Conti Team

Threat Actor Profile Updated 13 days ago
The Conti team, a threat actor group known for its ransomware operations, has undergone significant fragmentation and transformation over recent years.

In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attacks with tactics, techniques, and procedures (TTPs) similar to those previously used by the original Conti team. Some researchers suspect that this new group consists largely of former Conti Team One members. Another group, Akira, was observed to have close ties with the Ryuk side of the post-Conti ecosystem, leading to a relationship with Zeon (formerly Conti Team One, the team that ran TrickBot), further illustrating the complex web of relationships among these groups.

In response to perceived threats from Western nations, the Conti Team announced its intention to retaliate against any cyber warfare attempts targeting critical infrastructure in Russia or Russian-speaking regions. This stance demonstrates the group's readiness to use its capabilities in geopolitical conflicts.

Meanwhile, another group, Monti, emerged that deliberately emulated the TTPs of the Conti team, incorporated many of its tools, and even reused Conti's leaked source code. This shows the continued influence of Conti's methods on newer cybercriminal operations.

By 2024, LockBitSupp, a sub-group largely drawn from Zeon (formerly Conti Team One), had become a significant player, with the LockBit brand reportedly serving "as a mere distraction for actual operations": the group kept up the appearance that LockBit was still a Ransomware-as-a-Service (RaaS) operation and drew attention to its data-leak blog, while most of its profits came from small teams of pentesters. This illustrates how these actors diversify their strategies and why continuous vigilance and adaptive countermeasures remain necessary.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Zeon | 2 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting the SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Conti | Unspecified | 6 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
Monti | is related to | 2 | Monti is a prominent Linux ransomware family known for its harmful activities aimed at exploiting and damaging computer systems. The malware first gained attention in 2022, following the implosion of another notorious ransomware group, Conti. Monti repurposed Conti's leaked source code and even mimi
Ryuk | Unspecified | 2 | Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting its malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to
TrickBot | Unspecified | 2 | TrickBot is a notorious malware that has been linked to numerous cybercrimes. This malicious software, designed to exploit and damage computers or devices, can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal informat
Akira | Unspecified | 2 | Akira is a notorious malware, specifically a ransomware, that has been causing significant damage and disruptions across various industries. It operates by infiltrating systems often without the user's knowledge, stealing sensitive information, and holding data hostage for ransom. Over time, Akira h
Royal Ransomware | is related to | 2 | Royal Ransomware, a harmful malware created by former members of the Conti group, was involved in multiple high-profile attacks against critical infrastructure. Its operations were characterized by multi-threaded encryption and it often left a ransom note after infecting systems. Notably, the Royal
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Conti Team Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 3 months ago | No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp
CERT-EU | a year ago | Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal | IT Security News
BankInfoSecurity | 3 months ago | Who is LockBitSupp? Police Delay Promise to Reveal Identity
Unit42 | a year ago | Threat Assessment: Royal Ransomware
BankInfoSecurity | 2 months ago | Ransomware Talent Surges to Akira After LockBit's Demise
Trend Micro | 9 months ago | Monti Ransomware Unleashes a New Encryptor for Linux
Trend Micro | a year ago | Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
CERT-EU | 9 months ago | Monti Ransomware's Linux Variant Attacks the Financial & Healthcare Industries
Securelist | a year ago | Reassessing cyberwarfare. Lessons learned in 2022
CERT-EU | 2 months ago | Ransomware Talent Surges to Akira After LockBit's Demise
Pulsedive | 5 months ago | Pulsedive Blog | 2023 in Review
CERT-EU | a year ago | Royal Ransomware Group Builds Its Own Malware Loader | #ransomware | #cybercrime – National Cyber Security Consulting