{
	"id": "9b983670-4b23-40bb-8ea1-66a223c6b379",
	"created_at": "2026-04-06T00:17:30.56175Z",
	"updated_at": "2026-04-10T03:36:11.110963Z",
	"deleted_at": null,
	"sha1_hash": "0df5910176ea2a547693b0f25b2c36a02ea2a327",
	"title": "An insider insights into Conti operations – Part One",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1913991,
	"plain_text": "An insider insights into Conti operations – Part One\r\nBy Guillaume C., Livia Tibirna, Erwan Chevalier, Narimane Lavay and Sekoia TDR\r\nPublished: 2021-08-17 · Archived: 2026-04-05 13:33:35 UTC\r\nTable of contents\r\nThe origin of Conti ransomware\r\nAn internal discord at the origin of the Conti’s training material leaks\r\nWhat do the Conti leaks tell us?\r\nConclusion\r\nThis is the first of two blog posts focusing on the Conti ransomware group, whose training material was recently leaked on a cybercrime forum. To give this analysis some context, we describe Conti’s evolution and success since its origin. We then put the leaks in context using our observations on underground forums and analyze them in terms of threat intelligence. The second blog post will detail the techniques used by Conti operators and how to detect them.\r\nThe origin of Conti ransomware\r\nConti and Ryuk were developed and operated by a group dubbed Wizard Spider by CrowdStrike (aka UNC1878, Grim Spider, Conti gang) and some affiliates. Wizard Spider started its activity in 2016 by conducting financial fraud campaigns using the TrickBot banking trojan¹. The link between Conti and Wizard Spider was confirmed by ClearSky, following a bitcoin transaction after a successful ransomware attack².\r\nIn August 2018, the actor previously using TrickBot started to use a new ransomware called Ryuk to target large organizations, asking for high ransom amounts. Wizard Spider seemed to follow the Big Game Hunting (BGH) trend started by BitPaymer’s gang one year earlier³. Ryuk’s activity made the project famous in the ransomware business. According to Coveware, in Q1 2020, the average ransomware payment made to the group was over $1.3 million. During this period, we can note the attacks against major US companies such as Electronic Warfare Associates (EWA), a US Government contractor⁴.\r\nhttps://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one\r\nPage 1 of 10\r\nAverage ransomware payment of Phobos, Ryuk & Sodinokibi in Q4 2019 and Q1 2020⁵\r\nThe group has constantly evolved its arsenal, reacting to attempts to block it. In 2020, it developed BazarLoader, which is heavily obfuscated. It also regularly added exploits for known vulnerabilities such as EternalBlue, Zerologon and, more recently, PrintNightmare to its arsenal.\r\nTheir loaders were often delivered through phishing emails or through credentials previously obtained from Emotet or IcedID activity. The affiliates probably also used accesses sold by initial access brokers.\r\nConti appeared in February 2020 as a Ryuk successor using the new data blackmailing technique⁶ (aka double extortion). The group created a website to publish stolen data in case of non-payment of the ransom and to offer a polished chat interface for communicating with victims and others. According to the ransom notes SEKOIA studied, Ryuk operators used to communicate with victims through secure email services such as Protonmail or Tutanota.\r\nThreatening to leak sensitive files is an effective way to increase the pressure on companies, and therefore both the probability that the ransom will be paid and its amount. Note that Wizard Spider seems to consider the file decryptor and the deletion of the stolen files as two different services.\r\nOld Conti leak website\r\nNew Conti leak website (continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion)\r\nThe double extortion technique used by Conti has apparently paid off: the group claimed more than 150 successful attacks and $20M of paid ransoms by the end of 2020⁷. Based on our observations, Conti has been the most prolific group since January 2021, with more than 300 publicly disclosed ransomware attacks this year.\r\nThis success is partly due to the efficiency of the group’s tools. Indeed, in 2020, the Conti ransomware was one of the fastest at encrypting a computer: it runs 32 concurrent threads and encrypts files with AES-256 keys that are in turn protected with an embedded RSA-4096 public key. Encryption and data exfiltration speed has since become a marketing argument in the ransomware community and has been greatly improved by other groups. One specificity of the Conti ransomware is that it can be driven from the command line to encrypt the local hard drive or network shares.\r\nComparative table created by LockBit 2.0 group (available on their website)\r\nAnother specificity that indicates continuity between the Ryuk and Conti activities is Ryuk’s habit of demanding ransom payments proportional to the revenue of the targeted company, which has continued with the Conti ransomware. Once their affiliates compromise a target, they send the operators a report containing information about the victim (name, website address, number of servers and endpoints locked, amount of stolen data, and target’s revenue) to help during the ransom negotiation.\r\nConti’s negotiators are experienced and patient. They use the anchoring technique, setting a very high first price and negotiating down from it. They use a service-oriented rhetoric, calling the victim “customer” and themselves “support”.\r\nUnlike other ransomware gangs, Conti did not hold back from attacking hospitals during the COVID-19 crisis⁸.