
Conti / Wizard Spider Ransomware: Threat Actor Profile

Conti was both a ransomware brand and the public face of the Wizard Spider / TrickBot empire — one of the most capable Russia-based cybercrime enterprises ever, whose alumni seeded Black Basta and BlackSuit. A full profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

Conti was both a ransomware brand and the public face of the broader Wizard Spider / TrickBot ecosystem — one of the most capable Russia-based criminal enterprises ever observed. MITRE tracks Wizard Spider as a financially motivated group active since at least 2016 and tracks Conti as ransomware-as-a-service (RaaS) used against major corporations and government agencies.

Conti: at a glance

  • Aliases: Wizard Spider, Grim Spider, UNC1878, FIN12, GOLD BLACKBURN, TrickBot-linked cluster; Conti as malware/brand
  • Country / affiliation: Russia-based cybercrime ecosystem
  • Assessed status (as of July 2026): Brand inactive; alumni active
  • Primary objectives: Intrusive access, data theft, ransomware extortion, credential theft, and healthcare/enterprise targeting
  • Financial destruction / gain: No single clean, primary-source, group-wide total is verifiable, but related DOJ reporting ties Conti/Ryuk operations to $150M+ in ransom payments across 1,000+ victims
  • Type: ransomware enterprise + botnet ecosystem

Who is Conti?

The 2022 Conti leaks destroyed the brand's secrecy, exposing chat logs, salaries, and internal structure. Its personnel and tradecraft visibly flowed into later groups including Black Basta and BlackSuit, making Conti the most influential ransomware family tree in the ecosystem.

Aliases and attribution

Wizard Spider is the overarching threat actor cluster; Conti, Ryuk, TrickBot, and BazarLoader are its tools and brands. Vendors label it GOLD BLACKBURN (Secureworks), UNC1878/FIN12 (Mandiant), and Grim Spider (CrowdStrike). The 2022 'Conti Leaks,' released by an insider after the group backed Russia's invasion of Ukraine, provided rare ground-truth for cyber attribution.

Financial impact and damage

Conti and its Ryuk predecessor ran ransomware like a corporation, with salaried staff and HR functions. Related DOJ reporting ties the operation to $150 million-plus in ransom payments across 1,000+ victims, including an attack that paralyzed the government of Costa Rica and prompted a national emergency. A single clean group-wide figure is elusive, so its ranking rests on scale and influence.

Conti timeline

  • 2016: TrickBot ecosystem scales as a banking trojan and loader
  • 2019: Conti ransomware first observed
  • 2020: Ryuk / TrickBot / Conti waves intensify against healthcare and enterprise
  • 2022: Conti leaks and brand rupture after backing Russia's invasion
  • 2024-2026: Tradecraft persists in successor crews (Black Basta, BlackSuit, Royal)

Notable attacks and campaigns

The 2021-2022 attack on Ireland's Health Service Executive and the 2022 attack on Costa Rica's government showed Conti's willingness to cripple public institutions. The Conti Leaks exposed the inner workings of a ransomware corporation. After the brand dissolved, its members seeded a generation of successor operations.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1059.001 — PowerShell: Wizard Spider used macros and PowerShell to download malware and move laterally. Constrain PowerShell and hunt macro-to-PowerShell process chains.
  • T1210 — Exploitation of Remote Services: The cluster exploited Zerologon and EternalBlue for lateral movement. Patch domain controllers and SMB-exposed systems aggressively.
  • T1486 — Data Encrypted for Impact, with double extortion: Conti steals sensitive files before encryption and threatens to leak them. Detect exfil-before-encrypt patterns and archive staging alongside shadow-copy deletion.

Detection and defense against Conti

Conti's kill chain typically ran from a TrickBot/Bazar infection to domain-wide encryption, so break the chain early:

  • Detect and remediate commodity loaders (TrickBot, BazarLoader, Emotet) before they escalate.
  • Patch domain controllers and SMB systems against Zerologon and EternalBlue.
  • Constrain PowerShell and hunt macro-to-PowerShell process chains.
  • Alert on exfiltration-before-encryption and archive staging.
  • Segment networks and protect backups against shadow-copy deletion.
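Two of the hunts above (the macro-to-PowerShell process chain from the T1059.001 entry, and archive staging followed by shadow-copy deletion from the T1486 entry) as detection logic over process-creation telemetry. This is an added example, not code from the original guide or from any vendor; the event records are constructed to resemble Sysmon Event ID 1 fields, and the process names, time window and field names are assumptions.

```python
"""Hunt Conti-style process chains in constructed process-creation events."""
from collections import defaultdict

# Assumed process-name sets; extend to match your environment.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
SHADOW_DELETE = ("vssadmin delete shadows", "wmic shadowcopy delete")

# Constructed sample events (not real telemetry); ts is seconds since epoch.
EVENTS = [
    {"ts": 100, "host": "ws01", "image": "winword.exe", "parent": "explorer.exe",
     "cmd": "WINWORD.EXE invoice.docm"},
    {"ts": 101, "host": "ws01", "image": "powershell.exe", "parent": "winword.exe",
     "cmd": "powershell -nop -w hidden -enc <placeholder>"},
    {"ts": 300, "host": "fs01", "image": "7z.exe", "parent": "cmd.exe",
     "cmd": "7z a C:\\staging\\finance.7z \\\\fs01\\finance"},
    {"ts": 420, "host": "fs01", "image": "vssadmin.exe", "parent": "cmd.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": 500, "host": "ws02", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell Get-Date"},  # benign: not spawned by Office
]


def macro_to_powershell(events):
    """Return events where an Office process spawned PowerShell (macro chain)."""
    return [e for e in events
            if e["image"].lower() == "powershell.exe"
            and e["parent"].lower() in OFFICE]


def exfil_before_encrypt(events, window=600):
    """Return hosts where archive staging preceded shadow-copy deletion.

    The sequence archiver -> shadow deletion within `window` seconds on one host
    is the exfil-before-encrypt pattern the guide tells defenders to alert on.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        staged = [e["ts"] for e in evs if e["image"].lower() in ARCHIVERS]
        for e in evs:
            cmd = " ".join(e["cmd"].lower().split())
            if any(s in cmd for s in SHADOW_DELETE) and \
                    any(0 <= e["ts"] - t <= window for t in staged):
                hits.append(host)
                break  # one alert per host is enough
    return hits
```

Both functions return the matching records rather than printing, so the same logic can be dropped into a scheduled hunt or a SIEM-side enrichment job.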

The bottom line

Conti was the most influential ransomware enterprise of its era; even after its collapse, its alumni and tradecraft define much of today's ransomware landscape. See how Conti ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

What is Conti ransomware?

Conti was a Russia-based ransomware operation and the public face of the Wizard Spider / TrickBot cybercrime ecosystem, active from around 2019 to 2022 and known for attacks on healthcare and governments.

What were the Conti Leaks?

In 2022, an insider leaked Conti's internal chat logs, source code, and operational details after the group publicly backed Russia's invasion of Ukraine, exposing how a ransomware 'corporation' operates.

Is Conti still active?

The Conti brand is inactive, but its members and tradecraft dispersed into successor operations including Black Basta, BlackSuit, and Royal.

What is Wizard Spider?

Wizard Spider is the broader financially motivated threat-actor cluster behind Conti, Ryuk ransomware, and the TrickBot and BazarLoader malware families.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: