Conti Team

Threat Actor updated 4 months ago (2024-05-04T20:20:04.900Z)
The Conti team is a ransomware threat actor whose structure and successor groups have shifted considerably in recent years. In September 2022, a splinter group drawn from Conti Team One resurfaced under the name Royal Ransomware, running callback phishing campaigns with tactics, techniques, and procedures (TTPs) closely matching those of the original Conti operation; some researchers suspect that this group consists of former Conti Team One members. The Akira ransomware group, in turn, has been observed to have close ties to the Ryuk side of post-Conti, which gives it a relationship with Zeon (formerly Conti Team One, the team that ran TrickBot), illustrating how tangled the relationships between these groups are.

In response to perceived threats from Western nations, the Conti team announced that it would retaliate against any cyber warfare attempt targeting critical infrastructure in Russia or Russian-speaking regions, a stance that shows the group's readiness to apply its capabilities in geopolitical conflicts. Separately, a group named Monti emerged that deliberately emulates Conti's TTPs, reuses many of its tools, and builds on Conti's leaked source code, showing that Conti's methods continue to shape newer criminal operations.

By 2024, LockBit, operated under the LockBitSupp persona and reportedly staffed largely from the Zeon group (formerly Conti Team 1), had become a significant player. According to the reporting cited below, the public LockBit Ransomware-as-a-Service (RaaS) brand and its data-leak blog served "as a mere distraction for actual operations", while most of the profits came from small teams of pentesters. This diversification of strategy underlines the need for continuous vigilance and adaptive countermeasures.
Description last updated: 2024-05-04T16:45:31.105Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Zeon (2 votes): Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting the SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
Conti (relationship: unspecified, 6 votes): Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Monti (relationship: is related to, 2 votes): Monti is ransomware with a Linux variant. Ransomware is designed to infiltrate computer systems, often without the user's knowledge, through suspect downloads, emails, or websites. Once inside, it can cause significant damage by stealing persona

Ryuk (relationship: unspecified, 2 votes): Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves

TrickBot (relationship: unspecified, 2 votes): TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea

Akira (relationship: unspecified, 2 votes): Akira is malware that has been causing significant damage to various organizations and systems worldwide. The ransomware, known for its persistent and harmful attacks, has successfully infiltrated numerous systems, often without the knowledge of the users, disrupting operatio

Royal Ransomware (relationship: is related to, 2 votes): Royal Ransomware, a malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious
Source Document References
Information about the Conti Team threat actor was read from the documents listed below (source, age, title; this display is limited to 20 results).
Securelist (2 years ago): Reassessing cyberwarfare. Lessons learned in 2022
CERT-EU (6 months ago): Ransomware Talent Surges to Akira After LockBit's Demise
BankInfoSecurity (6 months ago): Ransomware Talent Surges to Akira After LockBit's Demise
CERT-EU (a year ago): Monti Ransomware's Linux Variant Attacks the Financial & Healthcare Industries
Unit42 (a year ago): Threat Assessment: Royal Ransomware
BankInfoSecurity (7 months ago): Who is LockBitSupp? Police Delay Promise to Reveal Identity
Trend Micro (a year ago): Monti Ransomware Unleashes a New Encryptor for Linux
CERT-EU (a year ago): Royal Ransomware Group Builds Its Own Malware Loader | #ransomware | #cybercrime – National Cyber Security Consulting
Trend Micro (2 years ago): Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
CERT-EU (a year ago): Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal | IT Security News
Pulsedive (9 months ago): Pulsedive Blog | 2023 in Review
BankInfoSecurity (6 months ago): No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp