17 malware families

Conti

Also known asconti

Conti was a prolific and notoriously well-organized ransomware group active from 2020 until it ceased operating under its original name in 2022. The group conducted ransomware and double-extortion operations, breaching victim networks, encrypting files, stealing data, and threatening public disclosure unless ransoms were paid. Court documents and reporting in the provided content state that Conti targeted more than 1,000 victims worldwide between 2020 and 2022, including victims across 47 U.S. states, Puerto Rico, the District of Columbia, and 31 countries, and that the FBI estimated at least $150 million in ransom payments by January 2022. Reported victim sectors included healthcare organizations, government agencies, educational institutions, and businesses. The group was publicly noted for announcing full support for the Russian government in 2022, after which internal leaks contributed to its shutdown. The content describes Conti as closely linked to the TrickBot malware operation and notes reporting suggesting ties to Russian intelligence and political patrons, though those links are described as reporting and leaked-chat indications. Leaks also revealed an organizational structure resembling a legitimate company, including middle management and a human resources department. Observed or reported tradecraft in the provided content includes use of PsExec for ransomware propagation, use of Tor infrastructure, development of a malware loader by a member, and ESXi/Linux locker development with overlaps to leaked Babuk and Windows Conti code. The content also notes that former Conti members or core teams are believed to have moved into or influenced later operations including Black Basta, Royal/BlackSuit/3AM, and other cybercrime activity. Known alias in the provided content: conti.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics36 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1584

Compromise Infrastructure

T1588

Obtain Capabilities

T1588.001

Malware

TA0001

Initial Access

4 techniques

T1078×2

Valid Accounts

T1133

External Remote Services

T1190×2

Exploit Public-Facing Application

T1566×3

Phishing

T1566.001

Spearphishing Attachment

T1566.003

Spearphishing via Service

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1204

User Execution

T1204.002

Malicious File

TA0003

Persistence

3 techniques

T1078×2

Valid Accounts

T1133

External Remote Services

T1505

Server Software Component

TA0004

Privilege Escalation

1 technique

T1078×2

Valid Accounts

TA0005

Stealth

2 techniques

T1070

Indicator Removal

T1078×2

Valid Accounts

TA0007

Discovery

1 technique

T1083

File and Directory Discovery

TA0008

Lateral Movement

1 technique

T1021

Remote Services

T1021.002

SMB/Windows Admin Shares

TA0009

Collection

2 techniques

T1005×6

Data from Local System

T1074×2

Data Staged

TA0011

Command and Control

5 techniques

T1071×2

Application Layer Protocol

T1090

Proxy

T1090.003

Multi-hop Proxy

T1105×5

Ingress Tool Transfer

T1219×2

Remote Access Tools

T1573

Encrypted Channel

TA0010

Exfiltration

3 techniques

T1041×3

Exfiltration Over C2 Channel

T1537×4

Transfer Data to Cloud Account

T1567×4

Exfiltration Over Web Service

TA0040

Impact

4 techniques

T1486×38

Data Encrypted for Impact

T1529

System Shutdown/Reboot

T1565

Data Manipulation

T1657×9

Financial Theft

ARSENAL

Associated malware families

17 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

ContiA longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty ... The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage.5Jun 12, 2026

AkiraIn 2024, the top 3 ransomware threats to Canada were: Akira... emerged in April 2023... operates 2 ransomware variants... exfiltrates victim data before encrypting... double extortion.4Mar 18, 2026

Black BastaConti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.2Jun 12, 2026

Cobalt StrikeAuthorities said Lytvynenko engaged in cybercrime after Conti disbanded and its members splintered off into new groups, adding that he “was asleep but within arms’ reach of an open laptop running Cobalt Strike” at the time of his arrest.2Jun 12, 2026

Emotet"The gang is believed to be behind the recent revival of the notorious Emotet botnet, which could lead to a massive new wave of ransomware infections."2Mar 18, 2026

12 additional families tracked in Mallory.

IOCS

Observables

12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

12 IOCsView more in app

Domains

4 total

••••••.com•••••••.ru••••••••.com•••••••••.net

hash.sha256

3 total

•••••••••••••••••••••••••••

hash.sha1

2 total

•••••••••••••••••

uri

2 total

•••••••••••••••••

Email addresses

1 total

••••@•••••.•••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

codebyNews

Jun 23, 2026

Атаки на endpoint management: TTP 2026 и detection

Ransomware group referenced as using PsExec as a primary propagation mechanism for spreading ransomware.

bank info securityNews

Jun 19, 2026

No Joke: Gag Gift Store's Health Plan Pays $450K HIPAA Fine

Conducted a ransomware attack against Spencer's Gifts' employee health plan in 2021, accessing the company's network, deploying ransomware, encrypting data on company systems including servers storing protected health information, demanding a ransom, and later claiming responsibility on its dark website in January 2022.

security weekNews

Jun 16, 2026

Cybercrime Group Claims Novo Nordisk Hack - SecurityWeek

Referenced only in a headline about ransomware charges; no further operational detail is provided in the content.

security weekNews

Jun 15, 2026

Ukrainian Man Pleads Guilty in US to Conti Ransomware Charges - SecurityWeek

Prolific ransomware operation responsible for attacks against over 1,000 organizations in the US and abroad between 2020 and 2022, using ransomware to extort victims and steal data.

+194 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal17

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables12

Domains, IPs, and hashes tied to this actor, refreshed continuously.