Conti Team

Threat Actor updated 23 days ago (2024-11-29T14:37:50.892Z)
The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attacks with tactics, techniques, and procedures (TTPs) similar to those previously used by the original Conti team. Some researchers suspect that this new group may consist of former Conti members who compromised Conti Team One. Another individual, Akira, was observed to have close ties with the Ryuk side of post-Conti, leading to a relationship with Zeon - formerly Conti Team One, which ran TrickBot, further illustrating the complex web of relationships within these threat actor groups.

In response to perceived threats from Western nations, the Conti Team announced their intention to retaliate against any cyber warfare attempts targeting critical infrastructure in Russia or Russian-speaking regions. This aggressive stance demonstrates the group's readiness to leverage their cyber capabilities in geopolitical conflicts.

Meanwhile, another threat actor group named Monti emerged, deliberately emulating the TTPs of the Conti team, incorporating many of their tools, and even using Conti’s leaked source code. This suggests an ongoing influence of Conti's methods on emerging cybercriminal activities.

By 2024, LockBitSupp, a sub-group largely drawn from the Zeon group (formerly known as Conti Team 1), had become a significant player, serving "as a mere distraction for actual operations." They pretended LockBit was still a Ransomware-as-a-Service (RaaS) group, drawing attention to its data-leak blog, while most of its profits came from small teams of pentesters. This indicates the evolution and diversification of strategies employed by these threat actors, highlighting the need for continuous vigilance and adaptive countermeasures in the cybersecurity landscape.
Description last updated: 2024-05-04T16:45:31.105Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Zeon is a possible alias for Conti Team. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Conti Malware is associated with Conti Team. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona | Unspecified | 6 |
| The Monti Malware is associated with Conti Team. Monti is a malicious software, or malware, specifically a member of the Linux ransomware family. Ransomware is designed to infiltrate computer systems, often without the user's knowledge, through suspect downloads, emails, or websites. Once inside, it can cause significant damage by stealing persona | is related to | 2 |
| The Ryuk Malware is associated with Conti Team. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves | Unspecified | 2 |
| The TrickBot Malware is associated with Conti Team. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev, | Unspecified | 2 |
| The Akira Malware is associated with Conti Team. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo | Unspecified | 2 |
| The Royal Ransomware Malware is associated with Conti Team. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea | is related to | 2 |