Conti-Ryuk
| Primary URL | Location | Industry |
|---|---|---|
| Undetermined | Country: Russia | Healthcare |
Profile
The organisation referred to by the aliases Conti‑Ryuk and Maze operates as a ransomware threat actor that conducts cyber extortion campaigns against victim entities. Its core activity involves gaining unauthorized access to networks, deploying ransomware to encrypt critical files, and simultaneously exfiltrating sensitive data before encryption. After the attack, the group threatens to publish the stolen information on leak sites unless a ransom is paid, a tactic commonly described as double extortion. The group’s services are offered to affiliates or used directly by its operators, enabling a broad range of targets across different industries.
The source material does not provide explicit quantitative details about the organisation’s size, geographic reach, or overall footprint, so no statements regarding employee count, revenue, or market share can be made. Likewise, there is no disclosed information about the number of attacks conducted, the volume of data typically stolen, or the financial scale of its operations. Consequently, any description of scale must be limited to the observable behaviour documented in the available incident reports.
Distinguishing attributes of the group include its use of dedicated leak sites where victim data is posted to increase pressure on targets, as demonstrated in the August 2, 2020 incident involving a healthcare provider. The organisation is known to operate under multiple aliases, Conti‑Ryuk and Maze, which may reflect rebranding, affiliate structures, or collaborative efforts between distinct threat actor clusters. In the cited incident, both aliases appeared to be involved, with each posting separate datasets, indicating a capability to coordinate or independently execute data‑leak components of a ransomware campaign. The group’s focus on sectors that hold high‑value personal information, such as healthcare, underscores its specialization in exploiting data that can cause significant reputational and regulatory harm when exposed.
No explicit details about the organisation’s ownership, parent‑company relationships, or subsidiary status are present in the provided sources, so no structural notes can be affirmed. The available information therefore describes the Conti‑Ryuk/Maze entity primarily through its observed ransomware tactics, the dual‑alias naming pattern, and its demonstrated impact on victim organisations.