\r\nAn internal discord at the origin of the Conti’s training material leaks\r\nOn August 5, 2021, an XSS cybercrime forum member known as “m1Geelka” leaked a Conti ransomware group’s training material. The “manual” includes some insights on the modus operandi of one of the most successful ransomware cartels at the moment.\r\nFrom our observations of the discussions between different actors, “m1Geelka” is believed to be one of the group’s Windows administrators. After allegedly working for Conti (or, as he states, “I got in there to find out how they work”), “m1Geelka” judged the remuneration formula to be unfair and decided to do justice to the group’s “partners”.\r\nIn fact, the cybercriminal community has repeatedly voiced that Conti’s alleged remuneration was inadequate, given the qualifications they are looking for. Starting from $1,500, and from $2,000 for technical profiles, wages are, however, constantly being adjusted upwards and accompanied by regular bonuses, all paid in BTC – the group states.\r\nEven so, “m1Geelka” was promptly expelled from the Russian-speaking underground community. He had broken one unwritten rule that dictates the law in this medium: conflicts have to be solved through private arbitration processes.\r\nThis has also driven us to pay close attention to the most recent activity of a Conti representative on a forum where he was particularly active from June to August 2021. “IT_Work” is the online persona of a suspected threat actor who handled the group’s expansion this summer.\r\nThe Conti’s representative profile on XSS forum, banned since August 6, 2021\r\nAs commercial activities related to ransomware are now prohibited on this platform, neither advertisements for the software used nor any specifications about the targeted countries or industries were seen. Instead, we observed a massive recruitment campaign on the XSS cybercriminal forum, which is highly popular among ransomware operators seeking to create new partnerships.\r\n“We are a small recruitment team”, “IT_Works” states. He announced “lots of vacancies” in June 2021, so candidates were encouraged to apply for job openings or to make spontaneous applications. “No formalization under the Labor Code” is stipulated, as if to comfort some and deter others.\r\nOver a dozen job openings on behalf of Conti were spotted in less than two months, revealing a highly specialized and organized group structure. As commonly observed among ransomware groups originating from Russia or countries within the Commonwealth of Independent States (CIS), communication is performed in Russian and the job listings are addressed to “Russian speakers only!”.\r\nAn example of a job listing posted by a Conti representative on June 11 on a Russian-speaking cybercriminal forum. Translated from Russian, the post reads:\r\n“Vacancy for the position of Business Analysts. Required Skills: Business English (reading) required, conversational is a big plus; Knowledge of business particularities in the U.S.; Analytical skills, attention to detail; Advanced PC user. Responsibilities: Analysis of B2B markets; Analysis of companies’ financial statements, and other public data obtained from government institutions; Drawing up cases on key players on the financial and industrial markets […]”\r\nA close look at these messages allows us to draw up a rough picture of Conti’s internal structure, which can be pictured as follows:\r\nAn overview of how the Conti Group is structured, based on statements recently made by its representatives on different cybercriminal forums\r\nThese differ slightly from the ordinary job offers that other ransomware groups publish (most often for pentester positions). Of particular curiosity is the position of Asterisk Administrator. Based on a July 2021 announcement by Conti, a dedicated Asterisk VoIP service was in development, probably to initiate phone conversations with the victims or the victim’s partners or employees, in order to put more pressure on them. Threat actors are particularly interested in the “Auto Redial” feature of the Asterisk framework, which redials a phone number automatically and repeatedly until the called party picks up.\r\nThe group is also looking for Web Designers with “really creative ideas” and UI/UX Designers “to design layouts of websites and individual user interfaces of web applications”.\r\nTo study potential victims’ activity or to analyze those already attacked, Business Analysts are wanted. They must be proficient in English and know the business particularities in the U.S., have good analytical skills and “pay attention to detail”. Business Analysts working for Conti prospect the B2B market, collect and analyze companies’ financial statements and other public data obtained from government institutions, and also draw up cases on key players on the financial and industrial markets, according to “IT_Works”.\r\nWhat is also quite unique is the well-structured corporate approach Conti adopted: their “partners” have paid vacations and sick leave. They usually work a 3pm-1am, Monday to Friday schedule, remote only.\r\nWhat do the Conti leaks tell us?\r\nFollowing the first leak release, we decided to analyze its content and tried to assess how useful it could be in terms of threat intelligence and detection.\r\nThe archive, retrieved by vx-underground⁹, contains mostly text files written in Russian, a few archives, binaries, scripts and software (e.g. Cobalt Strike 4.3, Router Scan), and what looks like an unstructured manual explaining to Conti affiliates how to operate.