{
	"id": "efc4ee08-8735-4eea-ac5e-e4739367e74c",
	"created_at": "2026-05-07T02:44:05.470756Z",
	"updated_at": "2026-05-07T02:44:11.005168Z",
	"deleted_at": null,
	"sha1_hash": "3275cac8c51689bad254ea4eae623a7201997e1a",
	"title": "Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117964,
	"plain_text": "Leaks of Conti Ransomware Group Paint Picture of a Surprisingly\r\nNormal Tech Start-Up… Sort Of\r\nBy etal\r\nPublished: 2022-03-10 · Archived: 2026-05-07 02:36:59 UTC\r\nIntroduction\r\nYou’ve probably heard of the Conti ransomware group. After their 2020 emergence, they’ve accumulated at least\r\n700 victims, where by “victims” we mean ‘big fish’ corporations with millions of dollars in revenue; unlike your\r\naverage neighborhood ransomware operation, Conti never cared for extorting your mother-in-law for her vacation\r\nphotos. For a while, Conti was the face of ransomware, along with fellow gang REvil – until this February, when\r\n14 REvil operatives were arrested by the Russian authorities, leaving Conti effectively alone in its position as a\r\nmajor league ransomware operation. At the time, this was cautiously hailed as a sign of goodwill on Russia’s part;\r\nsome figured that possibly the Russians would finally refuse to tolerate the incessant and irreverent attacks\r\noriginating on Russian soil and targeted at western corporate offices, schools and hospitals. Now, a month later\r\nand two weeks into the full-blown war between Russia and Ukraine, this utopian vision does not seem so likely.\r\nOn February 25th, 2022, Conti released a statement of full support for the Russian government — coupled with a\r\nstern warning addressed at anyone who might consider retaliating against Russia via digital warfare.\r\nFigure 1 – Initial announcement of Conti group supporting Russia\r\nA few hours later, someone high up the chain at Conti must have realized that this statement might possibly\r\nbackfire, and it was modified to read as follows:\r\nhttps://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/\r\nPage 1 of 21\n\nFigure 2 – Modified announcement of Conti group supporting Russia\r\nAs per Dr. 
Maya Angelou’s famous quote, “When someone shows you who they are, believe them the first time”.\r\nA lot of people were angry, and didn’t care for the clarification. To Conti’s dismay, one of these people had the\r\nmeans to meaningfully act on their anger.\r\nStarting February 27, a new Twitter account appeared by the name of “ContiLeaks”, and started doing unto Conti\r\nas they often did unto corporations who won’t pay up. Allegedly a Ukrainian security researcher, ContiLeaks\r\npublished a huge log containing hundreds of thousands of Jabber and Rocket.Chat messages that Conti had used\r\nfor internal communication. This led to a veritable gold rush of researchers diving into the huge pile of messages\r\nand sharing their summaries, findings and observations; we’d be remiss not to mention the in-depth series of blog\r\nposts published by Brian Krebs, who read the entire leak and distilled it into a list of takeaways – a sacrifice that\r\nmust not be taken for granted.\r\nWe say that because the data-set in question is simply maddening to wade through. First of all, as noted above, it\r\nis huge. Once you get past that, there are many other problems. Some of the messages are missing. Some of the\r\nmessages are unclear. Some of the messages were encrypted with OTR (Off-the-Record Messaging). Some of the\r\nmessages contain Russian slang that does not survive automatic translation — such as the below conversation\r\nwhich was, originally, about email address blacklisting evasion:\r\nFigure 3 – Example of how tricky Russian slang is for automated translation tools\r\nThat first message feels like it should lead to a punchline a la “my dog has no nose”, but all it leads to is\r\nfrustration and sadness on the part of the analyst reading it – as do many other similar messages. Still, with all the\r\nabove said, these messages offer an unprecedented insight into the operations of the Conti Corporation. 
And it is a\r\ncorporation, for all intents and purposes; there’s an HR department, a hiring process, offline office premises,\r\nsalaries and bonus payments. If it weren’t for the looming threat of prison, you could mistake Conti for a normal\r\ntech startup. In this article, we delve into the inner workings of the surprisingly startup-like Conti group.\r\nTeams and responsibilities\r\nConti’s structure is almost a classic organizational hierarchy, with team leaders who report to upper management,\r\nbut to their credit there are many instances of different groups working with each other directly (this is called\r\n“horizontal information flow”, and is a Good Thing and a sign of organizational health, as any steeple-handed\r\nthinkfluencer will happily tell you).\r\nTo give an overview of how the communications between the members and affiliates work, we tagged most of the\r\nactive members from Jabber chat with their professional occupations and visualized their communications. In this\r\ngraph, the more saturated the link between two members, the more intensive their communication; the graph thus shows\r\nboth vertical linkage between the bosses and subordinates, and horizontal linkage between the members actively\r\nworking on shared projects. 
This, however, is by no means a perfect representation of the organizational structure,\r\nas people are being replaced and promoted all the time.\r\nGraph notes:\r\nNode colors group people with similar roles within the organization.\r\nUsers with fewer than 10 incoming and outgoing messages were filtered out of the graph.\r\nDue to the use of encryption services, some conversations are missing messages.\r\nThe main groups we observed were:\r\nHR – Responsible for making new hires. This includes combing through Russian-speaking job searching\r\nsites, organizing online interviews, and mediating between the interviewer and the relevant technical focal\r\npoint. In many cases, HR did not have the authority to decide on compensation; if an interview went well,\r\nthe candidate would be referred to higher management who would make them an offer.\r\nCoders – The celebrated folk who maintain the nuts and bolts of the actual malware code, the server back-ends, and admin web panels required by the Conti group’s day-to-day operations. 
This extends to many\r\nauxiliary tools used by the Conti group including TrickBot, Bazaar, Anchor, the C\u0026C infrastructure and, of\r\ncourse, the “lockers” themselves that encrypt the files of unfortunate victims.\r\nTesters – Check various malware against known security solutions to make sure that they avoid detection.\r\nUnderstandably, security vendors aren’t thrilled to sell their products to the Conti group — in at least one\r\ncase a third party had to get involved, and make the purchase on Conti’s behalf (while collecting a hefty\r\npremium), and we imagine this was a normal occurrence.\r\nCrypters – “Crypting” is cybercrime slang for what some of us more academic types call “obfuscation”.\r\nCrypters are tasked with making syntactic changes to payloads, binaries and scripts to make them more\r\ndifficult to detect and analyze while preserving their semantic function. Crypters would often work closely\r\nwith testers; crypter strategies could look good in theory, but the real test was when a tester would throw\r\nthem against a hostile sandbox.\r\nSysAdmins – Conti members tasked with setting up the attack infrastructure and providing support as\r\nnecessary. This includes all tasks dealt with by a typical IT department — installing panels, maintaining\r\nservers, erecting proxies, registering domains, managing accounts, and presumably telling other Conti\r\nmembers to try turning off their machines and turning them back on again.\r\nReverse Engineers – Look at existing tools in order to understand how they work. For instance, while the\r\nConti locker was being built during mid-2020, its development was supported by a reverse-engineering\r\neffort of the Maze ransomware, which was being used at the time by some of Conti’s affiliates. 
Another\r\nexample is a project reversing the Buer loader in order to launch a similar project inside the Conti\r\necosystem.\r\nOffensive Team – Given initial access to a victim machine, these Conti members (called “hackers” and\r\n“pentesters” in communications) are responsible for privilege escalation and lateral movement, converting\r\nan initial breach into a full capture of the targeted network. Their ultimate goal would be to obtain domain\r\nadministrator privileges, which would then allow exfiltrating and encrypting the victim data.\r\nOSINT Specialists and Negotiation Staff – Once a victim’s data is successfully held for ransom, these\r\nConti members step in to make demands and attempt to secure a deal. Some are OSINT specialists,\r\nconducting research on the targeted company — the sector it operates in, its annual revenue, and so on, in\r\norder for the ransom payment demand to strike a balance between lucrative and realistic. Other members\r\ndo the actual negotiation, and act as “customer service representatives” operating Conti’s Tor-based chat.\r\nHandling “customers” would often entail coaxing, making threats, or providing proof that Conti possesses\r\nthe exfiltrated data and can recover it for the victim or publish it, depending on whether the victim pays.\r\nManagement of the Conti leaks blog, and scheduling publication of victim data in case the deadline for\r\nransom payment is not met, also falls under this department’s purview.\r\nFrom the graph we can also identify the main people in the organization who play key roles in the group’s\r\ncommunications:\r\nFigure 4 – Key members and their communications based on the leaked messages\r\nStern is the Big Boss, well-known as a leader of the group both internally and outside the organization.\r\nHe’s the one developing the high-level vision of 
the group’s operations and collaborations with affiliates,\r\nand manages many of the people and projects directly and indirectly. Stern also directly pays salaries to\r\nmultiple members of the organization and manages most of the expenses. Depending on the period, Stern’s\r\nmanagement style fluctuates widely between micromanagement, with broadcast messages asking members\r\nabout their tasks and problems, and multi-day absences.\r\nBentley is a technical lead of the group, responsible for testing and evasion of malware and payloads used\r\nby multiple groups inside and outside the organization. Bentley manages teams of crypters and testers,\r\nworking with many different internal and external customers, and handles questions related to\r\ndigital certificates and third-party anti-virus solutions.\r\nMango is the “manager of general questions of the team”, mostly resolving questions between the people\r\nwho are responsible for infection campaigns and the coders. Mango also takes part in the HR process and\r\ndirectly pays salaries to part of the task force, as well as effectively assisting Stern with his other projects.\r\nBuza is a technical manager responsible for coders and their products, curating loader and bot\r\ndevelopment within multiple coder teams.\r\nTarget is a manager responsible for the hackers’ teams, their intercommunication and workload. He also\r\nmanages all aspects of all offline offices, both for hackers and operators, including their budgeting, HR and\r\neffective communication with other parts of the organization. He also manages part of the tasks related to\r\nsocial engineering campaigns.\r\nVeron aka mors is the focal point of the group’s operations with Emotet. 
Veron manages all aspects\r\nof Emotet campaigns, including their infrastructure, working closely with relevant Conti members.\r\nHiring process\r\nWe’ve all heard of the skill shortage in tech, and the Conti group has to deal with it just like everyone else. To\r\nimprove their odds, they opted to diversify their initial candidate pool; instead of solely relying on criminal\r\nunderground talent, Conti regularly recruits staff by abusing legitimate recruitment websites.\r\nRecruitment Sites\r\nThe main resources typically used by Conti HR for hiring are Russian-speaking headhunting services such as\r\nheadhunter.ru. They’ve also used other sites such as superjobs.ru, but reportedly with less success. Conti OPSec\r\nforbids leaving traces of developer job openings on such websites, a regulation stringently enforced by one of the\r\nhigher-ups, Stern; and so for hiring developers, Conti bypasses the headhunter.ru job system, instead directly\r\naccessing the CV pool and contacting candidates by email. You might wonder “why does headhunter.ru offer such\r\na service?”, and the answer is, they don’t. Conti simply bought software which provides access to the\r\n“borrowed” CV pool without permission, which seems to be standard practice in the cybercrime world.\r\nFigure 5 – Access to the headhunter.ru resume database through third-party tools for recruitment purposes\r\nThis need to directly interface with a huge list of CVs instead of using the site’s built-in filtering further\r\nexacerbates the typical HR struggle to find candidates with the relevant tech expertise. 
At times, Conti HR has\r\nexpressed downright frustration at being swamped with irrelevant candidates:\r\nFigure 6 – Challenges in finding talent for Conti Corporation\r\nOnce HR does locate a candidate who might fit some vacancy inside Conti Corp, their CV is anonymized and sent\r\nto the relevant technical point of contact inside the organization. This begins a cumbersome dialogue where HR\r\nacts as a mediator, to make sure that the candidate’s prospective superior does not learn their identity. Needless to\r\nsay, this process is not bulletproof. Sometimes it’s possible to deduce the candidate’s identity by running a web\r\nsearch for their job experience, and sometimes HR would just make a mistake and fail to expunge the name.\r\nFigure 7 – CV of one of the candidates passed from HR to the hiring manager\r\nOne might be surprised by the demographic make-up of Conti employees. Contrary to the prevailing stereotype of\r\nyoung and reckless cybercriminals, who have an illusion of invincibility and nothing to lose, Conti was also\r\napproached by prospective senior employees. One such person, who claimed to have developer experience going\r\nback to 1980, introduces himself as follows:\r\nFigure 8 – Old school developer working for the group\r\nThe use of HeadHunter as a recruiting tool is not limited to technical specialists. It was also used for recruiting\r\nother employees, e.g. 
dispatchers for call centers used in social engineering campaigns such as BazaarCall.\r\nInterviewing these candidates is the responsibility of “Derek”, a Conti HR employee, who’d use Telegram instead\r\nof Tor-based chats for this task.\r\nWord of Mouth\r\nWhen communicating with employees, higher management would often make the case that working for Conti was\r\nthe deal of a lifetime — high salaries, interesting tasks, career growth(!) — and employees should make an effort\r\nto pull in any highly-talented candidates they know, so that they may also enjoy this paradise. “Stern”, one of the\r\nhigher-ups, even came up with an employee referral program for coders, where a successful referral that lasts\r\nmore than a month nets a bonus equal to the referred employee’s second salary.\r\nFigure 9 – Refer-a-friend bonuses\r\nIn one truly outstanding case, a curious ex-red teamer hacked the group’s Jabber in order to speak to Stern\r\ndirectly. While in a typical tech company such a gambit might be frowned upon, in the cybercrime world it is\r\nevidently an equivalent of the mythical Firm Handshake:\r\nFigure 10 – Ex-red teamer who hacked the group’s Jabber and later got the job\r\nDarknet Forums\r\nApart from these unorthodox methods, Conti also recruits talent in the more traditional way, through underground\r\nforums. Prospective candidates are first given the Jabber handle that their interviewer will use (such as admintest,\r\nwhich would handle tests for sysadmins). If the interview was successful, a permanent account for the candidate is\r\ncreated. 
Even with this routine method, Conti HR would sometimes get creative: for example, when searching for\r\noffensive team members and sysadmins, they came up with the idea of “recycling” an older recruitment drive by a\r\nrival ransomware group. Their chief competitor, REvil, had earlier pulled a publicity stunt and deposited a million\r\ndollars in bitcoin into an account, then posted a recruitment ad in the midst of the very active forum thread\r\ndiscussing the deposit. This ad received many responses with contact details, all public, and so Conti HR could\r\nextract from this thread a pool of high-quality candidates to spam with job offers.\r\nFigure 11 – Borrowing talent from the REvil group’s thread on the dark forum\r\nCompensation and Performance\r\nMembers of Conti’s negotiating team (including OSINT specialists) are paid by commissions, calculated as a\r\npercentage of the paid ransom amount that ranges from 0.5% to 1%. 
Coders and some of the managers are paid a\r\nsalary in bitcoin, transferred once or twice a month.\r\nConti employees are not protected by their local labor boards, and so have to endure some practices that typical\r\ntech employees are exempt from, such as being fined for underperforming:\r\nFigure 12 – Fines for underperformance\r\nWhile fines are mostly used as an established tool in the coder department, they are sporadically employed at\r\nmanagers’ whim in other departments — for example, in IT and DevOps, where one person responsible for\r\ndepositing money was fined $100 for a missed payment:\r\nFigure 13 – Fines for technical mistakes\r\nUltimately, this method proved not to be effective enough, and Conti management had to resort to the more traditional\r\nthreat of termination in order to motivate employees, as seen below.\r\nFigure 14 – Termination for unmotivated employees\r\nThe Offensive team gets less flexibility in its time off as well. After all, a team member being available or not can\r\nspell the difference between a breach being detected and neutralized, and it being successfully advanced to the\r\nstage where victim data is encrypted and exfiltrated. For members of this team, who are used to being constantly\r\non call, a simple pleasure such as having Saturday and Sunday off is cause for celebration:\r\nFigure 15 – No work-life balance for some Conti employees\r\nOther than these strokes of good fortune, the offensive team cannot catch a break. Even on the New Year, which is\r\nwidely celebrated in all Russian-speaking countries and usually entails several days of employee vacation,\r\nmembers of this team are expected to jump into their “combat roles” if need be. 
Other employees are also\r\ntechnically on call during these days, but it is strongly implied that they are on paid vacation in practice, and will\r\nnot be getting bosses’ surprise inspection texts during the holiday.\r\nFigure 16 – Conti employees are expected to be available for work even during the New Year holidays\r\nAs seen in Silver’s message further above, there is an “employee of the month” award that draws from the fund of\r\npunitive fines levied on that month’s less favored employees. The award bonus is equal to 50% of that employee’s\r\nsalary, and may be given to employees for useful new initiatives that score points with management (such as\r\ninventing a new payload delivery method) or for extraordinary commitment and persistence while solving some\r\nspecific issue.\r\nFigure 17 – Employee of the month competition\r\nManagement evidently takes the award very seriously — the reasons for picking the winner are not made up, and\r\nthe above-mentioned points do matter.\r\nFigure 18 – How the managers chose the employee of the month\r\nManagement style varies from team to team. In some cases, the “big boss” Stern just sends a broadcast message\r\nasking the group how they are, what projects they are working on and whether they have any new ideas they want\r\nto advance. 
In other cases, middle management is involved and typically demands reports, most of which are\r\nunfortunately unavailable to us as they are transferred with OTR or via private sharing services such as privnote.\r\nAt times team leaders might even engage in the time-honored corporate tradition of the Performance Review,\r\ndiscussing at the end of the year how the employee fared, what they did right and how they can improve, as well\r\nas informing them about Conti’s global plans for next year and recommending training opportunities.\r\nFigure 19 – “Performance review” and official training for Conti employees\r\nRemote and Anonymous Work\r\nNot all Conti employees know that they are part of criminal activity — at least not right from the start. In one\r\nonline job interview, a manager tells a potential hire for the coding team: “everything is anonymous here, the main\r\ndirection of the company is software for pentesters”.\r\nOne striking example is a group member known by the moniker “Zulas”, most likely the person who developed\r\nTrickbot’s backend in the Erlang programming language. Zulas is very passionate about Erlang, eager to show\r\nexamples of his other work, and even mentions his real name. When his manager mentions that his “trick”\r\n(Trickbot) project was seen by “half of the world”, Zulas does not understand the reference, calls the system\r\n“lero” and reveals that he has no idea what his software is doing and why the team goes to such lengths to protect\r\nmember identities. 
His interlocutor decides not to break his naive heart, and tells him that he is working on a\r\nbackend for an ad analytics system.\r\nFigure 20 – Trickbot backend developer allegedly doesn’t know what he develops\r\nEven when an unwitting employee finally realizes what they are building, Conti has a plan to retain them. Stern\r\nhimself briefly describes the process in another conversation: the coder might work on just one module, without\r\nunderstanding the project as a whole; when they finally realize, after many hours of work, Conti offers them a pay\r\nraise. Stern testifies that by that point, employees typically figure that since everything has gone smoothly so far,\r\nthey don’t have to worry about consequences, and therefore the only incentive to go through the hassle of quitting\r\ntheir job is moral considerations. Stern seems to imply that this method yields good retention rates, even\r\nfor employees who would otherwise have balked at being recruited to work for a cybercrime syndicate in the first\r\nplace. If you ask us, this ranks right up there with Asch’s and Milgram’s experiments as a depressing empirical\r\nresult in social psychology.\r\nFigure 21 – What do Conti developers know about what they are doing?\r\nAt Conti, We Work Hard and Play Hard\r\nIt seems that many of the long-term employees developed relationships that extend further than just anonymous\r\ncommunication via work chat. For example, some employees are comfortable with lending other members money\r\nif they are stuck in another city and forgot their ledger. 
Some members even have face-to-face meetings, getting\r\ntogether and drinking wine with their families:\r\nFigure 22 – Relationship between some Conti employees\r\nAn inherent part of belonging to a crime group, and a natural conversation subject between colleagues, is the job\r\nrisk. Attitudes to this subject vary greatly between employees: some disregard the risk and see mainly the\r\nbenefits, going so far as to romanticize their job (“only here I realized the dreams can come true”), and others\r\nexpress fear and even outright confess that they want out.\r\nFigure 23 – The realization of what the group is doing\r\nOffline Offices\r\nYou’d imagine an enterprise like Conti would be hosted entirely online, but no: the Conti group holds several\r\nphysical offices. These are curated by “Target”, Stern’s partner and effective head of office operations, who is also\r\nresponsible for the wage fund, office technical equipment, the Conti hiring process and personnel training. During\r\n2020, offline offices were mainly used by testers, offensive teams and negotiators; Target mentions two offices\r\ndedicated to operators who speak directly with victim representatives. 
