Bright is now integrated with GitHub Copilot

Check it out! →
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.


Connecting your security stack & resolution processes seamlessly.


Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.


Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.


Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.


Download whitepapers & research on hot topics in the security field.

About us

Who we are, where we came from, and our Bright vision for the future.


Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
Exploring Ryuk and Conti Ransomware Gangs

Exploring Ryuk and Conti Ransomware Gangs

Levan Abesadze

Part 1 of 2

In the dynamic landscape of cyber threats, the battle between ethical and malicious actors has escalated to unprecedented levels. The shift in motivations, from mere amusement to the pursuit of financial gains, has given rise to ransomware gangs that pose a substantial threat to diverse sectors. The implications of this transformation are worrisome for organizations globally, emphasizing the critical need for vigilance and awareness. In this evolving digital battleground, staying informed becomes not only a proactive strategy but a formidable defense mechanism for safeguarding against the menace of ransomware attacks. 

Part 1 of our ransomware gangs series sheds light on the notorious group Ryuk, also known as Conti or “Wizard Spider”. This exploration aims to uncover the tactics, evolution, and impact of these malicious entities on critical industries.

Ryuk: A Threat to Healthcare 

Ryuk, named after a fictional death spirit in Japanese folklore, has become a notorious player in the realm of cybercrime. Specializing in high-stakes ransomware attacks, this group has honed its focus on the healthcare sector, presenting a threat to medical institutions across the United states. 

Ryuk has established itself as a formidable adversary, particularly targeting hospitals in the United States. Between 2018 and 2021, the group executed a staggering 235 confirmed attacks, raking in over $100 million through their relentless ransom demands in 2020 alone. Employing hostile diplomatic relations with their targets, Ryuk often resorts to intimidation when payment is refused. This targeted approach has not only financial implications but also raises concerns about the safety and well-being of those relying on critical healthcare services. 

Tactics Evolution

The ransomware gang has not remained stagnant in their approach. Ryuk continually modifies its malware types and techniques, transitioning from the infamous Trickbot and Emotet to more sophisticated tools like BazarLoader and BazarBackdoor. These advanced tools come at a higher cost but prove to be more effective, eluding detection by many endpoint security systems. Ryuk’s ability to adapt and evolve highlights the dynamic nature of cyber threats, requiring organizations to stay one step ahead in their defense strategies. 

Deceptive Phishing Tactics 

Ryuk employs a sophisticated and diverse range of phishing tactics to infiltrate its targets. These maneuvers include posing as legal professionals or other individuals, initiating discussions on specific topics, or even claiming local affiliations, thereby introducing an additional layer of intricacy to their operations. Operating as a service, Ryuk consistently dispatches these deceptive emails on a daily basis. This relentless approach has proven highly effective, evident in instances where multiple hospitals across the USA fell victim to the same threat actors in a single day. The repercussions of their attacks on healthcare institutions are alarming, as the group strategically targets vulnerable systems, resulting in substantial disruptions to emergency care services.

Impact on healthcare

The recovery process for hospitals can span weeks, leading to disruptions in essential services. A distressing example from Manchester highlights the consequences of such attacks, where a hospital was unable to take immediate action due to the decryption of essential medical files, including X-rays and CT scans. Research has also shown that ransomware attacks have resulted in fatalities. In Germany, for instance, Dusseldorf Hospital had to redirect an emergency case involving an elderly woman with an aneurysm to another hospital in Wuppertal, which was 20 miles away. Tragically, a baby born with a brain injury in Alabama lost their life because the attackers had ransomed the hospital, rendering all computers offline.The collateral damage extends beyond financial loss, affecting patient care and endangering lives. 

Conti: Ryuk Restructured

Ryuk reorganized as Conti to employ a diverse array of tactics designed to infiltrate and compromise targeted systems. One distinctive characteristic of Conti’s operations is its collaboration with another gang known as Maze, utilizing RDP (Remote Desktop Protocol) brute force attacks to gain unauthorized access. In an RDP brute force attack, the attacker typically uses automated tools or scripts to repeatedly try different username and password combinations until they find the correct credentials that grant access to the targeted system. 

Unlike its predecessor, Conti strategically avoids targeting old Soviet countries and promptly exits systems using the Russian language, showcasing a level of sophistication and strategic selectiveness. 

Unique Tactics

Conti’s approach extends to its exploitation of vulnerabilities during the COVID-19 pandemic. Notably, the group poses a substantial threat to the United Kingdom by actively targeting hospitals. Unlike traditional ransomware Conti utilizes various strains with the RSA and AES algorithm, enhancing the complexity of their attacks and making decryption more challenging. 

Examples of Conti’s impact on organizations are particularly distressing. The group not only encrypts essential data but also engages in the extortion of sensitive information. A significant departure from conventional ransome practices, Conti sells the victim’s data on the Darkweb even after the ransom has been paid. This dual-treat approach intensifies the consequences for organizations, as they not only face the immediate aftermath of a ransomware attack but also the potential exposure and exploitation of confidential information. 

Threat Dynamics

The collaboration between Conti and other threat actors, coupled with its ability to adapt and innovate in its tactics, presents an ongoing challenge for cybersecurity professionals. The United States government, recognizing the severity of the threat, has imposed fines for disclosing information about the criminal organization. Despite these measures, Conti’s impact is far-reaching, emphasizing the urgent need for advanced cybersecurity strategies, threat intelligence sharing, and international cooperation to mitigate the evolving risks posed by such sophisticated ransomware groups. 


As ransomware gangs continue to wreak havoc, it is imperative for organizations, especially in critical sectors like healthcare, to bolster their cybersecurity defenses. By understanding their threats and strategies, we’ve provided a foundation for organizations to strengthen their security posture. Identifying these harmful forces is the first step in securing your organization against the continually changing landscape of cyber threats. In part two of this series, we’ll explore Maze and Lockbit, offering insights to help you navigate the intricate world of ransomware threats. Stay tuned for a detailed examination of their approaches and impacts as we continue to enhance cybersecurity awareness. 

You can read part 2 of the series here.


IASTless IAST – The SAST to DAST Bridge

Streamline appsec with IASTless IAST. Simplify deployment, enhance accuracy, and boost your security posture by combining SAST and Bright’s DAST.

Bringing DAST security to AI-generated code

AI-generated code is basically the holy grail of developer tools of this decade. Think back to just over two years ago; every third article discussed how there weren’t enough engineers to answer demand; some companies even offered coding training for candidates wanting to make a career change. The demand for software and hardware innovation was

5 Examples of Zero Day Vulnerabilities and How to Protect Your Organization

A zero day vulnerability refers to a software security flaw that is unknown to those who should be mitigating it, including the vendor of the target software.

Get our newsletter