Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
Conti ransomware is a ransomware as a service (RaaS) operation that has been known to be active since 2020. It is believed to be operated by a gang of cybercriminals based in Russia and is notorious for aggressive attacks on a broad range of public and private organizations. These include attacks on healthcare organizations, educational institutions, governments, critical infrastructure, emergency services, and a wide variety of businesses. Also known as Wizard Spider, the Conti ransomware gang is thought to have emerged from an earlier ransomware variant — Ryuk ransomware — and is believed to have close ties to the Russian government. The Conti ransomware group was primarily active between December 2019 and May 2022, and recorded revenue of $180 million in 2021.
How Conti ransomware works
Conti ransomware operates on a RaaS model, where the developers of the malware lease it to other cybercriminals. “Affiliates” deploying the ransomware use it to mount attacks on victims and pay the Conti gang a percentage of ransoms they collect.
- Distribution. The Conti ransomware virus infects IT environments through various techniques, including phishing emails that contain a link to a Google Drive download that’s infected with malware called BazarLoader. Other infiltration techniques include exploitation of software vulnerabilities, such as those in the Microsoft Windows Server Message Block (SMB) protocol, and the use of malware like TrickBot or even legitimate adversary simulation tools such as Cobalt Strike. Conti ransomware operators also use backdoor malware that connects the victim’s devices to Conti’s command and control (C2) servers.
- Lateral movement. After gaining access to an IT environment, Conti ransomware operators disable security tools and move laterally to explore files and gain access to domain accounts.
- Exfiltration. Once attackers have located high-value files, they exfiltrate them to an external server for use in their extortion schemes.
- Encryption. Conti ransomware uses multi-threaded encryption to encrypt files quickly. Attackers may also delete file backups that could help victims recover data without paying a ransom.
- Double extortion. Conti operates a leak site where stolen data can be publicly revealed. In addition to demanding a ransom for decryption keys that restore access to the victim’s files, the Conti group may also demand ransom payment to not reveal sensitive information.
The Conti gang has gained a reputation for failing to keep its ransom negotiation promises — not providing decryption keys and publishing sensitive data even after the victim pays.
High-profile attacks
The 1,000+ reported Conti ransomware attacks include a number of notable infections:
- JVCKenwood: The Japanese electronics manufacturer was attacked in September 2021.
- Ireland’s Health Service Executive: The HSE was forced to shut down after a Conti ransomware attack in May 2021.
- Costa Rica: An attack in April 2022 prompted the Costa Rican government to declare a national emergency.
- The City of Tulsa: An attack in May 2021 forced the city to shut down its network and disrupted all online services for residents.
Demise and rebranding of Conti ransomware
In February 2022, shortly after Russia’s invasion of Ukraine, Conti released a statement supporting the war. This declaration dissuaded most subsequent victims from paying ransoms to the group, virtually eliminating its revenue source. Around the same time, a Conti insider expressing support for Ukraine leaked tens of thousands of pages of internal chats that revealed how the group worked and exposed its source code.
In September 2023, the U.S. Department of Justice indicted multiple foreign nationals for their involvement in the Conti ransomware schemes.
While the Conti group shut down its website and stopped ransomware attacks in 2022, experts believe that only the group’s brand has disappeared. Its members have likely changed their business model and will inevitably resurface as part of other types of ransomware attacks.
How to prevent a Conti ransomware attack
To mitigate the Conti ransomware cyberthreat and other similar cyberattacks, organizations are advised to follow best practices for ransomware protection that are recommended by law enforcement agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
- Continuous monitoring: Detecting attacks like Conti ransomware requires continuous monitoring for unusual network traffic. This may include communication with known malicious IP addresses, anomalies in file access patterns, and unexpected lateral movement within the network.
- Anti-phishing technology: Organizations should deploy filtering and endpoint solutions that monitor and block potential phishing emails.
- Zero Trust: Adopting a Zero Trust approach to security that limits access to critical infrastructure and sensitive data can help prevent unauthorized access and lateral movement by attackers.
- Multi-factor authentication (MFA): Requiring MFA security for all remote access and internal systems — especially for Remote Desktop Protocol (RDP) — adds an additional layer of protection against unauthorized access.
- Optimal patching cadence: Regularly updating and patching systems helps to address the software and hardware vulnerabilities that may be exploited by threat actors.
- Security awareness training: Educating employees about the dangers of ransomware and phishing emails is one of the most effective ways of mitigating human error.
- Frequent backups: Backing up sensitive data regularly, and ensuring that backups are isolated from the network, can help organizations recover quickly from a Conti ransomware attack.
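The continuous-monitoring item above names two signals that also map to the encryption and lateral-movement stages described earlier: a burst of file modifications from a single process and one account logging on to many hosts in a short window. The following is an added example, not code from Akamai or this page, of a simple sliding-window detector for both signals; the event records, process and account names, and thresholds are constructed assumptions.

```python
"""Heuristic detector for two ransomware signals: a burst of file writes
from one process (mass encryption) and one account authenticating to
many hosts in a short window (lateral movement). All telemetry below is
constructed sample data, not real logs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed values)
    kind: str     # "file_write" or "logon"
    actor: str    # process name or account name
    target: str   # file path or destination host


# Constructed sample: a normal editor, an encryptor-like burst of 25 files
# in 25 seconds, and a helpdesk account logging on to 12 hosts in a minute.
SAMPLE_EVENTS = [
    Event(1000, "file_write", "winword.exe", r"C:\docs\q3.docx"),
    *[Event(1010 + i, "file_write", "encryptor.exe", rf"C:\share\f{i}.xlsx.locked")
      for i in range(25)],
    *[Event(2000 + i * 5, "logon", "helpdesk", f"WS-{i:03d}") for i in range(12)],
    Event(3000, "logon", "alice", "WS-001"),
]


def find_bursts(events, kind, threshold, window):
    """Return {actor: max distinct targets} for actors that touch more than
    `threshold` distinct targets of `kind` inside any `window`-second span."""
    by_actor = defaultdict(list)
    for e in events:
        if e.kind == kind:
            by_actor[e.actor].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi, e in enumerate(evs):
            while e.ts - evs[lo].ts > window:   # slide window start forward
                lo += 1
            distinct = {x.target for x in evs[lo:hi + 1]}
            if len(distinct) > threshold:
                hits[actor] = max(hits.get(actor, 0), len(distinct))
    return hits


def detect(events):
    # Thresholds are assumptions; tune them to the environment's baseline.
    return {
        "mass_file_modification": find_bursts(events, "file_write", 20, 60),
        "lateral_logon_fanout": find_bursts(events, "logon", 8, 300),
    }
```

On the sample data the editor and the single logon stay below threshold, while the encryptor process and the helpdesk account are both flagged.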
Security teams may also adopt anti-ransomware technology as a part of a multilayered defense against a wide range of cyberthreats. Ransomware removal tools can help to eradicate malicious code from infected machines and servers.
FAQs
What is ransomware?
Ransomware is a type of cybercrime in which hackers gain access to an IT environment and encrypt data on servers and machines, preventing users from accessing files and applications. Attackers then demand that the victim pay a ransom to gain access to decryption keys, which will restore access to data.
What is ransomware as a service (RaaS)?
Ransomware as a service (RaaS) is a business model in which ransomware developers rent out their code to other cybercriminals. These “affiliates” conduct ransomware attacks on victims and pay the initial developer a percentage of their revenue. RaaS enables hackers with little expertise in ransomware to conduct sophisticated attacks.