Conti Ransomware
What is Conti Ransomware?
A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
Conti emerged in early 2020 as a successor to Ryuk and was operated by the cybercrime cluster tracked as Wizard Spider / TrickBot / UNC1878. Leaked internal chats showed a corporate-style structure with HR, payroll, R&D and round-the-clock negotiators, and the group hit healthcare, manufacturing, government and critical-infrastructure targets. High-profile incidents include the May 2021 attack on Ireland's Health Service Executive (HSE), which took hospital IT systems offline nationwide for weeks, and the April 2022 attack on the Costa Rican government, which prompted a national emergency declaration. After Conti publicly backed the Russian invasion of Ukraine in February 2022, a Ukrainian researcher leaked tens of thousands of the group's internal chat messages along with its source code. The brand was retired in mid-2022 and members regrouped into Royal (later BlackSuit), Black Basta, Karakurt and other operations.
● Examples
- 01
The Conti attack on Ireland's HSE in May 2021 disrupted healthcare nationwide for weeks.
- 02
The April 2022 Conti attack on Costa Rica's government led the country to declare a national emergency, the first such declaration by a national government in response to a cyberattack.
● Frequently asked questions
What is Conti Ransomware?
A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks. It belongs to the Defense & Operations category of cybersecurity.
What does Conti Ransomware mean?
A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
How does Conti Ransomware work?
Conti ran a double-extortion model: operators gained a foothold (commonly through phishing that delivered the TrickBot or BazarLoader malware, stolen or weak remote-access credentials, or unpatched internet-facing services), moved laterally with tooling such as Cobalt Strike, exfiltrated sensitive data, deployed the encryptor across the estate, and then threatened to publish the stolen data on the group's leak site if the victim refused to pay. Conti emerged in early 2020 as a successor to Ryuk and was operated by the cybercrime cluster tracked as Wizard Spider / TrickBot / UNC1878. Leaked internal chats showed a corporate-style structure with HR, payroll, R&D and round-the-clock negotiators, and the group hit healthcare, manufacturing, government and critical-infrastructure targets. High-profile incidents include the May 2021 attack on Ireland's Health Service Executive (HSE) and the April 2022 attack on the Costa Rican government, which prompted a national emergency declaration. After Conti publicly backed the Russian invasion of Ukraine in February 2022, a Ukrainian researcher leaked the group's internal chats and source code. The brand was retired in mid-2022 and members regrouped into Royal (later BlackSuit), Black Basta, Karakurt and other operations.
How do you defend against Conti Ransomware?
Defences target Conti's intrusion chain rather than the encryptor alone: filter phishing and block the loaders (TrickBot, BazarLoader) used for initial access; require MFA on VPN, RDP and other remote-access paths; patch internet-facing services promptly; segment networks and restrict lateral movement and local-admin reuse; keep offline, regularly tested backups; monitor for Cobalt Strike beaconing, credential dumping and pre-encryption steps such as shadow-copy deletion; and plan incident response on the assumption that data has already been stolen, because with double extortion restoring from backup does not end the incident.
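One of the few pre-encryption steps that is both reliable and cheap to detect is the attacker destroying local recovery options (shadow copies, backup catalogues, Windows recovery) right before the encryptor runs. The script below is an added example, not code from this page or from any Conti tooling: it runs a small set of generic ransomware-preparation patterns over constructed process-creation log lines (the `host="…" user="…" cmd="…"` format is hypothetical) and escalates any host that trips more than one rule. The patterns are common to most human-operated ransomware, not Conti-specific indicators.

```python
"""Flag ransomware pre-encryption commands in process-creation logs.

Added example, not code from the Conti glossary page. The sample log lines
are constructed and use a hypothetical key="value" event format; the command
patterns are the generic shadow-copy and recovery-tampering commands that
human-operated ransomware crews run before launching an encryptor.
"""
import re
from dataclasses import dataclass

# Commands that destroy local recovery options. Listing shadow copies is
# benign and deliberately not matched; only deletion/disable forms are.
PRE_ENCRYPTION_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*delete)",
        re.IGNORECASE,
    ),
    "backup_catalog_delete": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE
    ),
    "recovery_disable": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.IGNORECASE,
    ),
}

# Constructed sample events (hypothetical format, hypothetical hosts/users).
SAMPLE_LOG = [
    r'host="FS01" user="CORP\svc_backup" cmd="wbadmin start backup -backupTarget:E: -include:D:"',
    r'host="WS07" user="CORP\jdoe" cmd="C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"',
    r'host="WS07" user="CORP\jdoe" cmd="bcdedit /set {default} recoveryenabled No"',
    r'host="WS07" user="CORP\jdoe" cmd="wbadmin delete catalog -quiet"',
    r'host="DC01" user="CORP\admin" cmd="vssadmin list shadows"',
    r'host="SQL02" user="NT AUTHORITY\SYSTEM" cmd="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command: str


def parse_line(line):
    """Parse one key="value" event into a dict (hypothetical log format)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def detect(lines):
    """Return one Alert per (event, rule) match, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmd", "")
        for rule, pattern in PRE_ENCRYPTION_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("host", "?"), ev.get("user", "?"), rule, cmd))
    return alerts


def escalate(alerts, min_rules=2):
    """Hosts that tripped at least min_rules distinct rules: treat as an
    encryptor about to launch, not as a single suspicious admin command."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.host:6} {a.rule:22} {a.user:22} {a.command}")
    print("escalate:", escalate(found))
```

In production the same logic belongs in the SIEM or EDR as a rule over Sysmon event ID 1 / Windows event 4688 command lines; the point of the host-level correlation is that a lone `vssadmin delete shadows` can be an administrator cleaning disk, whereas shadow-copy deletion plus recovery disable plus catalogue deletion on one host in a short window is the signature of an encryptor being staged and should trigger isolation of that host.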
What are other names for Conti Ransomware?
Common alternative names include: Conti gang, Conti RaaS.
● Related terms
- defense-ops№ 901
Ransomware Gang
A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- malware№ 902
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- defense-ops№ 624
LockBit
A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
- defense-ops№ 099
BlackCat / ALPHV
A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
- defense-ops№ 928
REvil / Sodinokibi
A Russian-speaking ransomware-as-a-service operation active 2019-2021, known for double extortion and the high-impact Kaseya VSA supply-chain attack.
- defense-ops№ 536
Initial Access Broker (IAB)
A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
● See also
- № 040 Akira Ransomware