Conti emerged as a successor to the Ryuk ransomware operation and became one of the most prolific cybercriminal enterprises of the early 2020s. It operated on a ransomware-as-a-service (RaaS) model, in which a core team developed the malware and supporting infrastructure while affiliates carried out intrusions and split the ransom proceeds. Conti was notable for its industrialized structure, including salaried developers, HR-style recruiting, and internal management hierarchies.
The group drew particular international attention for its attack on Ireland's Health Service Executive (HSE) in May 2021, which forced the shutdown of IT systems across the Irish public health system and disrupted patient care for months. The U.S. Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency issued advisories linking Conti to hundreds of incidents against U.S. targets, including municipal governments and critical infrastructure.
Conti's political profile rose sharply after Russia's full-scale invasion of Ukraine in February 2022. The group publicly declared support for the Russian government and threatened retaliation against states opposing Moscow. Days later, a Ukrainian researcher leaked a large trove of internal Conti chat logs, source code, and operational files — known as the "ContiLeaks" — exposing the group's organizational chart, payroll, and apparent connections to Russian-speaking cybercrime ecosystems. The leaks gave researchers an unusually detailed look at how a major ransomware operation functioned.
In May 2022, the U.S. Department of State's Rewards for Justice program offered up to $10 million for information on Conti leadership. The brand was retired in mid-2022, but analysts at firms such as Mandiant and Recorded Future have documented former members migrating to successor operations including Black Basta, Royal, and Quantum. Conti is frequently cited in policy debates over sanctions on ransomware payments, cyber insurance, and the responsibility of states that tolerate cybercriminal activity within their borders.
Example
In May 2021, the Conti ransomware group attacked Ireland's Health Service Executive, crippling hospital IT systems and prompting the Irish government to refuse payment of the multi-million-euro ransom demand.
Frequently asked questions
The Conti brand was shut down in mid-2022 following the ContiLeaks exposure, but researchers have tracked former members and infrastructure into successor groups such as Black Basta, Royal, and Quantum.
Keep learning