Huseyin Can YUCEEL | 1 MIN READ

LAST UPDATED ON OCTOBER 17, 2025

Conti Ransomware Group

By Huseyin Can YUCEEL & Picus Labs | August 22, 2022

Conti, the successor to Ryuk, became one of the most notorious ransomware groups through large, coordinated campaigns and a mature affiliate program. The operation used a Ransomware-as-a-Service (RaaS) model to scale quickly, enabling high-profile attacks in 2022 against organizations such as Panasonic, Bank Indonesia, and Meyer. Conti popularized triple extortion, which adds two pressure points on top of classic file encryption: victims face data theft and public shaming on leak sites, and the group also threatens to sell network access or leak sensitive records if payment is refused. This playbook increases leverage during negotiations and pushes impacted organizations toward faster decisions.

Conti affiliates typically gained initial access through phishing, exploitation of internet-facing services, stolen credentials purchased from initial access brokers, or delivery via loader families such as TrickBot and BazarLoader. Once inside, operators performed discovery, moved laterally, and escalated privileges using common administrative tools and Cobalt Strike beacons. Backups and shadow copies were removed, domain controllers were targeted, and large volumes of data were staged for exfiltration before encryption began. The Conti leaks, a trove of internal chat logs and playbooks, provided rare visibility into the group's processes, tooling, and negotiation tactics. Organizations can reduce risk by enforcing multifactor authentication, rapidly patching exposed services, segmenting critical systems, maintaining tested offline backups, monitoring for data exfiltration, and continuously validating detection and response controls against the real adversary techniques used by Conti and its successors.
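The pre-encryption sequence described above (data staged for exfiltration, then backups and shadow copies removed) is a useful detection point. The following added example, which is not part of the original profile or any Picus tooling, triages constructed Sysmon-style process-creation events per host: it flags recovery-inhibition commands and archive staging, and escalates a host to "critical" when staging is followed by shadow copy deletion. The event fields, rule names and severity labels are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), modelled on Sysmon process-creation records.
EVENTS = [
    {"host": "ws01", "ts": "2022-08-22T10:01:00", "cmdline": "cmd.exe /c dir"},
    {"host": "fs02", "ts": "2022-08-22T10:05:00",
     "cmdline": "7z.exe a -p -mhe=on D:\\stage\\finance.7z \\\\fs02\\finance"},
    {"host": "fs02", "ts": "2022-08-22T10:20:00", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs02", "ts": "2022-08-22T10:21:00", "cmdline": "wmic shadowcopy delete"},
    {"host": "dc01", "ts": "2022-08-22T10:30:00", "cmdline": "vssadmin.exe list shadows"},
]

# Rule name -> regex over the command line. The recovery-inhibition patterns are well-known
# admin commands abused before encryption; the staging pattern catches password-protected archives.
RULES = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_off", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("archive_staging", re.compile(r"\b(7z|rar|winrar)(\.exe)?\s+a\s+.*-p", re.I)),
]
RECOVERY_RULES = {"shadow_copy_delete", "wmic_shadowcopy_delete", "bcdedit_recovery_off"}

def match_rules(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]

def triage(events):
    """Group rule hits per host in time order and assign a severity.
    critical: archive staging observed before a recovery-inhibition command (the pattern above)
    high:     recovery inhibition alone;  medium: staging alone."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_rules(ev):
            hits[ev["host"]].append(name)
    report = {}
    for host, names in hits.items():
        first_stage = next((i for i, n in enumerate(names) if n == "archive_staging"), None)
        first_recovery = next((i for i, n in enumerate(names) if n in RECOVERY_RULES), None)
        if first_stage is not None and first_recovery is not None and first_stage < first_recovery:
            severity = "critical"
        elif first_recovery is not None:
            severity = "high"
        else:
            severity = "medium"
        report[host] = {"hits": names, "severity": severity}
    return report

if __name__ == "__main__":
    for host, r in triage(EVENTS).items():
        print(f"{host}: {r['severity']} ({', '.join(r['hits'])})")
```

Listing shadow copies on dc01 is deliberately not flagged; only deletion and recovery-disabling commands match, which keeps routine administration out of the alert queue.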

Metadata

Associated Groups

Successor of the Ryuk ransomware group. Aliases: Grim Spider, Wizard Spider

Associated Country

Russia

Target Sectors

Healthcare, Insurance, Manufacturing, Technology, Telecommunications, Retail

Target Countries

United States, Ireland, Netherlands, New Zealand, Taiwan

Modus Operandi

Business Models

Ransomware-as-a-Service (RaaS)

Multiple Extortion

Extortion Tactics

File Encryption

Data Leakage

Selling Access

Initial Access Methods

Exploit Public-Facing Application

Phishing

External Remote Services

Impact Methods

Data Encryption

Data Exfiltration

Exploited Applications and Vulnerabilities by Conti

Application | Vulnerability | CVE | CVSS
Microsoft Exchange | ProxyShell RCE | CVE-2021-34473 | 9.8 (Critical)

Utilized Tools and Malware by Conti