Industry Analysis

Conti Ransomware Supply Chain Patterns

Before Conti splintered in 2022, its affiliates turned MSPs, RMM tools, and identity infrastructure into repeatable supply chain attack paths.

Shadab Khan
Security Engineer
6 min read

Conti is technically dead. The brand was retired in mid-2022 after the Russia-Ukraine war, the leaked internal chats published by a Ukrainian researcher under the handle "ContiLeaks," and the operational embarrassment of the Costa Rica government attack that triggered a national state of emergency. But any security engineer who worked ransomware cases between 2020 and 2022 knows the story does not end there. Conti's operators, code, and affiliate relationships fragmented into Black Basta, BlackByte, Karakurt, Royal, Zeon, and several smaller crews that still use the playbook. So when I talk about "Conti supply chain patterns," I mean the tradecraft of a loose federation that continues to run today under different names.

The Industrial Ransomware Era

Conti emerged in mid-2020 as a successor to Ryuk, run by a group widely attributed to the Russian-speaking operators tracked as Wizard Spider and TrickBot and, in U.S. Treasury OFAC designations, sanctioned as specific named individuals. At its peak, Conti affiliates were pulling in roughly $180 million per year in extortion revenue according to Chainalysis' 2022 Crypto Crime Report. The group's May 2021 attack on Ireland's Health Service Executive disrupted hospital operations nationwide and cost an estimated €100 million in recovery. They had a human resources function, a help desk, performance reviews, and salary tiers for penetration testers. They were an industry.

What set Conti apart operationally was the depth of its affiliate program. Unlike earlier Ransomware-as-a-Service operations, Conti gave affiliates access to fully developed toolkits, shared access to compromised environments, and — critically — internal "how-to" documents on exploiting specific enterprise products. When the ContiLeaks dump appeared in February 2022, the industry saw internal manuals for Cobalt Strike usage, Active Directory attack paths, Veeam exploitation, Kaseya VSA abuse, and AnyDesk deployment. These were not generic guides. They were the accumulated institutional knowledge of a crew that had been inside thousands of networks.

MSP and RMM as Force Multipliers

The single most important supply chain pattern in Conti's history is their preference for managed service providers and remote monitoring and management (RMM) platforms as attack vectors. I reviewed at least four cases where the initial access was not a phishing email to the victim organization but a compromise of the IT provider who managed them.

The pattern looks like this. Operators gain access to an MSP through a phished administrative credential, an exposed ConnectWise or Kaseya console, or a SonicWall or Fortinet appliance missing CVE-2021-20016 or CVE-2021-20021 patches. Once inside the MSP, they use the RMM platform — designed to push software to every managed endpoint — to deploy Cobalt Strike, SystemBC, BazarLoader, or the Conti encryptor to dozens or hundreds of downstream customers simultaneously. The July 2, 2021 Kaseya VSA attack was not Conti but its sibling REvil, using the same logical approach via CVE-2021-30116. Conti affiliates ran structurally identical operations against smaller MSPs throughout 2021 and early 2022.

The supply chain framing matters because the victim organization often had reasonable security. Their MSP did not. And the MSP's software-delivery path was trusted enough to push signed installers to every endpoint on demand.

The Exploitation Portfolio

The ContiLeaks show that the group maintained a surprisingly mature portfolio of exploits for enterprise infrastructure products. Their go-to initial access CVEs during 2021 and early 2022 included:

  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (ProxyLogon, Exchange)
  • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell, Exchange)
  • CVE-2021-44228 (Log4Shell, rapidly weaponized within days of disclosure)
  • CVE-2020-1472 (Zerologon, used for domain privilege escalation in post-access phases)
  • CVE-2021-42278 and CVE-2021-42287 (sAMAccountName spoofing)
  • CVE-2021-20016 and several other SonicWall SMA flaws

What made these attacks "supply chain" rather than garden-variety exploitation was the scale and the trust relationships. ProxyShell-compromised Exchange servers were used to phish internally from legitimate email accounts. Log4Shell was weaponized against VMware vCenter, Ubiquiti UniFi, and numerous enterprise applications that sat at the heart of customers' software delivery paths. A single vulnerable Jenkins or vCenter became the pivot into every downstream deployment.

Tradecraft Signatures

Several Conti tradecraft elements keep reappearing in the spinoff groups I have tracked through 2023 and 2024.

First, TrickBot, BazarLoader, and IcedID as initial loaders, frequently delivered through phishing, thread-hijacked email, or cracked software downloads. These loaders themselves abuse the software supply chain — pirated Microsoft Office installers, cracked Adobe applications, and fake invoicing PDF readers have all seeded initial Conti infections.

Second, Cobalt Strike as the command-and-control backbone, with frequent use of malleable C2 profiles that mimic legitimate traffic and stolen or pirated Cobalt Strike licenses. The ContiLeaks showed the group maintaining a private fork with customized post-exploitation modules.

Third, heavy use of legitimate administrative tools for propagation, including PsExec, WMIC, PowerShell Remoting, and SMB shares. Encryptor deployment typically used Group Policy or the compromised RMM to push the payload to all hosts simultaneously.

Fourth, systematic backup destruction before encryption. Operators specifically hunted Veeam, Acronis, and Commvault infrastructure, abused the documented Veeam credential-extraction weakness later tracked as CVE-2023-27532, and deleted Volume Shadow Copies to prevent trivial recovery.
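As an added defender-side illustration (not code from the article or from Safeguard), the following Python detector runs over constructed process-creation events and flags the three patterns this article describes: the RMM fan-out of one binary to many endpoints from "MSP and RMM as Force Multipliers", PsExec-style service propagation, and shadow copy deletion ahead of encryption. The RMM agent process name, host names and every event are constructed; a real deployment would substitute its own platform's agent names and feed EDR or Sysmon process-creation telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events, not real telemetry:
# (host, UTC timestamp, parent image, command line).
EVENTS = [
    ("ws-01", "2022-03-01T02:10:00", "rmmagent.exe", r"C:\Windows\Temp\upd.exe /s"),
    ("ws-02", "2022-03-01T02:10:04", "rmmagent.exe", r"C:\Windows\Temp\upd.exe /s"),
    ("ws-03", "2022-03-01T02:10:09", "rmmagent.exe", r"C:\Windows\Temp\upd.exe /s"),
    ("ws-04", "2022-03-01T02:10:15", "rmmagent.exe", r"C:\Windows\Temp\upd.exe /s"),
    ("ws-05", "2022-03-01T09:30:00", "rmmagent.exe", r"C:\Windows\Temp\upd.exe /s"),  # hours later, not part of the burst
    ("srv-fs1", "2022-03-01T02:12:30", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("srv-fs1", "2022-03-01T02:12:40", "cmd.exe", "wmic shadowcopy delete"),
    ("srv-db1", "2022-03-01T02:13:00", "services.exe", r"C:\Windows\PSEXESVC.exe"),
    ("ws-06", "2022-03-01T08:00:00", "cmd.exe", "vssadmin.exe list shadows"),  # benign admin activity
]

# Constructed placeholder; replace with the parent process names of your RMM agent.
RMM_PARENTS = {"rmmagent.exe"}

# Command lines that remove Volume Shadow Copies (the backup-destruction step).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)


def shadow_copy_deletion(events):
    """Hosts on which a shadow copy deletion command was observed."""
    return sorted({h for h, _, _, cmd in events if SHADOW_DELETE.search(cmd)})


def rmm_fanout(events, window_s=300, min_hosts=3):
    """Command lines an RMM agent launched on >= min_hosts hosts within window_s seconds."""
    by_cmd = defaultdict(list)
    for host, ts, parent, cmd in events:
        if parent.lower() in RMM_PARENTS:
            by_cmd[cmd].append((datetime.fromisoformat(ts), host))
    hits = {}
    for cmd, runs in by_cmd.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):  # slide a window from each run start
            hosts = {h for t, h in runs[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(hosts) >= min_hosts:
                hits[cmd] = sorted(hosts)
                break
    return hits


def psexec_service_hosts(events):
    """Hosts where the Service Control Manager started a PsExec service binary."""
    return sorted({h for h, _, p, cmd in events
                   if p.lower() == "services.exe" and "psexesvc" in cmd.lower()})
```

Tuning `window_s` and `min_hosts` to the RMM's normal patch cadence keeps legitimate scheduled deployments from tripping the fan-out rule.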

The Spinoff Era

After Conti formally shut down in May 2022, the operators did not retire. Black Basta emerged in April 2022 and has since been responsible for high-profile intrusions at Rheinmetall, Capita, Hyundai Europe, and ABB. Analyst consensus — including Mandiant's UNC4393 tracking — attributes Black Basta to former Conti operators. Royal Ransomware, first observed in September 2022 and responsible for the May 2023 City of Dallas attack, also shows strong Conti TTP overlap and is now tracked as Blacksuit. Karakurt continued the data-extortion-only side of the operation through 2023 and into 2024.

The MSP and RMM supply chain tradecraft persisted across all of these. The ConnectWise ScreenConnect vulnerability chain disclosed as CVE-2024-1708 and CVE-2024-1709 on February 19, 2024 saw immediate exploitation by Black Basta and other Conti-descended crews, targeting exactly the kind of managed service infrastructure Conti had pioneered as an entry point.

How Safeguard Helps

Safeguard targets the supply chain exposures that Conti-descended crews continue to exploit, from MSP tooling to enterprise middleware. The platform inventories RMM, backup, and identity infrastructure components across customer environments, flags when critical CVEs — CVE-2024-1709 ScreenConnect, CVE-2023-27532 Veeam, CVE-2021-44228 Log4j — remain unpatched, and correlates those exposures with supplier relationships so teams understand downstream blast radius. Policy gates catch deployments that pull in unsigned or unexpectedly modified installers, which is the typical fingerprint of an RMM-pushed ransomware payload. By pairing CVE enrichment with supplier and SBOM intelligence in one place, Safeguard helps defenders spot the chokepoints ransomware affiliates keep attacking, before the encryption starts.