\r\nArchive content\r\nA public quick English translation¹⁰ has been made available; it organizes the leak into three main attack steps: increasing privileges and information collection, uploading data, and locking. For each step, the manuals provide one or more tools/techniques to reach the objective, with a kind of best-practices approach and a collection of the best tools to use.\r\nThere is no new tool or technique to discover: everything is quite old and well known (e.g. Mimikatz) and should already be detected. They are nonetheless up to date with the latest vulnerabilities and have a manual for “PrintNightmare” (CVE-2021-34527, which at the time of writing had still not been fully fixed by a Microsoft patch). Obviously, they also try to use Microsoft built-in tools as much as possible (e.g. PowerShell, WMI) to blend in with legitimate activity and avoid detection.\r\nSome recommendations are made in terms of operational security in the manual files translated as “Anonymity for the paranoid” and “Personal safety” (not available in the public English translation):\r\nA couple of notes on posts about anonymity for the paranoid:\r\n1. The task is not to hide (it still won’t work), but to merge with the crowd. So by disabling WebRTC, JavaScript, Flash, etc. you just attract more attention to yourself. You should NOT DISCONNECT, but CHANGE what allows you to be detected.\r\n2. Concerning Kali and other operating systems for hackers. There is a group of people (hackers) that needs to be tracked. Technically, this problem is difficult to solve. It’s easier to play on human weakness (laziness) and gather everyone together by providing a properly advertised, convenient, ready-made and popular solution. I think the idea is clear. I advise you to use Debian or build something of your own.\r\nI think everyone here works through a virtual machine. Therefore, I advise you to install the virtual machine on an encrypted volume using VeraCrypt.\r\n1. Download VeraCrypt.\r\n2. You will need to allocate space on your disk for a file, or encrypt the entire disk at once.\r\nAn important rule is that you will have to install the virtual machine again, because, unfortunately, when you encrypt your old working virtual machine, an insurmountable error will appear in the code and it will no longer start. This is not a big problem, because you can get all your files from the image of your old virtual machine via 7ZIP.\r\nBecause they are hunting for administrator accounts, they are also cautious about their reaction. In the following extract from the “Hunting admins, please read, very useful !!” manual, a very explicit warning is made to dissuade an attacker from directly logging in to a computer session of an administrator:\r\nNext is an IMPORTANT POINT.\r\nFirst of all, beginners try to raise a session there and VERY OFTEN catch an alert. An alert at the admin = being cut out of the network, loss of time, nerves. Do not do this!\r\nWhat we’re going to do is poll it through the file system.\r\nAt the same time, they could go for a live brute force of accounts when required, and, as noticed by other researchers¹¹, they use the same example directory (i.e. “ProgramData”) for all their command outputs, which probably leads to a lot of copy/paste.\r\n“ProgramData” directory usage example\r\nTheir discovery, collection and exfiltration methods largely match those of other ransomware groups, and most of the time the techniques described aim for efficiency more than stealth.\r\nOverall, the archive reveals an interesting insider look into some ransomware attack operations where the attackers look for the weakest points of defense. It also confirms that most of the techniques from these groups are known and give lots of detection opportunities. This should again remind us as defenders where to focus.\r\nThe second leak¹² was not as useful: it is 27 GB of mainly tutorial video files from several sources (free or paid), teaching penetration testing (e.g. Metasploit, Cobalt Strike, network) and reverse engineering. Some sources are in English while others are in Russian, but none seem specific to Conti. Indeed, the content of this leak confirms that Conti recruiters are also looking for beginners who will then be trained by following these tutorials, as indicated on a cybercriminal forum:\r\nTranslated from Russian, the post reads: “Recruitment of pentesters continues. […] Whether you’re a professional or a beginner, it doesn’t matter. We have an individual approach to everyone. We will teach and help, we need guys who want to progress in a long-term cooperation!”.\r\nConclusion\r\nThe Conti leaks are a great source of knowledge on how ransomware cartels operate overall. They give good insights into how they handle their operations, how they are organized and the techniques used in these operations. This will likely raise the interest of other threat actors who might enter the ransomware scene by embracing a modus operandi that, up until now at least, has worked very well.\r\nIn the second part of this blog series we will cover some techniques used by Conti in the first leak and the detection opportunities for each one. Read: An insider insights into Conti operations – Part two!\r\nSource: https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one"
	],
	"report_names": [
		"an-insider-insights-into-conti-operations-part-one"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0df5910176ea2a547693b0f25b2c36a02ea2a327.pdf",
		"text": "https://archive.orkl.eu/0df5910176ea2a547693b0f25b2c36a02ea2a327.txt",
		"img": "https://archive.orkl.eu/0df5910176ea2a547693b0f25b2c36a02ea2a327.jpg"
	}
}