The threat ecosystem of Conti, one of the most prolific malware strains in the global cyber threat landscape, is growing stronger day by day. Recent findings indicate it is diverting away from U.S. targets towards other NATO-affiliated countries in Europe.

Conti’s transformation

According to eSentire researchers, Conti did not shut down, it just moved its operations to the brands BlackByte and Black Basta. These groups have been aggressively targeting critical infrastructure segments in Europe and other organizations across the globe.

Attack campaign

  • Between the end of February and mid-July, these ransomware groups listed 81 victim organizations on their data leak sites.
  • Of these, 41% of the targets were companies in critical infrastructure sectors, including energy, government, transportation, pharmaceuticals, facilities, food, and education in Europe.
  • The remaining 59% were primarily in manufacturing, small retail, and construction organizations in the U.S.

Blackbyte’s recent activities

  • In October, BlackByte was spotted with a new exfiltration tool named Exbyte (Infostealer.Exbyte), mostly abusing ProxyShell flaws.
  • It was observed abusing legitimate drivers with Bring Your Own Driver (BYOD) technique to bypass security products.

Black Basta's recent activities

  • A possible link was found between the Black Basta operation and the FIN7 hacking group, suggesting that they are sharing custom impairment tools developed by the same threat actors.
  • The Black Basta ransomware group was using multiple distribution methods to deploy Brute Ratel, SmokeLoader, Emotet, and other malware.


Conti is forming new allies, developing new tools and techniques, and actively hacking critical organizations. Increased activities by Conts affiliates and the attack diversion suggest that it is growing as a diverse illicit RaaS industry, which gives jobs to thousands of cybercriminals worldwide with various specializations.
Cyware Publisher