Conti Team

Threat Actor Profile Updated 3 months ago
The Conti team, a Russian-speaking ransomware group, has fragmented and re-formed repeatedly since it shut down its original operation. In September 2022 a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attacks with tactics, techniques and procedures (TTPs) similar to those of the original Conti operation. Some researchers assess that Royal consists of the former Conti members who made up Conti Team One.

Another group, Akira, was observed to have close ties with the Ryuk side of the post-Conti ecosystem, which in turn links it to Zeon (formerly Conti Team One, the team that ran TrickBot). Tracing one group therefore tends to surface several others, which illustrates how tangled the relationships among these crews are.

In February 2022 the Conti team announced that it would strike back at the critical infrastructure of any party that launched cyber attacks or war activities against Russia or Russian-speaking regions. The statement showed the group's readiness to put its capabilities at the service of a geopolitical conflict.

Meanwhile a group calling itself Monti emerged and deliberately emulated the Conti team's TTPs, reused many of its tools and built its encryptor from Conti's leaked source code. Conti's tradecraft thus continues to shape newer criminal operations.

By 2024 the LockBit operation, fronted by the LockBitSupp persona and staffed largely from the Zeon group (formerly Conti Team One), had become a significant player. The public LockBit Ransomware-as-a-Service (RaaS) brand and its data-leak blog served "as a mere distraction for actual operations": the operators kept up the appearance of a RaaS program while most of the profits came from small teams of "pentesters", the underground term for hands-on intrusion operators. The move from a visible affiliate program to quiet, closely held intrusion teams is one example of how these actors diversify their strategies, and it is why tracking them requires countermeasures that are continuously re-tuned rather than set once.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Zeon (2 votes): Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting the SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
LockBitSupp (1 vote): LockBitSupp, also known as LockBit and putinkrab, is a notorious threat actor responsible for creating and operating one of the most prolific ransomware variants. The individual behind this persona, Dmitry Yuryevich Khoroshev, has been actively involved in ransomware attacks against organizations fo
Zeon Group (1 vote): no profile description.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Data Leak
Phishing
RaaS
Associated Malware
Conti (Unspecified; 6 votes): Conti is ransomware known for disrupting operations, stealing personal information and holding data hostage for ransom. It reaches victims through malicious downloads, emails or websites, often unbeknownst to the user. It has been used in
Ryuk (Unspecified; 2 votes): Ryuk is a sophisticated ransomware variant that has been extensively used by the cybercriminal group ITG23. The group has employed crypting techniques for several years to obfuscate its malware, and Ryuk is often seen in tandem with other malicious software such as Trickbo
TrickBot (Unspecified; 2 votes): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through malicious downloads, emails or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations and serve as the foothold for ransomware that holds data hostage. It has been linked
Akira (Unspecified; 2 votes): Akira is ransomware known for its disruptive and damaging effects. First observed in March 2023, it has continued to hit a range of entities, including corporations across several industries. This ransomware infects systems through suspicious dow
Royal Ransomware (is related to; 2 votes): Royal Ransomware is a type of malware that has caused significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and its ability to kill processes withi
Monti (is related to; 2 votes): The Monti group has been active since June 2022, shortly after the Conti ransomware gang shut down its operations. The group is known for its ransomware, Monti, which has both Windows and Linux encryptors and is built on Conti's leaked source code. It infiltrates systems thr
LockBit (Unspecified; 1 vote): LockBit is ransomware that infiltrates systems to exploit and damage them. It can enter a system through various channels such as malicious downloads, emails or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Associated Threat Actors
Quantum Group (is related to; 1 vote): no profile description.
Associated Vulnerabilities
No associations to display
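The associations above form a small graph (threat actors, malware and the typed links between them), which is what a STIX export of this profile carries. The following is an added example, not Cybergeist's exporter or any code from this page: it encodes the profile's actors and malware as STIX 2.1 objects with deterministic ids and checks the bundle's referential integrity and relationship types before it is shared. The UUID namespace, the fixed timestamp and the mapping of the page's "Unspecified" and "is related to" labels onto STIX relationship types ("uses", "related-to", "variant-of") are assumptions made for the example.

```python
"""Encode this profile's associations as a STIX 2.1 bundle and sanity-check it.

Added example, not Cybergeist's exporter. Standard library only; the
`stix2` package would add full schema validation. Names come from the
profile; relationship types and the UUIDv5 namespace are assumptions.
"""
import json
import re
import uuid

# Assumed namespace for deterministic UUIDv5 ids (same input -> same id,
# so a repeated export updates rather than duplicates objects in a TIP).
NAMESPACE = uuid.UUID("9f1c4a2e-7d0b-4a6f-8c3d-2b5e6f7a8c9d")
# Fixed timestamp (assumed) so the output is reproducible; a real export uses now().
CREATED = "2024-06-01T00:00:00.000Z"

# STIX 2.1 id grammar: <object-type>--<RFC 4122 UUID>
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
# The subset of the STIX 2.1 relationship table this bundle uses.
ALLOWED = {
    ("threat-actor", "malware"): {"uses", "related-to"},
    ("malware", "malware"): {"variant-of", "related-to"},
    ("malware", "threat-actor"): {"related-to"},
    ("threat-actor", "threat-actor"): {"related-to"},
}


def stix_id(obj_type, name):
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, f'{obj_type}:{name}')}"


def sdo(obj_type, name, **extra):
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, name),
           "created": CREATED, "modified": CREATED, "name": name}
    obj.update(extra)
    return obj


def relationship(rel_type, source_ref, target_ref):
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", f"{rel_type}|{source_ref}|{target_ref}"),
            "created": CREATED, "modified": CREATED,
            "relationship_type": rel_type, "source_ref": source_ref, "target_ref": target_ref}


def build_bundle():
    conti = sdo("threat-actor", "Conti Team", aliases=["Conti"],
                threat_actor_types=["crime-syndicate"])
    actors = [conti,
              sdo("threat-actor", "Zeon", aliases=["Conti Team One", "Zeon Group"]),
              sdo("threat-actor", "LockBitSupp", aliases=["LockBit", "putinkrab"]),
              sdo("threat-actor", "Quantum Group")]
    malware = {n: sdo("malware", n, is_family=True, malware_types=["ransomware"])
               for n in ["Conti", "Ryuk", "Akira", "Royal Ransomware", "Monti", "LockBit"]}
    malware["TrickBot"] = sdo("malware", "TrickBot", is_family=True, malware_types=["trojan"])
    # "uses" for the families the text ties to the Conti crew directly (assumed mapping).
    rels = [relationship("uses", conti["id"], malware[n]["id"]) for n in ("Conti", "Ryuk", "TrickBot")]
    rels += [relationship("related-to", conti["id"], malware[n]["id"]) for n in ("Akira", "LockBit")]
    rels.append(relationship("related-to", malware["Royal Ransomware"]["id"], conti["id"]))
    # Monti is built from the leaked Conti source, so variant-of fits.
    rels.append(relationship("variant-of", malware["Monti"]["id"], malware["Conti"]["id"]))
    rels += [relationship("related-to", conti["id"], a["id"]) for a in actors[1:]]
    return {"type": "bundle", "id": stix_id("bundle", "conti-team-profile"),
            "objects": actors + list(malware.values()) + rels}


def validate(bundle):
    """Return a list of problems; an empty list means the bundle passed."""
    problems, ids = [], {}
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"bad id {o['id']}")
        if o["id"] in ids:
            problems.append(f"duplicate id {o['id']}")
        ids[o["id"]] = o["type"]
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = o["source_ref"], o["target_ref"]
        if src not in ids or dst not in ids:
            problems.append(f"{o['id']}: dangling ref {src if src not in ids else dst}")
            continue
        if o["relationship_type"] not in ALLOWED.get((ids[src], ids[dst]), set()):
            problems.append(f"{o['id']}: {ids[src]} -{o['relationship_type']}-> {ids[dst]} not allowed")
    return problems


def to_json(bundle):
    return json.dumps(bundle, indent=2, sort_keys=True)


if __name__ == "__main__":
    b = build_bundle()
    print(to_json(b))
    print("problems:", validate(b) or "none")
```

Running the script prints the bundle and the validator's findings. The same validate() check (dangling refs, duplicate or malformed ids, relationship types that the STIX 2.1 table does not permit between two object types) is worth running over any third-party STIX feed before it is loaded into a TIP, since a dangling source_ref or a "uses" edge pointing the wrong way silently corrupts the actor graph downstream.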
Source Document References
Information about the Conti Team threat actor was read from the documents below (display limited to 20 results).
Securelist (a year ago): Reassessing cyberwarfare. Lessons learned in 2022
CERT-EU (4 months ago): Ransomware Talent Surges to Akira After LockBit's Demise
BankInfoSecurity (4 months ago): Ransomware Talent Surges to Akira After LockBit's Demise
CERT-EU (a year ago): Monti Ransomware’s Linux Variant Attacks the Financial & Healthcare Industries
Unit42 (a year ago): Threat Assessment: Royal Ransomware
BankInfoSecurity (5 months ago): Who is LockBitSupp? Police Delay Promise to Reveal Identity
Trend Micro (a year ago): Monti Ransomware Unleashes a New Encryptor for Linux
CERT-EU (a year ago): Royal Ransomware Group Builds Its Own Malware Loader | #ransomware | #cybercrime – National Cyber Security Consulting
Trend Micro (a year ago): Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
CERT-EU (a year ago): Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal | IT Security News
Pulsedive (7 months ago): Pulsedive Blog | 2023 in Review
BankInfoSecurity (5 months ago): No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp