{
	"id": "d8f39ab0-27bb-49c5-93f2-b14c6c99cebc",
	"created_at": "2026-04-06T00:13:37.990866Z",
	"updated_at": "2026-04-10T03:20:16.24415Z",
	"deleted_at": null,
	"sha1_hash": "343486bdcf7e6965d9e1856f35c7f8c3eac6bef5",
	"title": "Conti Ransomware Group Diaries, Part II: The Office",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1043612,
	"plain_text": "Conti Ransomware Group Diaries, Part II: The Office\r\nPublished: 2022-03-02 · Archived: 2026-04-05 18:00:46 UTC\r\nEarlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti,\r\none of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how\r\nConti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of\r\nthis series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.\r\nThe Conti group’s chats reveal a great deal about its internal structure and hierarchy. Conti maintains many of the\r\nsame business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department\r\nthat is in charge of constantly interviewing potential new hires.\r\nOther Conti departments with their own distinct budgets, staff schedules, and senior leadership include:\r\n–Coders: Programmers hired to write malicious code, integrate disparate technologies\r\n–Testers: Workers in charge of testing Conti malware against security tools and obfuscating it\r\n–Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure\r\n–Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses\r\n–Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data,\r\nand plant ransomware.\r\nConti appears to have contracted out much of its spamming operations, or at least there was no mention of\r\n“Spammers” as direct employees. 
Conti’s leaders seem to have set strict budgets for each of its organizational\r\nunits, although it occasionally borrowed funds allocated for one department to address the pressing cashflow\r\nneeds of another.\r\nhttps://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/\r\nPage 1 of 6\n\nA great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti\r\nmanager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster\r\nwho can be seen constantly needling the staff for reports on their work.\r\nIn July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to\r\nhire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting\r\ngalley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more,\r\nbut there are examples of coders who work normally and earn $5-$10k salary.”\r\nThe Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the\r\nTrickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously\r\ntest, maintain and expand this infrastructure 24 hours a day, 7 days a week.\r\nConti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza\r\nhad its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.\r\nAccording to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders\r\nand software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the\r\nnext. 
For example, on multiple occasions the organization was forced to fire many employees as a security\r\nprecaution in the wake of its own internal security breaches.\r\nIn May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s\r\nmalware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires,\r\nStern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both\r\nHof and Reverse appear to have direct access to the Emotet crimeware platform.\r\nOn July 30, 2021, Mango tells Stern the payroll has increased to 87 salaried employees, with more hires on the\r\nway. But trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity\r\nexperts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as\r\nRyuk.\r\nFirst spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in the first year of\r\nits operation Ryuk earned more than $61 million in ransom payouts.\r\n“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for\r\nsome time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital\r\nsystems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing\r\nCOVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across\r\nmultiple industries.”\r\nOn May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of\r\nConti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of\r\nthe HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services.\r\nIt took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at an estimated cost of more\r\nthan $600 million.\r\nIt remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s\r\noperations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020\r\nConti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.\r\n“Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools,\r\ntechniques and procedures are nearly identical to Conti’s.\r\n“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and\r\nspotting his own code being re-used in high-profile ransomware attacks by Ryuk.\r\n“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,”\r\nAbrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by\r\nthe same people.”\r\nATTRITION\r\nEach Conti employee was assigned a specific 5-day workweek, and employee schedules were staggered so that\r\nsome number of staff was always on hand 24/7 to address technical problems with the botnet, or to respond to\r\nransom negotiations initiated by a victim organization.\r\nLike countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of\r\nBitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.\r\nHowever, many employees used the Conti chat room to vent about working days on end without sleep or breaks,\r\nwhile upper managers ignored their repeated requests for time off.