Threat Actor Characterization

Conti

ID: 335248f18d8d9f97618415474cba59ba58085
Category tags: Crimeware, Ransomware
Threat types: Ransomware, Data Theft, Extortion
Country tags: Russia, USA
Updated: 2026-03-14
Created: 2025-10-24
Operation zone: United States
Aliases: none registered.
MITRE ATT&CK®

Conti is a ransomware family and ransomware-as-a-service (RaaS) ecosystem, active since late 2019/2020, associated with enterprise-focused intrusions featuring credential abuse, discovery, lateral movement, data theft for extortion, recovery inhibition (shadow copy deletion), service disruption, and encryption for impact. The mapping below emphasizes behaviors and pre-impact signals; affiliate infrastructure and tooling vary from incident to incident, so the technique list is a baseline for hunting rather than a complete description of any single intrusion.

Technique   Technique name               Tactic
T1059.003   Windows Command Shell        TA0002 Execution
  • 2025-04-16: Windows command shell usage cited in the ATT&CK Conti entry references (execution of built-in tools such as net and vssadmin).
T1486       Data Encrypted for Impact    TA0040 Impact
  • 2025-04-16: Data encrypted for impact is the core behavior; encryption routine details are described in the ATT&CK entry references.
T1490       Inhibit System Recovery      TA0040 Impact
  • 2021-09-22: Inhibit system recovery via shadow copy deletion (vssadmin) noted in the joint CSA and the ATT&CK entry.
T1489       Service Stop                 TA0040 Impact
  • 2025-04-16: Service stop behavior (net stop) to terminate security, backup and database services prior to encryption so that locked files can be overwritten.
T1135       Network Share Discovery      TA0007 Discovery
  • 2025-04-16: Network share discovery capability described (NetShareEnum).
T1021.002   SMB/Windows Admin Shares     TA0008 Lateral Movement
  • 2025-04-16: Remote services via SMB/admin shares used for spread and remote encryption.
T1018       Remote System Discovery      TA0007 Discovery
  • 2025-04-16: Remote system discovery capability described as part of the targeting logic.
T1083       File and Directory Discovery TA0007 Discovery
  • 2025-04-16: File and directory discovery used to enumerate targets for encryption.
T1057       Process Discovery            TA0007 Discovery
  • 2025-04-16: Process discovery used to identify processes relevant to file locking and service targeting.
T1027       Obfuscated Files or Information TA0005 Defense Evasion
  • 2025-04-16: Obfuscated/encrypted components and hidden (dynamically resolved) API usage noted in the ATT&CK entry references.
T1041       Exfiltration Over C2 Channel TA0010 Exfiltration
  • 2021-09-22: INFERENCE (confidence: medium): the double-extortion posture implies exfiltration prior to encryption. Note that the rclone usage cited in the advisory would map more naturally to T1567.002 (Exfiltration to Cloud Storage) than to the C2 channel; validate the channel per incident telemetry.
T1560       Archive Collected Data       TA0009 Collection
  • 2021-09-22: INFERENCE (confidence: medium): data theft workflows in ransomware intrusions commonly include archiving/staging prior to exfiltration.
Strategic Intelligence
Last updated: 2026-02-24T04:54:36+00:00

Conti — Human-operated ransomware & data-extortion program (ecosystem fragmentation post-2022 leaks)

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cybercrime / Ransomware & Extortion — Origin: INFERENCE (confidence: high): Russian-speaking cybercrime ecosystem

Author: iQBlack CTI Team

Executive Summary

Conti was one of the most prolific "human-operated" ransomware-and-extortion programs, characterized by rapid encryption capability, aggressive double-extortion pressure, and businesslike internal processes described in leaked internal materials from early 2022. The joint CISA/FBI/NSA advisory (AA21-265A, 22 September 2021) describes repeated use of phishing and credential-based access, post-exploitation frameworks (e.g., Cobalt Strike), credential theft tooling, lateral movement via SMB/admin shares, and exfiltration using rclone.

In late February 2022, a public pro-Russia statement preceded an unprecedented leak of Conti internal chats, documents, and code, which many analysts assess as a major inflection point leading to operational disruption and subsequent fragmentation/rebranding. Defenders should therefore model “Conti” as both (a) a historic brand and (b) a durable tradecraft bundle that persists across successor clusters.

  • Industries / Sectors: Broad, with significant victimization in healthcare, public sector, and large enterprises in open reporting; the joint CSA notes hundreds of attacks and a range of intrusion vectors.
  • Geography: Global exposure; advisory focus includes U.S. and international organizations.
  • Timeframe: Prominent activity from 2020–2022, with tactical legacy persisting in later ransomware ecosystems (INFERENCE, confidence: high).
Executive Analyst Brief for CISO

Conti — Ransomware/Extortion Program (historical flagship; ecosystem fragmentation post-2022 leaks)

Classification: TLP:WHITE — OSINT

Hunting Playbook

Hunting Playbook — Conti


IOC Appendix
Last updated: 2026-02-24T04:43:10+00:00

IOC Appendix (TLP:WHITE) — Conti


OSINT Library
No content yet.
Social Media & Communication

Twitter: twitter.com/Con******* (handle masked in the preview)
Clearnet domains: conti.news, continews.click, contirecovery.best, contirecovery.top
Tor (.onion) addresses:
  • continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion
  • htcltkjqoitnez5slo7fvhiou5lbno5bwczu7il2hmfpkowwdpj3q2yd.onion
  • m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
  • contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion
  • contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion