{
	"id": "3d1799db-858c-4828-ae7a-7c17bcfa461d",
	"created_at": "2026-04-06T00:12:31.106502Z",
	"updated_at": "2026-04-10T13:12:31.676518Z",
	"deleted_at": null,
	"sha1_hash": "58f8230500a7e67ba1dec7342d670f3520044904",
	"title": "Conti Ransomware | Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1038066,
	"plain_text": "Conti Ransomware | Arctic Wolf\r\nBy Arctic Wolf\r\nPublished: 2022-03-16 · Archived: 2026-04-05 13:45:27 UTC\r\nKey Takeaways\r\nInternal chats between individuals of the Conti ransomware group further reveal the structure of their\r\nRansomware as a Service (RaaS) model.\r\nOverwhelmingly, Conti’s victims have been based in the US, followed by Germany.\r\nCertain individuals within the Conti ransomware group fulfill financial, technical, and management\r\nresponsibilities, as opposed to fully automated solutions.\r\nChats occur between 442 individuals, 44 of whom are considered to be “core” members of the Conti\r\nransomware group.\r\nPolitical affiliations between individuals of the Conti ransomware group are not homogeneous, and in fact\r\ncan be contentious.\r\nConti Ransomware: New Conflict, New Information\r\nAmidst the turmoil of the Ukraine-Russia conflict, incident responders and ransomware researchers observed\r\nseveral ransomware gangs publish statements on their dark web blog sites. Some actors asserted the apolitical\r\nnature of their operations, while others clearly favored a side.\r\nMost notably, the Conti ransomware group posted a public statement in support of Russia with a stern warning of\r\nretaliation on February 25, 2022. Shortly after this, cyber defenders learned that Conti’s pro-Russian\r\nsupport was not representative of the group’s constituents. 
In an ironic turn of events, after Conti exposed private\r\ndata from extorted companies over the past year and a half, Conti’s own sensitive data has now been exposed.\r\nGoing by the handle “@ContiLeaks” on Twitter, individual(s) with access to internal Conti data began publishing\r\nlarge archives of information, including Conti’s internal chats from Jabber, details on infrastructure, internal\r\ndocuments, and even source code, stating emphatically, “Glory to Ukraine.” While third-party leaks cannot be fully\r\nverified, many of their contents correspond to Conti’s dark web posts and our direct experience with this threat\r\nactor. Our analysis can shed light on the nature of communications between the alleged individuals operating\r\nwithin the Conti threat actor group.\r\nConti Victim Demographics\r\nFor background, Conti is one of the most prolific ransomware groups that we have tracked over the past 21\r\nmonths, often ranking in the top 5 of ‘most posted victims’ on their dark web site, where victims who don’t pay\r\nup are exposed and shamed. From monitoring their dark web posting activity to responding to ransomware\r\nattacks initiated against businesses in real time, we can use our own data to contextualize this latest leak.\r\nhttps://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed\r\nPage 1 of 9\n\nConti Dark Web Victims by Geographic Location\r\nOverwhelmingly, Conti’s claimed ransomware victims are headquartered in the United States.\r\nConti Dark Web Claimed Victims by Industry\r\nWhile victim organizations are varied, Conti’s dark web blog exposed manufacturing, construction, and\r\ntechnology firms most often. This is not to say that firms among these industries are the most frequently targeted\r\nby the Conti group — exposure is a consequence of failed negotiations, while companies who quickly pay the\r\nransom typically aren’t exposed. 
Specific targeting of organizations is not the most lucrative tactic for most threat\r\nactors; their most effective strategy finds victims through automated scanning of the public\r\ninternet for any vulnerabilities they know how to exploit that ultimately lead into an internal network.\r\nConti Jabber Messages by Month\r\nA potential pattern emerges between Conti’s dark web posting activity and internal chat logs\r\nMethodology\r\nAfter helping victims recover from Conti ransomware incidents and tracking the group’s activity for 21 months,\r\nwe have become familiar with the group’s tactics, techniques, and procedures (TTPs). Backed by our previous\r\nobservations of the group, we can now learn more about the internal sociological makeup of the Conti gang\r\nthrough an analysis of the revealed chat logs, allowing us to gain an even deeper understanding of how this\r\nadversary model operates.\r\nBy providing insight into the operations of Conti, we can form a clearer picture of the threat actors behind the\r\nransomware. By identifying who the various members are talking to, the frequency and cadence with which they\r\ncommunicate, and the organizational structure of the group, we further our understanding of how to defend\r\nagainst one of the most prolific ransomware groups in the market. In order to dig into these areas, our\r\nmethodology includes relevant chats for context and validation.\r\nAs an example of our methodology, take the following message from the leaked chat logs. On September 24,\r\n2020, an individual going by the cryptonym Mushroom sent a message to another individual named Buza\r\n(cryptonyms have been italicized):\r\n“hello. At this point I made the bootloader for Target like he said, tested them, and I gave them to\r\nBentley. 
Frog told him to give Bentley the stable version of his Bentley kit as well…”\r\nThere is considerable information in this single partial message. Focusing on the individuals and their interactions,\r\nwe can think of these as a network, conceptualizing the individuals as vertices and imputing edges from their\r\nreported interactions. Further, we can determine the source and target of these interactions.[1]\r\nIn the message, Mushroom provides a report to Buza, creating a directed edge between the two. Within the chat,\r\nwe learn that Mushroom was tasked by Target to provide a deliverable to Bentley. Target also receives a request\r\nfrom Frog to provide a deliverable to Bentley. Based even on this single message, we observe a structure begin to\r\nemerge.\r\nThe interactions contained in this single chat transcript can be derived from the body of the message, and these\r\nsame structures are likewise captured in the individuals’ own messages to and from each other. To visualize these\r\nsender and receiver relationships, we analyzed the leaked chat data and built a network that yielded 442\r\nunique chat handles, represented here as nodes.\r\nColored nodes indicate each detected subgroup within the Conti organization\r\nWithin the 442 nodes of the chat network, there were roughly 8 clusters or “communities” based on a community-detection algorithm.[2] 
This is designed to cluster more dense connections within a subgroup and draw a boundary.\r\nThis graph reflects the entire leak, with many weakly-connected nodes, so we filtered the Conti network further\r\ndown to its primary members,[3] which yielded a smaller graph of roughly 44 nodes.\r\nStill denoted by the colors of their network “communities,” and labeled with their chat handles, these individuals\r\nrepresent the core of the Conti network graph. From here, we can begin to tease out the structure further by\r\nasking, “Who is important in this graph?”\r\nTo determine importance, we used a quantitative measure called “degree,” which is simply the number of\r\nconnections to other nodes. In-degree refers to the number of inbound connections (received) and out-degree\r\nrefers to the outbound connections (sent).[4] As a measure of importance, in-degree is largest for\r\nStern, followed by Defender, Bentley, Mango, and Buza.\r\nName      In-Degree  Authority  Hub       PageRank   Betweenness Centrality\r\nStern     157        0.235122   0.308495  0.077951   0.158787\r\nDefender  152        0.224893   0.337484  0.054485   0.286215\r\nBentley   118        0.214211   0.229546  0.065222   0.048557\r\nMango     110        0.178626   0.225409  0.0266974  0.060916\r\nBuza      100        0.18       0.227305  0.0162215  0.053068\r\nIn-degree measures the number of individuals that communicate with the named key players. Another measure of\r\nimportance is called “authority.”[6] This algorithm measures not just connectedness by frequency, but the weight of\r\nimportance from those connections. This can indicate a node’s authoritativeness in a network if other focal nodes\r\npoint to another as a final word, destination, or “authority.”\r\nA hub score is assigned to nodes which more reliably point to others high in authority. 
Like the guiding aim of\r\nauthority, PageRank is a procedure designed to rank the importance of a node based on the importance of the\r\nnodes which point to it.[7]\r\nThe final algorithm used in our analysis determines “betweenness centrality,” measuring how often a node falls along\r\nthe shortest path between any given two nodes. Being high in betweenness centrality is often a strategic position\r\n— someone who is likely a broker or gatekeeper. On this measure of betweenness, Defender is the most central,\r\nconnecting disparate ends of the network to a greater extent than any other node in the network.\r\nFindings\r\nBased on the analysis of the recently leaked Conti chats, it is clear that Conti’s internal structure is anything but\r\nflat and egalitarian. On all measures of centrality aside from PageRank, the same five individuals remained the\r\nmost important nodes.[5] Certain individuals hold central roles within Conti’s ransomware business structure, and the\r\nvarious metrics of network centrality allow us to triangulate key players and positions:\r\nName      Position                 Function\r\nStern     Leader                   Oversees the whole operation.\r\nDefender  Technical Administrator  Manages internal infrastructure.\r\nBentley   Developer/R&D Lead       Oversees “cryptors” and tool obfuscation (testing against Anti-Virus solutions).\r\nMango     General Team Manager     Oversees personnel and manages projects, assists with payroll.\r\nBuza      Coder Lead               Oversees teams of coders.\r\nStern appears to be the superior within the identified core group. It might seem puzzling, for instance, that Stern\r\nranked highest in in-degree, authority, and PageRank, yet Defender holds the advantage in betweenness centrality.\r\nThis is instructive, as the various metrics of importance in the network capture qualitatively different things. 
