{
	"id": "3add598e-e943-497c-b0e4-91c0ebc47f76",
	"created_at": "2026-04-06T01:28:56.020137Z",
	"updated_at": "2026-04-10T03:19:55.769215Z",
	"deleted_at": null,
	"sha1_hash": "0e1df93df41676f9936aeadf88938add608633ed",
	"title": "Move fast and commit crimes: Conti’s development teams mirror corporate tech",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45062,
	"plain_text": "Move fast and commit crimes: Conti’s development teams mirror corporate tech\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-06 01:02:39 UTC\r\nThere has been a long-standing trope about cybercriminals for nearly two decades: young men sitting alone in a dark basement, hopped up on energy drinks and EDM basslines, crafting code into the wee hours of the morning in the hope that their malware will net them millions of dollars after they hack their way into the world’s leading companies. This idea has crept into the information security industry’s mindset, mainly the belief that it’s nearly impossible to stop these kinds of criminals, who work in small teams or alone, because they don’t have to follow the corporate norms that are put in place to protect organizations.\r\nThe recent Conti leaks flip this narrative on its head. Researchers with Intel 471 have found that the ransomware group’s development operations mirror those of most technology-focused companies: scores of employees separated into divisions, building “products” with commonly used tools, and a focus on tech-savvy concepts like “continuous integration” and “continuous delivery.” This mirroring of the corporate culture of most technology companies changes the paradigm for organizations that need to protect themselves. Instead of a rag-tag group of tech-minded marauders outmaneuvering organizations’ security teams, the reality is that ransomware gangs are devoting time, effort, manpower and money on a business-like level for the sole purpose of extorting legitimate businesses.\r\nCrime needs lots of code\r\nIntel 471 estimates that at one point Conti included as many as 150 members, with different departments and teams working on a variety of projects. Conti’s backbone was the development team, with subdivisions responsible for building malware, testing its functionality, and recruiting and onboarding new employees. Each team had “subteams” responsible for their own tasks and projects, including a team specifically working on the BazarBackdoor and TrickBot malware. It also included coders developing malware crypters, front- and back-end environments, TrickBot web-injects and various other modules.\r\nThere were at least eight “senior” developers who were responsible for different ransomware builds, while also floating between teams responsible for other malware, crypting services, and support projects. Senior developers also reached out to various affiliates for “customer service,” discussing particular attacks and providing various ransomware builds and decrypters.\r\nTeam leaders placed specific focus on the crypting efforts, which were created to keep malware hidden from antivirus software and cybersecurity experts. As many as 13 developers worked on crypting services, from development to testing to source code review.\r\nThe development team also supported other semi-legitimate projects the group leadership promoted in addition to malware, including the idea of launching a “private social network” for cybercriminals and a blockchain platform similar to the BNB Chain exchange.\r\nhttps://intel471.com/blog/conti-leaks-ransomware-development\r\nPage 1 of 3\r\nBusiness as usual\r\nThe Conti group tasked team members with recruiting developers on legitimate freelance marketplaces as well as underground cybercrime forums. Human resources representatives and the respective team managers usually told newcomers they would be working on “illegal” projects and taught them about operational security measures. Some employees were comfortable with what was presented to them, while others struggled with finding the right level of operational security. Here is a sample of two conversations with new employees:\r\n[Image: Conti Team Blog image1 Dialog]\r\n[Image: Conti Team Blog image2 Dialog]\r\nThe average salary of a developer was about US $2,000 a month, and those who performed well and met project deadlines received bonuses. The group offered awards, bonuses and opportunities for career growth. However, bosses were vocal with those who underperformed and threatened to penalize developers’ earnings if they did not meet benchmarks:\r\n[Image: Conti Team Blog image3 Dialog]\r\n[Image: Conti Team Blog image4 Dialog]\r\nEven criminals have customer service\r\nThe Conti team apparently had members who engaged with clients, discussing inquiries and eliminating bugs that would appear in the malware:\r\n[Image: Conti Team Blog image5 Dialog]\r\nThe same person who chided poor performance among other developers was also tasked with reaching out to clients in a sales engineer capacity. The following conversation shows him instructing a customer on what to check before using new builds in future schemes:\r\n[Image: Conti Team Blog image6 Dialog]\r\nAll in a day’s work\r\nThe conversations uncovered by Intel 471 could arguably be found in any legitimate organization that depends on code development to be operationally successful. That these conversations were happening in an organization devoted to cybercrime is evidence that ransomware gangs are not fly-by-night operations. These groups are organized enough to know that they need time to remain a lucrative endeavor and multiple levels of technical talent to meet those goals. By understanding how closely ransomware gangs mirror legitimate technology firms, security teams can formulate their defensive posture and establish to the rest of their organization’s operations what needs to be done in order to keep their enterprise safe.\r\nSource: https://intel471.com/blog/conti-leaks-ransomware-development",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/conti-leaks-ransomware-development"
	],
	"report_names": [
		"conti-leaks-ransomware-development"
	],
	"threat_actors": [],
	"ts_created_at": 1775438936,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e1df93df41676f9936aeadf88938add608633ed.pdf",
		"text": "https://archive.orkl.eu/0e1df93df41676f9936aeadf88938add608633ed.txt",
		"img": "https://archive.orkl.eu/0e1df93df41676f9936aeadf88938add608633ed.jpg"
	}
}