Conti

conti · primary source: MITRE · first observed 2020 · last observed 2022

RU · RussiaRansomwareModerate confidencelast cited Feb 26, 2022 · 4y ago

Russian-speaking ransomware operation that ran the dominant double-extortion brand of 2020-2022. After the group publicly declared support for the Russian invasion of Ukraine in February 2022, an insider leaked the operation's complete Jabber chat archive ('Conti Leaks', 27 February 2022), exposing operator identities, salaries, an org chart, and the Conti v2 builder source code. The Conti brand wound down by mid-2022; operators dispersed into Black Basta, Royal/BlackSuit, BlackByte, Karakurt, Quantum, and other successor operations.

Aliases

Wizard SpiderCrowdStrikeTrickBot GroupOtherGold UlrickOther

Motivations

financial gain

Target sectors

healthcaregovernmentmanufacturingfinancial

Target countries

USGBDEFRITCR

Lineage & relationships

full graph →

Predecessor of

Black Basta

Black Basta is the principal Conti spinoff

Predecessor of

BlackSuit

Royal/BlackSuit lineage via Quantum

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Conti
Russia
financial gain

Capability

Infrastructure

badiwaw.com
185.141.63.120
162.244.80.235

Victim

healthcare
government
manufacturing
US
GB
+1 more

MITRE ATT&CK techniques

T1486 T1490 T1078 T1219

Tools & malware

5 entries

Timeline

1 event

ReportHigh2022-02-27·ContiLeaks (open-source, mirrored by vx-underground)
Conti Leaks expose 393 days of internal Jabber chat + v2 source
Days after the Conti operation publicly declared support for the Russian invasion of Ukraine, a pro-Ukraine insider (the 'ContiLeaks' account) published 393 days of the group's internal Jabber chat archive, an org chart, salary records, internal training materials, and source code for the Conti v2 builder. The leak directly mapped operator handles to real-world identities and provided the foundation for subsequent indictments and the Black Basta / Royal / BlackSuit successor-operation lineage.
leakinsider-threatopen-source-intelligence

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
Domain	badiwaw[.]com family · Conti One of 98 lookalike domains sharing registration and naming characteristics of Conti-distribution infrastructure published by CISA in the February-March 2022 update to AA21-265A.	Mar 8, 2022	CISA
IPv4	185[.]141[.]63[.]120 family · Conti Cobalt Strike C2 server IP attributed to Conti operators in the leaked-playbook artifacts referenced in the March 2022 update to AA21-265A. Conti relied on Cobalt Strike alongside TrickBot for post-exploitation.	Sep 21, 2021	CISA
IPv4	162[.]244[.]80[.]235 family · Conti Cobalt Strike C2 server IP identified in artifacts leaked with the Conti 'playbook' and republished in the March 9, 2022 update to joint CISA/FBI/NSA/USSS advisory AA21-265A as previously used by Conti affiliates.	Sep 21, 2021	CISA

Related actors

shared ATT&CK techniques

?? · UnknownALPHV/BlackCat3 shared techniques
?? · UnknownBlack Basta3 shared techniques
?? · UnknownBlackSuit3 shared techniques
RU · RussiaDarkSide3 shared techniques
RU · RussiaINC Ransom3 shared techniques
RU · Russia8Base2 shared techniques
- T1486
- T1490

References

cite this page

Threat Intel Tracker. (2026-05-19). Conti — actor profile. Retrieved from https://threatintel.local/actors/conti

latest cited activity · 2022-02-27 · 3 cataloged indicators