Malware · Ransomware · Used by 22 actors · Exploits 1 CVE

Conti

Also known as: Conti V2

Conti is a ransomware family and former ransomware-as-a-service (RaaS) operation active primarily from 2020 to 2022. It is closely linked to the TrickBot ecosystem and is described in the sourced reporting as developed by members of the TrickBot gang. It was one of the most prolific ransomware variants of its period and was used against somewhere between 900 and more than 1,000 victims worldwide (counts differ between sources), including organizations across 47 U.S. states, the District of Columbia, Puerto Rico, and about 31 foreign countries. The FBI stated that in 2021 Conti was used against more critical infrastructure victims than any other ransomware variant, and the sourced reporting says the operation had generated at least $150 million in ransom payments by January 2022.

Conti attacks involved compromising victim computers and networks, encrypting files and systems, stealing data, and extorting victims both for restoration of access and to prevent public disclosure of stolen information, i.e., double extortion. The content associates Conti with attacks on healthcare organizations, government agencies, educational institutions, businesses, hospitals, schools, local governments, police departments, sheriff’s offices, emergency medical services, and other critical infrastructure. A cited incident attributed to Conti affected Spencer’s Gifts’ employer-sponsored health plan in 2021, where ransomware encrypted servers containing protected health information and the gang later claimed responsibility on its dark web site.

The malware and operation are interlinked with TrickBot and related tooling. Court filings cited in the content state that a Conti conspirator directed development of a loader malware component used to load programs necessary for other malicious attacks. Separate reporting notes that threat actors associated with Conti-based or successor activity used tools such as Cobalt Strike, and that Conti and TrickBot were operationally connected. The content also notes a Linux/ESXi variant, Conti ESXi, which emerged in April 2022; research cited there found overlaps between Linux Conti variants, leaked Windows Conti code, and Babuk-derived ESXi locker functionality.

Conti is also significant as a code lineage source for later ransomware. The content states that DragonForce samples were assessed as developed based on Conti ransomware, and that DragonForce and other actors used leaked Conti source code. Black Basta is repeatedly described as a rebrand or successor emerging from the remnants of the Conti operation, and other successor or splinter groups mentioned include Royal/BlackSuit, Zeon, Quantum, Hive, BlackByte, Karakurt, and Silent Ransom Group.

The operation ceased under the Conti name in 2022 after internal leaks and fallout related to its support for the Russian government following the invasion of Ukraine. Multiple indictments and guilty pleas cited in the content tie named operators and developers to the Conti conspiracy, including roles such as crypter development, infrastructure administration, management, and loader development.


EXPLOITED CVES

Vulnerabilities exploited

Mallory has correlated 1 CVE with this family across public research and vendor advisories. Each entry links to the full Mallory page for that vulnerability.

CVE-2021-34473: ProxyShell pre-auth SSRF in Microsoft Exchange Autodiscover

Activists have reportedly leaked the contents of internal chats from the Russia-affiliated Conti ransomware gang... Both Conti and another criminal crew called Karma hit the unidentified org through the ProxyShell exploit... Conti was deploying its own malware.

via The Register (theregister.com)
THREAT ACTORS

Groups observed using it

22 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

DragonForce

The sample analyzed in this report was identified as DragonForce ransomware developed based on Conti ransomware.

via S2W blog on Medium (medium.com)
Conti

A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty ... The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage.

via CyberScoop (cyberscoop.com)
Silent Ransom Group (SRG)

Waseem Ahmed, head of engineering at Secure.com, explained that SGR is a Conti offshoot now running pure data-theft extortion.

via SC World (scworld.com)
WIZARD SPIDER

The crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.

via BankInfoSecurity (bankinfosecurity.com)
Karakurt

Emsisoft threat analyst Brett Callow previously told The Record that the group has been active since the middle of 2021 and is believed to be a spin-off of the Conti ransomware group. Several other security companies ... have released reports this year showing concrete ties between the infrastructure used by Conti and Karakurt.

via The Record (therecord.media)
MITRE ATT&CK

Techniques & procedures

19 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.001 Malware (evidence: 1)

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

Initial Access

1 technique
T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

Execution

1 technique
T1059.003 Windows Command Shell (evidence: 3)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

Persistence

1 technique
T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

Privilege Escalation

1 technique
T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 2)

Galochkin was a “crypter” for Conti, modifying the ransomware so that it would not be detected by anti-virus programs

T1078 Valid Accounts (evidence: 1)

GTsSS cyber actors frequently collect credentials to gain initial access to target organizations... Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.

T1140 Deobfuscate/Decode Files or Information (evidence: 2)

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Discovery

3 techniques
T1016 System Network Configuration Discovery (evidence: 1)

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

T1057 Process Discovery (evidence: 1)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1083 File and Directory Discovery (evidence: 1)

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Lateral Movement

1 technique
T1021.001 Remote Desktop Protocol (evidence: 1)

RDP exploitation is one of the top initial infection vectors for ransomware... notable initial access and persistence vectors for affiliated actors include Emotet, Cobalt Strike, spearphishing, and stolen or weak Remote Desktop Protocol (RDP) credentials.

Collection

1 technique
T1005 Data from Local System (evidence: 2)

He also admitted to possessing data from 12 victims, including eight in the US.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 4)

Loader feature: It can load a 2nd stage attack as EXE or DLL

Exfiltration

4 techniques
T1041 Exfiltration Over C2 Channel (evidence: 1)

Some ransomware operators do not allow targeting (encrypting and exfiltrating data) of non-profit organizations, healthcare, and government entities...

T1537 Transfer Data to Cloud Account (evidence: 1)

According to prosecutors, Lytvynenko and his co-conspirators deployed Conti ransomware on victim networks in the United States and abroad, stealing data and encrypting devices to extort Bitcoin ransom payments.

T1567 Exfiltration Over Web Service (evidence: 2)

Court filings allege the conspirators hacked into victims’ computers and networks, encrypted data, and demanded a ransom to restore the victims’ access to their files and to avoid public disclosure of the stolen information.

T1567.002 Exfiltration to Cloud Storage (evidence: 1)

On top of client applications such as those provided by Mega, many ransomware families may use other software or built-in operating system utilities to exfiltrate data. We’ll use Mega as the example here... you can look for execution of any process that is not chrome.exe ... initiating a network connection to the domains mega.io or mega.co.nz .

Impact

4 techniques
T1486 Data Encrypted for Impact (evidence: 22)

One of the most prolific ransomware groups half a decade ago, Conti was used in attacks against over 1,000 organizations in the US and abroad between 2020 and 2022.

T1490 Inhibit System Recovery (evidence: 1)

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
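The two evidence snippets above that actually describe detection logic (the T1567.002 note about non-browser processes connecting to mega.io or mega.co.nz, and the T1490 list of vssadmin, wmic and bcdedit command lines) can be turned into a small detection that runs over endpoint telemetry. The following is an added example written for this page; it is not code from Mallory or from any of the cited vendor reports. The event records are constructed, Sysmon-like dictionaries, the PowerShell Win32_ShadowCopy pattern is an assumed common variant not named on the page, and the browser allowlist defaults to the page's own example of chrome.exe.

```python
import ntpath
import re

# Constructed sample telemetry (not from the page): process-creation and
# network-connection events in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: enumerates, does not delete
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "mega.io"},  # browser traffic, allowlisted per the page's example
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe",
     "dest_host": "g.api.mega.co.nz"},  # non-browser process reaching a Mega API host
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe",
     "dest_host": "example.com"},  # unrelated destination, no alert
]

# T1490 patterns taken from the page's evidence text (vssadmin, wmic, bcdedit);
# the PowerShell Win32_ShadowCopy form is an added assumption of a common variant.
SHADOW_COPY_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    "bcdedit recoveryenabled no": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    "powershell win32_shadowcopy delete": re.compile(r"win32_shadowcopy\b.*\bdelete\b"),
}

# T1567.002: the Mega domains named on the page; subdomains are matched as well.
MEGA_DOMAINS = ("mega.io", "mega.co.nz")


def normalize_cmdline(cmdline: str) -> str:
    """Lower-case and collapse whitespace so casing or spacing tricks do not evade the regexes."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_shadow_copy_deletion(cmdline: str):
    """Return the name of the matching T1490 pattern, or None if the command line is clean."""
    norm = normalize_cmdline(cmdline)
    for name, pattern in SHADOW_COPY_PATTERNS.items():
        if pattern.search(norm):
            return name
    return None


def is_mega_host(host: str) -> bool:
    """True if host is one of the Mega domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def detect(events, browser_allowlist=frozenset({"chrome.exe"})):
    """Run both detections over a list of events and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("image", "")).lower()
        if ev["type"] == "process":
            hit = match_shadow_copy_deletion(ev.get("cmdline", ""))
            if hit:
                alerts.append({"technique": "T1490", "image": image, "reason": hit})
        elif ev["type"] == "network":
            host = ev.get("dest_host", "")
            if is_mega_host(host) and image not in browser_allowlist:
                alerts.append({"technique": "T1567.002", "image": image,
                               "reason": f"non-browser process connected to {host}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this raises three T1490 alerts (vssadmin, wmic, bcdedit) and one T1567.002 alert for rclone.exe reaching a mega.co.nz subdomain; the `vssadmin list shadows` and browser-to-Mega events stay silent. In production the browser allowlist would need to cover every sanctioned client, and the shadow-copy check is most useful as a high-severity signal because legitimate administration rarely combines deletion with `/quiet` and a boot-loader recovery change.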

T1565 Data Manipulation (evidence: 1)

The ransomware attack has prevented the government from effectively collecting taxes, and some public employees’ salaries are either being overpaid or underpaid, Chaves said.

T1657 Financial Theft (evidence: 2)

He analyzed stolen data and used sensitive information to intensify extortion tactics. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance.

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 10 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 2 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 2 tracked. Other indicator types observed in public reporting.

Type     Value                 Latest sighting
domain   (redacted on page)    11 days ago
domain   (redacted on page)    2 months ago
domain   (redacted on page)    5 months ago
uri      (redacted on page)    6 months ago
domain   (redacted on page)    6 months ago
domain   (redacted on page)    6 months ago