Threat Actor Profile
Description
Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and is thought to be led by a Russia-based cybercrime group that operates under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Conti is an extremely damaging ransomware due to the speed '
'with which it encrypts data and spreads to other systems. It '
'was first observed in 2020 and it is thought to be led by a '
'Russia-based cybercrime group that goes under the Wizard '
'Spider pseudonym. In early May 2022, the US government '
'announced a reward of up to $10 million for information on '
'the Conti ransomware gang.\n',
'firstseen': '2020-07-31T00:00:00+00:00',
'group': 'conti',
'has_negotiations': True,
'has_ransomnote': True,
'lastseen': '2022-06-07T18:40:06.936435+00:00',
'locations': [{'available': False,
'fqdn': 'continews.bz',
'slug': 'http://continews.bz',
'title': 'Error Response Page',
'type': 'DLS'},
{'available': False,
'fqdn': 'continews.click',
'slug': 'http://continews.click',
'title': 'Access Blocked',
'type': 'DLS'},
{'available': False,
'fqdn': 'continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion',
'slug': 'http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/',
'title': 'CONTI.News',
'type': 'DLS'}],
'negotiation_count': 32,
'ransomnotes_count': 4,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'continews.bz',
'slug': 'http://continews.bz',
'title': 'Error Response Page',
'type': 'DLS'},
{'available': False,
'fqdn': 'continews.click',
'slug': 'http://continews.click',
'title': 'Access Blocked',
'type': 'DLS'},
{'available': False,
'fqdn': 'continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion',
'slug': 'http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/',
'title': 'CONTI.News',
'type': 'DLS'}],
'negotiation_count': 32,
'ransomnotes_count': 4,
'ransomware_live_group': 'conti',
'tools': {'CredentialTheft': ['Mimikatz',
'ProcDump',
'Router Scan',
'SharpChrome'],
'DefenseEvasion': ['GMER', 'PCHunter'],
'DiscoveryEnum': ['AdFind',
'Bloodhound',
'PowerView',
'Seatbelt',
'ShareFinder',
'SharpView',
'SoftPerfect NetScan'],
'Exfiltration': ['Dropfiles',
'MEGA',
'Qaz[.]im',
'RClone',
'Sendspace',
'WinSCP'],
'LOLBAS': ['BITSAdmin',
'NTDS Utility (ntdsutil)',
'PsExec',
'WMIC'],
'Networking': [],
'Offsec': ['Cobalt Strike',
'Metasploit',
'Meterpreter',
'PowerShell Empire',
'PowerSploit',
'Rubeus'],
'RMM-Tools': ['AnyDesk', 'Atera', 'Splashtop']},
'url': 'https://www.ransomware.live/group/conti',
'victims': 351,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz',
'ProcDump',
'Router Scan',
'SharpChrome'],
'DefenseEvasion': ['GMER', 'PCHunter'],
'DiscoveryEnum': ['AdFind',
'Bloodhound',
'PowerView',
'Seatbelt',
'ShareFinder',
'SharpView',
'SoftPerfect NetScan'],
'Exfiltration': ['Dropfiles',
'MEGA',
'Qaz[.]im',
'RClone',
'Sendspace',
'WinSCP'],
'LOLBAS': ['BITSAdmin', 'NTDS Utility (ntdsutil)', 'PsExec', 'WMIC'],
'Networking': [],
'Offsec': ['Cobalt Strike',
'Metasploit',
'Meterpreter',
'PowerShell Empire',
'PowerSploit',
'Rubeus'],
'RMM-Tools': ['AnyDesk', 'Atera', 'Splashtop']},
'ttps': [],
'url': 'https://www.ransomware.live/group/conti',
'victims': 351,
'vulnerabilities': []}