github: defconxt · © 2026 · blacktemple.net
Conti

Also known as: Wizard Spider · Gold Blackburn · DEV-0193 · Periwinkle Tempest

ransomware

Nation: 🇷🇺 Russia
Active Since: 2020
Targets: Healthcare · Government · Critical Infrastructure · Manufacturing · Financial Services · Education · Legal
Known Tools: Conti Ransomware · BazarLoader · TrickBot · Cobalt Strike · Mimikatz · Anchor · Ryuk · Emotet · Atera · AnyDesk
MITRE ATT&CK: T1566.001 · T1059.001 · T1059.003 · T1486 · T1490 · T1048 · T1021.002 · T1055 · T1562.001 · T1082
References: CISA Advisory AA21-265A · MITRE ATT&CK · Conti Leaks Analysis · DOJ Conti Reward

Background

Conti was a major ransomware-as-a-service operation run by the cybercriminal group known as Wizard Spider. The Conti operation launched in mid-2020 as the successor to the Ryuk ransomware, which itself had ties to the TrickBot malware operation. At its peak, Conti was one of the most prolific and damaging ransomware groups in the world, employing over 100 members organized in a corporate-like structure with distinct teams for development, negotiation, HR, and offensive operations.

Conti's organizational structure was dramatically exposed in February-March 2022 when a Ukrainian member of the group leaked approximately 170,000 internal chat messages and the ransomware's source code. This happened after Conti's leadership publicly declared support for the Russian government following the invasion of Ukraine. The "Conti Leaks" provided unprecedented insight into the inner workings of a major ransomware organization, revealing salary structures, organizational hierarchy, internal conflicts, and operational methods.

Following the leaks and declining trust among affiliates, Conti formally dissolved in May 2022. However, the group's members did not retire. They fractured into multiple successor operations including Royal (later rebranded as BlackSuit), Black Basta, Karakurt (data extortion-only), and Quantum ransomware, as well as contributing talent to existing operations like ALPHV/BlackCat and Hive. The U.S. State Department has offered up to $10 million for information on Conti leadership and $5 million for information leading to the arrest of affiliates.

Notable Campaigns

Costa Rica Government (April-May 2022): In one of the most audacious ransomware campaigns ever, Conti attacked multiple Costa Rican government agencies, including the Ministry of Finance, disrupting tax collection and customs operations for months. The group demanded $10 million (later raised to $20 million) and published 672GB of stolen government data. Costa Rica declared a national state of emergency, the first country to do so due to a ransomware attack. The attack was one of Conti's final major operations before dissolution.

Ireland's Health Service Executive (May 2021): Conti attacked Ireland's national public healthcare system, the HSE, in what was at that time the most significant cyberattack on a healthcare system. The attack forced a nationwide shutdown of IT systems, disrupting hospital services, diagnostic systems, COVID-19 testing, and patient care for weeks. Recovery took months and cost an estimated $600 million. Conti eventually provided a decryptor for free (while still threatening to leak data).

JVCKenwood (September 2021): Japanese electronics manufacturer JVCKenwood was compromised by Conti, with 1.7TB of data stolen. The group demanded $7 million in ransom, threatening to release confidential product designs and business documents.

Fat Face (January 2021): UK fashion retailer Fat Face was breached by Conti, resulting in the theft of customer and employee personal data. The company reportedly paid a $2 million ransom and faced criticism for initially trying to keep the breach quiet.

U.S. Healthcare System Attacks (2020-2022): Conti was responsible for widespread attacks against U.S. healthcare organizations during the COVID-19 pandemic. In October 2020, the FBI, CISA, and HHS issued a joint advisory warning of imminent Conti attacks against the U.S. healthcare sector, citing intelligence indicating coordinated targeting of hospitals.

Tactics, Techniques & Procedures

Conti's attack chain typically began with phishing emails distributing TrickBot, BazarLoader, or Emotet malware. These initial access payloads would establish a foothold on the victim's network, after which Conti operators would deploy Cobalt Strike beacons for command and control. The group also purchased access from initial access brokers and exploited internet-facing vulnerabilities such as ProxyShell (Microsoft Exchange), Log4Shell, and flaws in FortiGate VPN appliances.

Post-compromise operations were highly structured and followed documented playbooks (revealed in the Conti Leaks). Operators would harvest credentials using Mimikatz, Rubeus, and credential dumping techniques. They used BloodHound and AdFind for Active Directory reconnaissance, then moved laterally using PsExec, WMI, and RDP with stolen credentials. The group was meticulous about disabling security tools and deleting backups before deploying the ransomware.

Conti's ransomware was notable for its speed, using up to 32 simultaneous encryption threads, and its support for both command-line and automated deployment. The group practiced "big game hunting," spending days to weeks inside networks to maximize impact. They exfiltrated large volumes of data using the Rclone tool to cloud storage before deploying ransomware, ensuring double extortion leverage. The Conti Leaks revealed that the group maintained detailed operational playbooks and training materials for new affiliates.

Tools & Malware

  • Conti Ransomware: Multi-threaded ransomware using ChaCha20 for file encryption and RSA-4096 for key exchange. Supported command-line and network share encryption modes. Source code leaked in March 2022.
  • TrickBot: A modular banking trojan turned multi-purpose malware platform, serving as a primary initial access vector for Conti operations.
  • BazarLoader / BazarBackdoor: A stealthy backdoor used for high-value target access, communicating over HTTPS and leveraging blockchain-based DNS for resilience.
  • Emotet: The infamous botnet that served as an initial access broker for Conti, distributing malicious email attachments at massive scale.
  • Cobalt Strike: The primary post-exploitation framework used for C2, lateral movement, and payload delivery.
  • Mimikatz / Rubeus: Credential harvesting tools for extracting passwords, hashes, and Kerberos tickets from Active Directory environments.
  • Rclone: Open-source cloud storage synchronization tool used for large-scale data exfiltration to attacker-controlled cloud accounts.
  • Anchor: A TrickBot module designed for targeting high-value networks, using DNS tunneling for covert C2.
  • Atera / AnyDesk / Splashtop: Legitimate remote administration tools deployed for persistent access that blends with normal IT activity.

Indicators & Detection

Conti-encrypted files carry a .CONTI extension (or variant-specific extensions in successor operations), and ransom notes are named readme.txt. The ransomware modifies the desktop wallpaper and may create a mutex to prevent multiple instances. Conti's leaked source code enabled security researchers to develop comprehensive detection signatures, but successor groups have modified the codebase.

Detection should focus on the multi-stage attack chain. Monitor email gateways for TrickBot, BazarLoader, and Emotet delivery (typically Office documents with macros or password-protected ZIP attachments). Implement network detection for Cobalt Strike beacon traffic patterns, paying attention to both HTTP/HTTPS and DNS-based C2 channels.

On endpoints, watch for: Rclone execution (particularly with cloud storage configuration parameters); mass deletion of Volume Shadow Copies; stopping of backup-related services (Veeam, SQL Server, Exchange); and GPO modifications that disable Windows Defender across the domain. Monitor for unusual use of legitimate RMM tools (Atera, AnyDesk, Splashtop) that were not deployed by the IT team. The Conti Leaks playbooks provide a detailed roadmap of techniques that defenders can use to build detection rules. Network segmentation and offline, immutable backups remain the most effective mitigations against Conti-lineage attacks.
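As an added example (not code from this page or from any cited advisory), a small Python rule set that applies the endpoint indicators above to constructed process-creation events and escalates a host once more than one stage of the chain appears on it. The record fields, the per-host RMM allow-list and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:          # one process-creation record (host, image path, command line)
    host: str
    image: str
    cmdline: str

RMM_TOOLS = {"atera", "ateraagent", "anydesk", "splashtop"}
IT_APPROVED_RMM = {"ws-it-01": {"anydesk"}}   # hypothetical allow-list, per host
BACKUP_SVC = ("veeam", "sql", "msexchange")
def classify(ev: ProcEvent) -> set[str]:
    """Labels for one event; an empty set means nothing matched."""
    hits = set()
    exe = ev.image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    stem = exe[:-4] if exe.endswith(".exe") else exe
    cmd = ev.cmdline.lower()
    # Rclone copying to a remote ("name:path") or with an explicit config file.
    if stem == "rclone" and re.search(r"\b(copy|sync|move)\b", cmd) and (
            "--config" in cmd or re.search(r"\s[a-z0-9_-]+:\S", cmd)):
        hits.add("exfil_rclone")
    # Volume Shadow Copy deletion (T1490).
    if stem == "vssadmin" and "delete shadows" in cmd:
        hits.add("shadow_copy_deletion")
    # Backup, database or mail services stopped ahead of encryption.
    if stem in ("net", "net1", "sc") and " stop " in cmd and any(s in cmd for s in BACKUP_SVC):
        hits.add("backup_service_stop")
    # Defender real-time protection switched off from PowerShell (T1562.001).
    if stem in ("powershell", "pwsh") and "disablerealtimemonitoring" in cmd:
        hits.add("defender_disable")
    # RMM tool running on a host where IT never deployed it.
    if stem in RMM_TOOLS and stem not in IT_APPROVED_RMM.get(ev.host, set()):
        hits.add("unapproved_rmm")
    return hits
def triage(events):
    """Per-host union of labels; a host showing 2+ distinct stages is escalated."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(classify(ev))
    return {h: (lbl, len(lbl) >= 2) for h, lbl in per_host.items() if lbl}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    ProcEvent("fs-01", r"C:\Tools\rclone.exe", r"rclone.exe copy C:\Finance mega:exfil --config C:\Tools\rclone.conf"),
    ProcEvent("fs-01", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("fs-01", r"C:\Windows\System32\net.exe", "net stop VeeamBackupSvc /y"),
    ProcEvent("ws-it-01", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe --service"),
    ProcEvent("ws-hr-07", r"C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
]
```

Run `triage(SAMPLE_EVENTS)`: the file server is escalated on three distinct stages, the IT workstation with the approved AnyDesk stays silent, and the HR workstation is flagged for an RMM tool IT never deployed but not yet escalated.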

Related Intelligence (1): Nation-State Roundup: Lazarus Deploys Medusa Ransomware, VMware Vulnerabilities, and Global Cybercrime Operations (severity: high, Feb 25, 2026)