Threat Profile: Conti Ransomware Group

Sept. 30, 2025, 8:41 a.m.

Description

Conti, a notorious ransomware operation first identified in 2019, quickly gained infamy for its fast encryption, rapid lateral movement, and double-extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state interests. Between 2019 and 2022, Conti targeted healthcare providers, governments, educational institutions, critical infrastructure, and private businesses, earning an estimated $180 million in 2021. Its aggressive tactics highlighted the urgent need for strong cybersecurity defenses. In 2022, internal divisions arose following the leak of the group's private chats. Conti's operations mimicked those of a legitimate business, showcasing the industrialization of cybercrime and its devastating impact on critical sectors.

Date

  • Created: Sept. 30, 2025, 5:15 a.m.
  • Published: Sept. 30, 2025, 5:15 a.m.
  • Modified: Sept. 30, 2025, 8:41 a.m.

Indicators

  • http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/
  • contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion

Attack Patterns

  • Conti - S0575
  • TSPY_TRICKLOAD
  • Ryuk - S0446
  • Totbrick
  • TrickBot - S0266
  • Cobalt Strike - S0154
  • Conti

Additional Information

  • Healthcare
  • Energy
  • Education
  • Finance
  • Government
  • Ukraine
  • Russian Federation