\r\nIndeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and\r\nadministrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation\r\nto the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being\r\napproached to work for competing ransomware organizations, and the overall morale of the group seemed to\r\nfluctuate between paydays.\r\nPerhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees,\r\nmeaning the group was forced to constantly recruit new talent.\r\n“Our work is generally not difficult, but monotonous, doing the same thing every day,” wrote “Bentley,” the\r\nnickname chosen by the key Conti employee apparently in charge of “crypting” the group’s malware — ensuring\r\nthat it goes undetected by all or at least most antivirus products on the market.\r\nBentley was addressing a new Conti hire — “Idgo” — telling him about his daily duties.\r\n“Basically, this involves launching files and checking them according to the algorithm,” Bentley explains to Idgo.\r\n“Poll communication with the encoder to receive files and send reports to him. Also communication with the\r\ncryptor to send the tested assembly to the crypt. Then testing the crypt. If jambs appear at this stage, then sending\r\nreports to the cryptor and working with him. And as a result – the issuance of the finished crypt to the partner.”\r\nBentley cautioned that this testing of their malware had to be repeated approximately every four hours to ensure\r\nthat any new malware detection capability added to Windows Defender — the built-in antivirus and security\r\nservice in Windows — won’t interfere with their code.\r\n“Approximately every 4 hours, a new update of Defender databases is released,” Bentley told Idgo. “You need to\r\nwork for 8 hours before 20-21 Moscow time. And career advancement is possible.” Idgo agrees, noting that he’d\r\nstarted working for Conti a year earlier, as a code tester.\r\nOBSERVATIONS\r\nThe logs show the Conti gang is exceedingly good at quickly finding many potential new ransomware victims,\r\nand the records include numerous internal debates within Conti leadership over how much certain victim\r\ncompanies should be forced to pay. They also show with terrifying precision how adeptly a large, organized\r\ncybercrime group can pivot from a single compromised PC to completely owning a Fortune 500 company.\r\nAs a well-staffed “big game” killing machine, Conti is perhaps unparalleled among ransomware groups. But the\r\ninternal chat logs show this group is in serious need of some workflow management and tracking tools. That’s\r\nbecause time and time again, the Conti gang lost control over countless bots — all potential sources of ransom\r\nrevenue that will help pay employee salaries for months — because of a simple oversight or mistake.\r\nPeppered throughout the leaked Conti chats — roughly several times each week — are pleadings from various\r\npersonnel in charge of maintaining the sprawling and constantly changing digital assets that support the group’s\r\nransomware operation. These messages invariably relate to past-due invoices for multiple virtual servers, domain\r\nregistrations and other cloud-based resources.\r\nOn Mar. 1, 2021, a low-level Conti employee named “Carter” says the bitcoin fund used to pay for VPN\r\nsubscriptions, antivirus product licenses, new servers and domain registrations is short $1,240 in Bitcoin.\r\n“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote on\r\nNov. 24, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet,\r\nthanks.”\r\n“Forgot to pay for the anchor domain, and as a result, when trying to renew it was abused and we /probably/\r\nfucked up the bots,” Carter wrote to Stern on Sept. 23, 2020.\r\nAs part of the research for this series, KrebsOnSecurity spent many hours reading each day of Conti’s chat logs\r\ngoing back to September 2020. I wish I could get many of those hours back: Much of the conversations are mind-numbingly boring chit-chat and shop talk. But overall, I came away with the impression that Conti is a highly\r\neffective — if also remarkably inefficient — cybercriminal organization.\r\nSome of Conti’s disorganized nature is probably endemic in the cybercrime industry, which is of course made up\r\nof criminals who are likely accustomed to a less regimented lifestyle. But make no mistake: As ransomware\r\ncollectives like Conti continue to increase payouts from victim organizations, there will be increasing pressure on\r\nthese groups to tighten up their operations and work more efficiently, professionally and profitably.\r\n“We have all the opportunities and conditions, we just need to be more professional,” Mango wrote Stern on Aug.\r\n27, 2021. “And we constantly have one or the other: Either we write nonsense in chats, or we don’t answer\r\npatients [victims] for half a day. Naturally, our affiliates are nervous after that.”\r\nIf you liked this story, please check out Part III in this series, which examines how Conti secured access to the\r\ncyber weaponry needed to subvert the security of their targets, as well as how the team’s leaders approached\r\nransom negotiations with their victims.\r\nPart IV: Cryptocrime explores different schemes that Conti pursued to invest in and steal cryptocurrencies.\r\nSource: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/"
	],
	"report_names": [
		"conti-ransomware-group-diaries-part-ii-the-office"
	],
	"threat_actors": [],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/343486bdcf7e6965d9e1856f35c7f8c3eac6bef5.pdf",
		"text": "https://archive.orkl.eu/343486bdcf7e6965d9e1856f35c7f8c3eac6bef5.txt",
		"img": "https://archive.orkl.eu/343486bdcf7e6965d9e1856f35c7f8c3eac6bef5.jpg"
	}
}