Get in Touch

Contact us to learn more about our elite cybersecurity services and industry-leading technologies.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Emergency Incident Assistance

Is your network under attack? Get in touch with a
BreachQuest Specialist right away with this form.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

Conti’s Dangerous New Phase

By: BreachQuest

Conti's Dangerous New Phase

On Friday, February 25, two days after Russia invaded Ukraine, the ransomware group Conti released this message.


Who is Conti?

Conti is a major name in the ransomware space, with a long history that includes roots in big-game ransomware groups of the past (i.e., Ryuk) and inclusion in the Maze cartel1. It is operated by the Wizard Spider group, which created TrickBot2.  Wizard Spider has been identified as a Russian group.

Historically, the sole motivation for ransomware operators has been money. Wizard Spider/Conti and groups like it are well-organized and can be ruthless. Simple pattern – get access, steal “sensitive” data (sensitive in the sense of Personal Identifiable Information(PII) or items that are valuable to the victim), encrypt everything, and demand a ransom. Without a ransom, the data is posted for the world to see to embarrass the victim and cause reputational damage.

In the past, occasionally, ransomware operators have posted splashy mission statements, named enemies, etc. But for the most part, the groups have shied away from the spotlight. Groups that have ended up in the spotlight, for example, DarkSide due to the Colonial Pipeline attack, have often scattered like cockroaches and rebranded and regrouped under a different name.

Conti’s Major Shift

When this message was released on Friday, February 25, 2022, it represented a major shift. Money is no longer the motive, and the spotlight is no longer a deterrent. The gloves are off. This likely means a new plan of attack. Instead of stealing valuable documents from the company, they may now steal documents that have intelligence value. Previously they demanded a ransom, now they will wreak havoc. Instead of demanding a ransom, they can throw away the keys and cripple their victims.

The new danger is that this means they will no longer hold back and will start to pick targets that are critical infra or vital services without worrying about a payday.

Retraction or Misdirection?

A few hours after they issued the above message, they issued this message


This partial retraction was likely issued so that they can continue running their ransomware business without aligning themselves so firmly with an atrocity. Or at least to give that appearance. The original statement is likely closer to the truth. Someone said the quiet parts out loud.

Be Prepared

With the increasing number of attacks, all companies require strengthening their security infrastructure to prevent potential threats. While times are uncertain, the best protection is preparedness. Build your strong cybersecurity foundation follow our Cybersecurity Practices for Secure Infrastructure.


Written by Sean Cordes, BreachQuest’s Associate Director of Incident Response.




Share this article:

Sign up for our newsletter to get more industry news and insights.

Related Insights


BlackCat – The New Ransomware on the Block

Read more


Conti: Still here, Still Dangerous

Read more


The Conti Leaks | Insight into a Ransomware Unicorn

Read more