top of page
  • Writer's pictureFYEO

Ransomware Group Deep Dive: Conti


In recent years, one of the greatest cyber threats to businesses has been so-called “ransomware groups” or “ransomware gangs.” These are organized networks of cybercriminals who collaborate to commit sophisticated ransomware attacks.

The proliferation of ransomware gangs is largely due to the growth of the “ransomware as a service” (RaaS) business model, which has dramatically lowered the technical barriers to entry. RaaS customers pay developers for access to ransomware tools and kits, which they can use to launch their own attacks.

The Conti ransomware group is a RaaS gang that IT security analysts have called “one of the most aggressive ransomware groups.” So what should you know about Conti ransomware and the threats it poses to you? This article will take a deep dive into the Conti ransomware group.

What Is the Conti Ransomware Group?

Conti is a ransomware group that has been linked to over 1,000 ransomware attacks around the world, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). First detected in February 2020, the Conti ransomware group is believed to be the successor of Ryuk and the Russian gang Wizard Spider from Saint Petersburg who was the group behind the creation of ransomware such as Conti, Trickbot and others.

Like several other ransomware groups, Conti uses a “double extortion” strategy. Victims of Conti ransomware face not only the permanent loss of their data but also the data’s exposure on the Dark Web if they refuse to pay the ransom.

Conti has also earned a reputation as an aggressive ransomware gang, often reneging on its promises to victims. For example, the group has threatened organizations that their files will be published on the Dark Web if their payment negotiations with Conti are leaked to the media. If an organization releases these messages after rescuing its files, Conti has warned that it will release the data of another business in retaliation.

The Conti ransomware group has targeted a number of businesses across a variety of sectors and industries. Below are just a few of the highest-profile Conti ransomware attacks:

  • May 2021: Ireland’s Health Service Executive was hit by a Conti ransomware attack, causing widespread disruption within the country’s healthcare system. Nine months later, Ireland had spent $48 million recovering from the attack.

  • May 2021: The city of Tulsa, Oklahoma, suffered a Conti ransomware attack and subsequent data breach. Websites and systems for bill payments, utilities, and email were disrupted, and documents such as police citations were leaked.

  • April–May 2022: More than 20 government institutions in Costa Rica were affected by a Conti ransomware attack. Hackers threatened to release sensitive data from the Ministry of Finance, and the Costa Rican government was forced to declare a state of emergency.

IT security researchers suggest that the Conti ransomware group may no longer be a threat—for now. In June 2022, threat intelligence analyst Ido Cohen reported that most of the group’s servers and infrastructure had been taken down. However, with the ransomware threat landscape constantly in flux, it’s likely that many of the members of the Conti group have joined other ransomware gangs, posing the same menace under different names.

How Does Conti Ransomware Work?

Conti ransomware can initially spread through multiple attack vectors. These include:

  • Phishing emails that fool users into downloading malware attachments.

  • Tricking users into revealing credentials through social engineering techniques.

  • Exploiting security flaws in the Windows Remote Desktop Protocol (RDP) software.

  • Buying access to an organization’s network from other malicious actors (so-called “network access brokers”).

Once inside the network, Conti ransomware uses reconnaissance and lateral movement techniques to observe the IT ecosystem and silently move from one machine to another.

One popular tool used by the Conti ransomware group is Cobalt Strike, a penetration testing tool that helps detect network vulnerabilities. Conti ransomware is sophisticated enough to use legitimate tools and applications—such as software for remote monitoring and remote desktop—for its own nefarious purposes, helping reduce the risk of identification.

Rather than writing itself to disk, Conti loads itself into the computer’s memory, which helps it evade detection by anti-malware programs. This approach also has the advantage of leaving behind no trace for IT analysts to study after the attack.

Conti uses the AES-256 algorithm to encrypt files, with a unique key pair used for each victim. Researchers have also observed the Conti ransomware using the open-source Rclone tool to exfiltrate the victim’s data to cloud storage services such as Mega, enabling the Conti group to pursue its “double extortion” strategy.

How To Protect Yourself Against Conti Ransomware

As with other forms of ransomware, the best way to defend against Conti ransomware is by preventing it from reaching your network in the first place. The tips below will help protect against Conti ransomware:

  • Teach users how to recognize phishing emails and attacks.

  • Patch security flaws in Remote Desktop Protocol (RDP) and other software.

  • Install antivirus and anti-malware tools and keep them up-to-date.

  • Create regular backups of important data and files.

  • Engage in regular Dark Web threat monitoring to understand the ransomware threat landscape.


Here’s what you need to know about the Conti ransomware group:

  • The Conti ransomware group is responsible for more than 1,000 ransomware attacks, including high-profile attacks on government targets in Ireland, the U.S., and Costa Rica.

  • Conti is known for its aggressive “double extortion” strategy and may leak victims’ data or refuse to restore access regardless of paying the ransom.

  • After shutting down critical infrastructure in June 2022, the Conti group currently appears to be dormant, with members likely joining other ransomware gangs.

Is your business worried about sensitive data being published on the Dark Web? FYEO's threat intelligence software contains a database of more than 23 billion leaked credentials—one of the largest in the world. When users’ sensitive information is leaked on the Dark Web, we issue an alert so that they can immediately protect themselves. Get in touch with us today to request a demo of FYEO Domain Intelligence.


bottom of page