Conti Ransomware Gang

Threat Actor Profile Updated 3 months ago
The Conti ransomware gang, one of the most prolific threat actors of recent years, is assessed to have extorted at least $180 million worldwide. The gang is infamous for the May 2021 attack on Ireland's Health Service Executive (HSE), and its members have since been targeted by UK and US sanctions, announced in the UK by the National Crime Agency (NCA). In late 2021, researchers assessed that development of Trickbot, the modular banking trojan turned malware loader, had effectively been "acquired" by the Conti gang, adding a mature initial-access and delivery platform to its capabilities. In May 2022 the U.S. Department of State offered rewards totaling up to $15 million: up to $10 million for information identifying or locating Conti's leaders, and up to $5 million for information leading to the arrest or conviction of anyone conspiring to participate, or attempting to participate, in a Conti ransomware attack.

In early 2022 a new group, Royal Ransomware, emerged, staffed by veterans of the Conti gang. Royal has repeatedly attacked US-based healthcare organizations and has more recently extended its tooling to Linux systems.

The situation changed dramatically when Russia invaded Ukraine. The day after the invasion began on February 24, 2022, the Conti gang declared full support for the Russian government and pledged to use all available resources to strike the critical infrastructure of any "enemy". The group walked the statement back within hours, saying it allied with no government and condemned the war, but the damage was done: a Ukrainian security researcher with access to the gang's infrastructure leaked its internal chat logs and source code, an event known as the Conti Leaks. The Conti brand was wound down in the months that followed.

Additionally, in March 2023, the FBI reported that LockBit, another ransomware group, had assembled its own research and development team, drawing on operators who had separated from the Conti gang. Taken together, these developments show how the ransomware ecosystem reforms around the remnants of a disbanded operation, with former Conti personnel and tooling resurfacing in successor groups and new alliances.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (Votes): Profile Description
Wizard Spider (1 vote): Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Ransomware
Malware
Cybercrime
Russia
Botnet
Phishing
Linux
Malware Loader
Associated Malware
ID (Type, Votes): Profile Description
Conti (Unspecified, 3 votes): Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Black Basta (Unspecified, 2 votes): Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in April 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
TrickBot (Unspecified, 2 votes): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
QakBot (Unspecified, 2 votes): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Royal Ransomware (Unspecified, 1 vote): Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Blackbasta (Unspecified, 1 vote): BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Ryuk (Unspecified, 1 vote): Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Monti (Unspecified, 1 vote): The Monti group, a malicious cyber entity, has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. The group is known for its malware, Monti, which is a particularly harmful program designed to exploit and damage computer systems. It infiltrates systems thr
REvil (Unspecified, 1 vote): REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Lockbit (Unspecified, 1 vote): LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Bazarbackdoor (Unspecified, 1 vote): BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
Anchor (Unspecified, 1 vote): Anchor is a type of malware, short for malicious software, that infiltrates systems to exploit and cause damage. It can access systems through various methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal info
Domino (Unspecified, 1 vote): Domino is a malware family (a backdoor and loader) reported in 2023 in intrusions attributed to former members of the Conti gang, with tooling overlaps to FIN7. It is unrelated to the 2021 Domino's India data breach, in which a hacker claimed to have accessed the company's 13 TB customer database and advertised it on the Dark Web,
Bazarloader (Unspecified, 1 vote): BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Associated Threat Actors
ID (Type, Votes): Profile Description
Sandworm (Unspecified, 1 vote): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Evil Corp (Unspecified, 1 vote): Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
FIN7 (Unspecified, 1 vote): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Conti Ransomware Gang threat actor was read from the documents corpus below. This display is limited to 20 results.
Source (Created): Title
CERT-EU (10 months ago): OSINT Round-Up of Russia-Based High-Profile Cybercriminals
Krebs on Security (a year ago): U.S. Hacks QakBot, Quietly Removes Botnet Infections
CSO Online (a year ago): Russian hacktivists deploy new AresLoader malware via decoy installers
Krebs on Security (a year ago): U.S., U.K. Sanction 7 Men Tied to Trickbot Hacking Group
CERT-EU (a year ago): 4 Recent Ransomware Attack Examples | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting
CERT-EU (a year ago): Warning issued over ransomware attacks targeting VMware ESXi servers globally
CERT-EU (a year ago): Russian cybercrime alliances upended by Ukraine invasion
CERT-EU (a year ago): Apple M1 Chips face LockBit Ransomware threat in development - Cybersecurity Insiders
CERT-EU (a year ago): The U.S. Looks to Direct Cyber Engagement to Reestablish Its Leadership Position
CERT-EU (10 months ago): US, Latin America Seek to Boost Cybersecurity
CERT-EU (10 months ago): Hackers threaten to dump data stolen from Auckland University of Technology | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (10 months ago): Bumblebee Loader Resurfaces in New Campaign
Securityaffairs (a year ago): UK and US sanctioned 11 members of Russia-based TrickBot gang
CERT-EU (a year ago): Russians who deployed ransomware against hospitals are charged | #ransomware | #cybercrime | National Cyber Security Consulting
Securityaffairs (a year ago): The intricate relationships between the FIN7 group and members of the Conti gang
CERT-EU (a year ago): 3 Malware Loaders Detected in 80% of Attacks: Security Firm
CERT-EU (a year ago): A secondhand account of the worst possible timing for a scammer to strike
CERT-EU (a year ago): UK, US sanction Conti and Trickbot ransomware gang members | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): The Conti Ransomware Gang and the Trickbot Cybercrime Enterprise XMPP's and Jabber Account IDs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting