Conti ransomware: prepare and protect your clients

| By:
Bryson Medlock

Conti is one of the most notorious cybercrime collectives in the world. Widely known for their aggressive and effective tactics to mount large-scale attacks on organizations of all sizes, Conti ransomware is a reminder of the importance of developing a robust cybersecurity plan for your clients. 

From using multi-factor authentication (MFA) to monitoring networks for vulnerabilities, use these recommendations to help protect your clients against the possibility of ransomware attacks. 

What is Conti ransomware?

Conti ransomware works by leveraging a ransomware-as-a-service (RaaS) attack model. 

This model of industrialized cybercrime typically functions by paying affiliates to deploy malware into an organization’s IT systems. Once this implementation occurs, it creates a window of opportunity for the primary cybercriminals to infiltrate an organization’s network, encrypt data, and then hold this information for ransom.  

In the case of Conti ransomware, the CIA theorizes that Conti developers likely have a slightly different model: Developers pay the deployers of the ransomware a wage versus a percentage of the proceeds used by affiliate cyber actors. Furthermore, since the widely publicized ransomware attack on the Colonial Pipeline in May 2021, the RaaS landscape continues to evolve, with key players adopting new tactics that draw less attention.

Who is behind Conti ransomware? According to statements by the U.K. and U.S., Conti is likely linked to Russian intelligence services, and many of their actions align with Russia’s international interests. Researchers have also concluded that cybercriminals in the Conti ransomware gang have connections to the Kremlin

In most scenarios, Conti attacks have employed similar tactics and procedures to prey on victims: 

  • Gain access. The first step in a cybercriminal attack is to gain access to a victim’s network. For Conti attacks, this most commonly occurs through spear phishing campaigns — such as tailored emails with malicious attachments or links, exploiting vulnerabilities with the remote desktop protocol (RDP), promoting fake software via search engines, or leveraging other malware distribution networks. 
  • Move laterally. After the initial malware infiltrates the victim’s network, the cybercriminals move laterally to gain deeper access to confidential and sensitive information. 
  • Encrypt and delete. One of the main goals of a Conti ransomware attack is to identify and compromise high-value data — and the third stage of a ransomware attack is to encrypt files quickly, making it difficult for IT teams to detect anything out of the ordinary. 
  • Extort. Conti cybercriminals often download critical file backups and then delete them from the victim’s organization. They later use these backup files as blackmail to threaten data leaks or compel organizations to comply in order to restore access to key files and proprietary information. 

The Conti leaks/shutdown

One major development regarding the Conti ransomware group is that it took down most of its infrastructure in May 2022, leading many industry experts to say that the group had “shut down.” However, this shift still has ripple effects today.

One such example is the leak earlier that year of over 2 years’ worth of private chats inside the organization. The leak was believed to have been prompted by the group’s public support of Russia in the war with Ukraine. These leaks provided unparalleled insight into the workings of the organization, including:

  • Spending thousands of dollars on a monthly basis on anti-virus tools to see if their malware could be detected.
  • The group’s size, which ranged between 65-100 employees at any given time.
  • The similarity of communications between the hackers and employees at any other organization, talking about paid leave and sharing gossip.
  • The fact that their chat logs were not encrypted, which played a role in the leak.
  • Potential ties between Conti and Russian law enforcement.

As of right now, it’s not 100% clear what’s become of the former Conti hackers. At one point, they claimed they would be splitting into smaller, autonomous groups, but there’s no clear proof this is the case.

While it’s easy to assume this change means that Conti is no longer a topic worthy of discussion, this couldn’t be further from the truth. First, many of the hackers that are a part of that “talent group” can easily find their way into other ransomware collectives, potentially increasing their capacity to target organizations.

Secondly, the leaks have given the cybersecurity community a much deeper look into how hacking groups operate on a day-to-day basis.

Finally, some of the major attacks that Conti has claimed responsibility for still have ramifications in the cyber landscape today. Here are some examples.

Recent Conti ransomware attacks

Conti has been affiliated with more than 1,000 ransomware attacks. Many of the recent Conti ransomware attacks have been high-profile and gained significant media attention. 

Costa Rican government

Two major Conti ransomware attacks crippled many of Costa Rica’s essential services, leading to the declaration of a national emergency. Beginning in mid-April of 2022, attackers targeted 27 government bodies, forcing them to shut down or alter operations. 

Files from within the finance ministry were encrypted, and the digital tax service and IT system for customs control were destroyed: Import and export businesses faced shipping container shortages, with local news reports estimating that the losses ranged from $38 million per day up to $125 million over 48 hours. 

The Conti ransomware gang allegedly disbanded in June 2022 after this hack, but its members are believed to have joined other cybercriminal groups. 

