russia stance and were a major operational and reputational blow.

Reporting links the group to Ryuk, Diavol, TrickBot, and BazarBackdoor/BUMBLEBEE-related activity, including overlap noted by Google TAG and Proofpoint. Conti members and affiliates later dispersed into, or were linked to, other operations including Black Basta, Royal, Quantum, Hive, ALPHV/BlackCat, and Karakurt. Black Basta is described as a successor to Conti from February 2022, and Royal is described as a direct successor composed in part of former Conti members.

The group appears to have disbanded or taken much of its infrastructure offline in 2022 after the leaks and the fallout from its political stance, though former members continued operating under other banners.
Recent activity
Referenced as the predecessor ransomware group to Black Basta.
Referenced as a ransomware group whose operators used BazarCall campaigns; mentioned as part of the historical lineage connected to SRG before Conti's 2022 breakup.
Referenced as a criminal organization whose leaked internal communications provided insight into hidden criminal-side threat analysis.
Referenced as an example of a typical RaaS program revenue-sharing model; also cited as a prior collapse analogous to later ecosystem fragmentation events.