Threat Intelligence Tarot
Major Arcana · 17
Criminal (Russia, St. Petersburg-linked)
MITRE ATT&CK group ID: G0102 (Wizard Spider) · Risk 5/5
✦ The Plague ✦
Conti
Also tracked as: Wizard Spider · GOLD ULRICK · TrickBot Group
Targets: Healthcare · Government · Critical infrastructure · Schools
Active since ~2020 (the Conti brand was retired in mid-2022 after the leaks) · Ransomware extortion, data theft, disruption
It spread through hospital networks while patients were wheeled into corridors. The Plague does not distinguish between a defense contractor and an ICU - everything encrypts the same. Its leaked chat logs revealed an organization of 100+ people with department heads and vacation policies.
Tactics & Techniques (MITRE ATT&CK Enterprise tactics covered; the card lists all 14, i.e. full kill-chain coverage)
- Reconnaissance (RCN)
- Resource Development (RDV)
- Initial Access (INI)
- Execution (EXC)
- Persistence (PRS)
- Privilege Escalation (PRV)
- Defense Evasion (EVA)
- Credential Access (CRD)
- Discovery (DSC)
- Lateral Movement (LAT)
- Collection (COL)
- Command and Control (C2)
- Exfiltration (EXF)
- Impact (IMP)
Notable Operations
- ◆Ireland Health Service Executive (HSE) attack (May 2021) - shut down national healthcare IT for weeks
- ◆Costa Rica government (April 2022; $20M demanded, national emergency declared)
- ◆Internal chat logs leaked by a Ukrainian researcher (February 2022, the "ContiLeaks")
- ◆400+ attacks on organizations worldwide during COVID-19, including healthcare and first-responder networks
Defenses
- ▸Healthcare-specific ransomware response plans (HHS 405(d) Health Industry Cybersecurity Practices)
- ▸SMB signing required on both servers and clients, which defeats NTLM relay over SMB, a common lateral-movement path (CIS Control 12)
- ▸LSASS protection: run LSASS as a protected process (RunAsPPL) and enable Credential Guard so credential dumping from memory fails (CIS Control 5)
- ▸Network segmentation isolating clinical systems and medical devices from the business network (NIST CSF PR.AC)
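As an added example that is not part of the original card, the PowerShell script below audits a Windows host for two of the host-hardening controls above, SMB signing and LSASS protection, and enforces them when run with -Enforce. It uses only built-in cmdlets, registry values and event IDs; the script structure and the -Enforce switch are my own.

```powershell
# Added example (not from the original card): audit, and optionally enforce,
# SMB signing and LSASS protection on a Windows host.
# Run from an elevated PowerShell 5.1+ session; assumes the built-in
# SmbShare module (Windows 8 / Server 2012 and later).
[CmdletBinding()]
param(
    # Report only by default; pass -Enforce to change settings.
    [switch]$Enforce
)

$findings = @()

# --- 1. SMB signing ---------------------------------------------------------
# "Required" on both the server and client side defeats NTLM relay over SMB,
# the lateral-movement path the Defenses list refers to.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings += "SMB server does not require signing (LanmanServer\Parameters RequireSecuritySignature=0)"
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
if (-not $cli.RequireSecuritySignature) {
    $findings += "SMB client does not require signing (LanmanWorkstation\Parameters RequireSecuritySignature=0)"
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# --- 2. LSASS protection ----------------------------------------------------
# RunAsPPL=1 starts LSASS as a protected process (PPL), so user-mode tools
# cannot open it for credential dumping without a kernel-level bypass.
# Caveat: unsigned third-party LSA plugins (some auth/smartcard products) will
# no longer load; check the CodeIntegrity log in audit mode first.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($runAsPpl -ne 1) {
    $findings += "LSASS is not configured as PPL (Lsa\RunAsPPL is '$runAsPpl')"
    if ($Enforce) { Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord }
}

# Credential Guard status: Win32_DeviceGuard.SecurityServicesRunning contains 1
# when Credential Guard is running (2 is HVCI). It needs VBS-capable hardware
# and a reboot, so it is reported rather than flipped blindly.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or ($dg.SecurityServicesRunning -notcontains 1)) {
    $findings += "Credential Guard is not running (enable VBS and Credential Guard via Group Policy, then reboot)"
}

# Confirm LSASS actually started protected on the last boot: Wininit logs
# System event ID 12 ("LSASS.exe was started as a protected process with level: 4").
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) {
    $findings += "No Wininit event 12 found: LSASS did not start as PPL on the last boot (reboot required after setting RunAsPPL)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: SMB signing required on server and client; LSASS runs as PPL; Credential Guard running."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Enforce) { Write-Output "Settings changed where possible; reboot for RunAsPPL to take effect." }
}
```

Run it without arguments first and read the findings: in a hospital, requiring SMB signing can break legacy medical devices and imaging appliances that only speak unsigned SMB, so inventory those hosts and put them behind the segmentation control above before flipping the setting fleet-wide.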
Reversed: Their Weakness
When Conti publicly sided with Russia after the February 2022 invasion of Ukraine, a Ukrainian security researcher leaked roughly two years of internal chat logs (the "ContiLeaks"), exposing everything from the group's internal disputes and salaries to its bitcoin addresses and tooling.
Data sourced from MITRE ATT&CK. For educational purposes.