 Ireland’s Health Service Executive (HSE) and Department of Health (DoH)

Conti ransomware gained international recognition for a 2021 ransomware attack on the Ireland Health Service Executive and Department of Health, an attack that caused IT systems to shut down for weeks. 

Conti ransomware claimed to have more than 700 gigabytes (GB) of unencrypted files, including financial statements, payroll, contracts, and other sensitive documents. Conti actors demanded a $20 million ransom payment from Ireland’s HSE. Ireland refused to pay the ransom but wound up spending far more to recover from the attack.


In September 2021, Conti ransomware targeted JVCKenwood, an electronics manufacturer in Yokohama, Japan, known for its car and home electronics. Conti actors demanded that JVCKenwood pay $7 million for the return of 1.7 terabytes (TB) of stolen and encrypted data. 

Conti claimed to have terminated negotiations with JVCKenwood after reports surfaced stating that the company leaked details of the ransom negotiation.

Tips for protecting your clients against Conti ransomware

Although the original formation of the Conti RaaS has shut down, its members have likely dispersed into other ransomware operations, bringing their specialized knowledge and strategies to new teams. 

Conti malware is a prime example of the unique cybersecurity challenges MSPs face. To better understand the threat landscape — including Conti ransomware and or Conti strains — read our 2023 MSP Threat Report

Keep software and systems up to date

Conti malware targets vulnerable systems and exploits organizational blind spots. One of the most important tactics for preventing a Conti ransomware attack is to keep all client software and systems up to date. This means patching systems and software in a timely manner and keeping your client’s internal team well-informed on the importance of software updates. 

For further protection, MSPs should leverage cyber threat hunting to effectively monitor and probe client systems to stop potential threats from infiltrating the network. 

Use strong passwords and multi-factor authentication

One of the most effective measures to decrease the possibilities of cyberattacks is to leverage strong passwords and multi-factor authentication. Work with your clients to develop MFA protocols and complex passwords to strengthen security.   

Educate employees on safe computing practices and limit user privileges

In most Conti ransomware attacks over the past three years, a phishing email starts the process. For MSPs seeking the best way to protect clients, consider an email protection solution that detects advanced threats. 

While implementing an upstream solution is the most effective tactic for mitigating phishing emails, it’s also crucial to educate your client’s team on best practices for email hygiene — and how to effectively spot a phishing email to stay safe. 

Back up your data regularly

In most scenarios, Conti ransomware attacks target confidential or crucial data and demand a ransom in order to get it back. Properly backed up data is absolutely vital to maintaining business operations in the case of an attack. Focus on providing your clients with a full suite of backup solutions

For more information on how to put together an effective SaaS backup program for clients, check out our checklist, 5 Things to Consider When You Need Effective SaaS Backup.

Build a strong security culture with your clients

Reducing the potential for cyberattacks starts by building a foundation of strong security. The best thing you can do is support your clients as they develop a strong security culture. This includes educating client team members on best security practices, including: 

  • Strong password policies 
  • Robust security trainings 
  • Multi-factor authentication 
  • Secure remote access
  • Regular backup strategies 

Implement a robust security solution

Constant monitoring for suspicious patterns of behavior is key. This includes suspicious network traffic, unauthorized changes, or repeating patterns that suggest something out of the ordinary.   

If you’re an MSP looking for the best platform to protect your clients, ConnectWise cybersecurity management is here to help. From endpoint detection and response to security policy management, we have a suite of software solutions to help you protect your clients’ most critical business assets. Explore our cybersecurity demos today to get started. 


In most scenarios, Conti ransom notices provide details on how to send payment, how much money they demand, and what will allegedly occur if you do not pay the ransom. 

The typical ransom demand in a Conti ransomware attack varies depending on the victim’s financial records. According to one analysis, the ransom demand is typically between 0.7% and 5% of the victim’s annual revenue — and most ransomware gangs offer discounts for immediate payments.

It depends. Decryption may be possible in certain circumstances, particularly if the malicious malware is flawed or not fully developed. However, in most scenarios, the only viable option is to recover lost data from a backup source. 

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) “strongly discourage” organizations from paying the ransom in cybercriminal attacks. Paying a ransom note can embolden ransomware gangs to target other organizations and encourage more attacks. In many cases, paying the ransom doesn’t result in recovered files.

Historically, the healthcare industry has been most vulnerable to Conti ransomware attacks. While Conti claims to have disbanded, some of the top industries targeted by other RaaS groups include the healthcare, manufacturing, and energy sectors.

Robust antivirus software and antimalware programs can help detect and mitigate potential Conti ransomware attacks. By leveraging these programs to conduct regular scans of the network and all organizational assets, MSPs can identify irregularities or vulnerabilities in the infrastructure. 

It is highly difficult to trace or track the perpetrators of any ransomware attack. Although many RaaS groups are known, the criminals use code names and are difficult to track down.