In August 2020, an additional office\r\nwas opened for sysadmins and programmers, under the purview of “Professor”, who is responsible for the whole\r\ntechnical process of securing a victim infection.\r\nFigure 24 – Expenses in Conti Corporation\r\nThe leaked Rocket.Chat messages include the communications of the offensive team members who worked at the\r\noffice, indicating that Rocket.Chat was likely installed on their mobile devices.\r\nFigure 25 – Office day-to-day of Conti Corporation\r\nFuture Development Plans\r\nConti higher management constantly seeks new ways to expand the business. The ideas floated for this purpose\r\nrange from simple scams to full-scale side projects. One of the ideas discussed was creating a crypto exchange in\r\nthe group’s own ecosystem:\r\nFigure 26 – “Crypto System” plans by Conti group\r\nMango seems to enthusiastically support all the boss’s ideas and promotes them among other members of the\r\ngroup:\r\nFigure 27 – Internal promotion for the new crypto business ideas\r\nAnother project is the “darknet social network” (also: “VK for darknet” or “Carbon Black for hackers”),\r\ninspired by Stern and carried out by Mango, and planned to be developed as a commercial product. 
In July 2021 Conti\r\nwas already in contact with a designer, who produced a few mockups.\r\nFigure 28 – Design mockups for the new darknet social network\r\nAftermath of the Leak\r\nBecause the leak kept going after the initial dump of leaked data, we all got the unusual privilege of seeing\r\nresponses to the original leak. Members were seen wiping past activity, removing production VMs and moving to\r\nother communication channels.\r\nFigure 29 – Cleaning the production VMs after the leak\r\nIt seems the leak added to the pile of current problems in Conti. As we saw in the chats, the big boss Stern went\r\nsilent around mid-January; in January and February we observed multiple reported issues with salaries; and\r\neventually, a few days before the leak, Frances in Rocket.Chat tells everyone to take a break for 2-3 months to\r\nregroup and reorganize due to wide public attention and the absence of the group’s bosses.\r\nFigure 30 – Notification in Rocket.Chat regarding the suspension of operations\r\nWhile all this is going on, the Conti business remains operational, at least partially. The Conti leak site\r\n(ContiNews) is still up and keeps being updated with new victims. Since the setup and support of\r\nConti infrastructure is a streamlined process, it won’t be too much of a problem for Conti to set up its operations again from\r\nscratch.\r\nAs for members, Conti will in all likelihood lose a few. Certainly, those members who were doxxed as a result of\r\nthe leak are expected to at least take a long vacation. 
Several more employees who were offended by the\r\nway other members talked about them behind their backs will probably leave, as well as those who were already uneasy\r\nabout the potential occupational hazards of working for a ransomware operation; this ongoing leak no doubt\r\nspooked them.\r\nHaving said all that, with all the knowledge, effort, organization, ingenuity and money poured in, Conti is simply\r\nToo Big To Fail. Barring a sweeping arrest such as the fate that befell REvil, Conti will in all likelihood rise\r\nagain. If any of us had romantic delusions about a hugely profitable operation such as Conti being run by a small,\r\nclueless, passionate group that’s just “winging it” and might get tired of rolling in all this money, we all know\r\nbetter now.\r\nSource: https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/"
	],
	"report_names": [
		"leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of"
	],
	"threat_actors": [],
	"ts_created_at": 1778121845,
	"ts_updated_at": 1778121851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3275cac8c51689bad254ea4eae623a7201997e1a.pdf",
		"text": "https://archive.orkl.eu/3275cac8c51689bad254ea4eae623a7201997e1a.txt",
		"img": "https://archive.orkl.eu/3275cac8c51689bad254ea4eae623a7201997e1a.jpg"
	}
}