In\r\nexamining Defender’s network, it appears Defender’s position resembles something of a technical coordinator for\r\nthe network of Conti operatives, maintaining some of the Conti infrastructure and technical operations, and reminding\r\nnew members to submit backup contacts.\r\nDefender appears to report to Stern, who, based on the quantitative findings, had the highest in-degree, PageRank,\r\nand authority scores. These measures can also be corroborated with qualitative analysis of messages between\r\nDefender and Stern. Defender provides reports upon request and was even seen calling in sick to Stern.\r\nMango, also a central node, appears to have some authority over some personnel aspects of the organization,\r\nhaving some involvement with hiring and payroll. Writing to Stern about the shortcomings of a lower manager\r\nafter a promotion, Mango states,\r\n     “love slow down with the promotion, he’s relaxed, he says he’s doing a lot, but in fact there are more\r\nwords than deeds and then see for yourself… I told him off, let him sweat for another month, motivated\r\nhim.”\r\nStern, for his part, instructs Mango to keep the other team members “in check.”\r\nMango’s involvement in payroll is seen in reminding Stern repeatedly, “don’t forget about the paycheck bro,\r\neveryone’s looking forward to it.” Later, reminding his superior:\r\n     “Pay the gang here bc1qkmyv5860pe24h9ytadkzgqltkjuuk9z9s027df\r\n     sum total 85k\r\n     99947 core team 62 people, I get 54 paychecks\r\n     33847 – reverse team, 23 people\r\n     8500 – new team of coders, 6 people, only 4 are getting salaries so far\r\n     12500 Reverses, 6 people\r\n     10000 OSINT department 4 people\r\n     3000 for expenses (servers/protections/ test tasks for new people)\r\n     164.8k total per month.”\r\nIn addition to operating under a hierarchical structure, there is a division of labor within the Conti 
network. The\r\nchat logs are replete with mentions of teams with different designations: teams of coders, core team, reverse team,\r\nand OSINT department. From the chat data, we know that numerous individuals are mentioned occupying certain\r\nroles, such as a message from Stern to Mango in which Stern mentions “HR managers Salaman, Kagas, and\r\nViper” or many others naming individuals as “team leads.”\r\nConclusion\r\nBased on our analysis of the Conti chat network, we have explored the patterns of interactions between nodes to\r\nreveal a hierarchy. Based on the data, there are several members that are the most connected. While there is still\r\nmuch to be discovered about Conti leadership, knowing the overall inner workings of communications, projects,\r\nand deliverables within ransomware structures offers new opportunities to disrupt their operations and avoid them\r\naltogether.\r\nThis leak provides insight into the structure of ransomware groups and the non-technical elements driving the\r\nransomware business. Analysis indicates that individuals within the Conti threat actor group are still responsible\r\nfor technical and financial responsibilities. Rather than a one-off, lone wolf operation, Conti appears in our analysis to be run by a\r\npossible core group of 44 individuals.\r\nConti is armed with a human team, hierarchy, and structure of responsibilities as outlined in their chats and as\r\ninvestigated first-hand by Tetra Defense, an Arctic Wolf company. Being a human-driven enterprise, ransomware\r\nprovides periods of time between victim discovery, initial access, reconnaissance, and attack deployment when an\r\nattack can be disrupted. 
While the future of the Conti group remains uncertain, this leak provides a case study on\r\nthe inner workings of a Ransomware as a Service (RaaS) structure — a common structure used by other threat\r\nactors we investigate daily.\r\nWith the Conti group still operational, the threat remains, as evidenced by the sprawling network of members and\r\naffiliates. This deep analysis provides us a unique understanding of adversary operations, and informs how we\r\nbuild and enhance our detections to anticipate future TTPs and tradecraft. Arctic Wolf works side by side with\r\ncustomers, 24×7, to hunt for activity and deploy new detections—always advancing security operations with\r\nthreat intelligence and analysis to fuel into the Arctic Wolf® Platform.\r\nThis analysis was performed by Tetra Defense, an Arctic Wolf company, in collaboration with Arctic Wolf Threat\r\nIntelligence.\r\n[1] Edges in directed networks are often called arcs; however, for simplicity’s sake we will refer to them as edges in\r\nthis analysis.\r\n[2] Vincent D. Blondel, Jean-Loup Guillaume, Renaud Lambiotte, Etienne Lefebvre, Fast unfolding of communities\r\nin large networks, in Journal of Statistical Mechanics: Theory and Experiment 2008 (10), P1000;\r\nR. Lambiotte, J.-C. Delvenne, M. Barahona, Laplacian Dynamics and Multiscale Modular Structure in Networks,\r\n2009\r\n[3] This is the network’s K-Core.\r\n[4] We are using the unweighted degree to establish sending and receiving relationships and thus filter nodes for\r\nwhich a larger number of messages are exchanged in aggregate. While the latter can be a useful measure, technical\r\ncollaboration may require a higher volume of communication. For transparency, Bentley had the highest weighted\r\nin-degree, followed next by Stern. 
Yet, Bentley had fewer total individuals from which these messages\r\noriginated.\r\n[5] Mango and Buza were not among the top 5 on PageRank.\r\n[6] This is based on Jon M. Kleinberg’s work, “Hubs, Authorities, and Communities”\r\n(http://www.cs.cornell.edu/home/kleinber/auth.pdf) and “Authoritative Sources in a Hyperlinked Environment”\r\n(http://cs.brown.edu/memex/ACM_HypertextTestbed/papers/10.html)\r\nSource: https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed"
	],
	"report_names": [
		"conti-ransomware-leak-analyzed"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58f8230500a7e67ba1dec7342d670f3520044904.pdf",
		"text": "https://archive.orkl.eu/58f8230500a7e67ba1dec7342d670f3520044904.txt",
		"img": "https://archive.orkl.eu/58f8230500a7e67ba1dec7342d670f3520044904.jpg"
	}
}