Conti (ransomware)

[1][2] It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

[4] According to a leaked playbook, core team-members of a Conti operation manage the malware itself, while recruited affiliates are tasked with exploitation of victim networks and encryption of their devices.

[1] Conti has gained notoriety for targeting healthcare institutions, as seen in its attacks on organizations in Ireland and New Zealand.

[13] In April 2021 one member claimed that the group had an unnamed journalist working with it who took a 5% share of ransomware payments in exchange for pressuring victims to pay up.

[9] The retail industry has been the primary target of Conti attacks, followed by insurance, manufacturing, and telecommunications sectors.

Healthcare, which was targeted in high-profile attacks by the Conti group, ranks sixth on the list of affected industries.

[9] During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country.

[15][16][13] As a result, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine[17][18][19] along with source code and other files used by the group.

[22] Kimberly Goody, director of cybercrime analysis at Mandiant, says that the logs contain references to an unnamed external source that could be helpful to the gang.

[22] She points to mention in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government.

[24] A report from Recorded Future said that they did not think that the leak was a direct cause of the dissolution, but that it had accelerated already existing tensions within the group.