Elysian Mantis, also known as Conti, was a ransomware group active from 2019 to 2022, known for operating a ransomware-as-a-service (RaaS) model. The group used double-extortion tactics, encrypting victims' data and threatening to leak it unless a ransom was paid. It targeted a wide range of industries, including healthcare and critical infrastructure, causing significant disruptions. Elysian Mantis disbanded in 2022 after internal leaks, with members reportedly joining other cybercrime operations.
The full report is available here.
These IOCs were released as part of PTI team research.
One of the most valuable pieces of threat intelligence we discovered during this PTI investigation was the the real IP address of Elysian Mantis’ recovery service platform.
| Domain | Real IP | Date |
|---|---|---|
| contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion | 217.12.204.135 | Tuesday, 28 September 2021 21:30:03 UTC |
| contirecovery.ws | 217.12.204.135 | Tuesday, 28 September 2021 21:30:03 UTC |
Following table contains the authentication logs of the subject Elysian Mantis server with IP 217.12.204.135
| User | Connecting IP | Date (GTM+3) |
|---|---|---|
| root | 89.163.249.244 | Wed Nov 10 14:11 - gone no logout |
| root | 107.189.31.241 | Wed Nov 10 09:09 - 09:10 (00:01) |
| root | 185.220.103.5 | Mon Oct 25 15:08 - 15:50 (00:42) |
| root | 192.42.116.25 | Fri Oct 15 20:25 - 20:28 (00:03) |
| root | 18.27.197.252 | Mon Oct 4 17:47 - 17:47 (00:00) |
| root | 45.153.160.134 | Mon Sep 27 14:12 - 14:18 (00:05) |
| root | 185.220.103.4 | Mon Sep 27 09:10 - 09:13 (00:03) |
| root | 185.130.44.108 | Thu Sep 23 21:08 - 21:26 (00:18) |
| root | 104.244.76.44 | Thu Sep 23 08:04 - 08:04 (00:00) |
| root | 104.244.76.44 | Thu Sep 23 08:01 - 13:02 (05:01) |
| root | 64.113.32.29 | Wed Sep 22 13:46 - 15:40 (1+01:54) |
| root | 54.36.108.162 | Wed Sep 22 12:54 - 13:10 (00:16) |
Following IP addresses are found to be communicating with the subject Elysian Mantis server with IP 217.12.204.135
| Detected TCP Connections on Elysian Mantis Server |
|---|
| 1.177.172.158 |
| 104.244.76.44 |
| 122.51.149.86 |
| 176.9.1.211 |
| 176.9.98.228 |
| 18.27.197.252 |
| 185.130.44.108 |
| 185.220.103.4 |
| 2.82.175.32 |
| 217.160.251.63 |
| 218.92.0.211 |
| 45.153.160.134 |
| 46.101.236.25 |
| 49.234.143.71 |
| 51.75.171.136 |
| 54.36.108.162 |
| 6.11.76.81 |
| 61.177.172.158 |
| 64.113.32.29 |
| 66.211.197.38 |