{
	"id": "51b30c5e-515c-4f08-9e71-b6e131cc4520",
	"created_at": "2026-04-06T00:09:01.566243Z",
	"updated_at": "2026-04-10T13:12:19.193677Z",
	"deleted_at": null,
	"sha1_hash": "5b79c6a3660ad05da5619e7f12857a4e66c07670",
	"title": "Conti Ransom Gang Starts Selling Access to Victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 297813,
	"plain_text": "Conti Ransom Gang Starts Selling Access to Victims\r\nPublished: 2021-10-25 · Archived: 2026-04-05 14:47:07 UTC\r\nThe Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected\r\nwith Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where\r\nconfidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the\r\ncybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the\r\norganizations it has hacked.\r\nA redacted screenshot of the Conti News victim shaming blog.\r\n“We are looking for a buyer to access the network of this organization and sell data from their network,” reads the\r\nconfusingly worded message inserted into multiple recent victim listings on Conti’s shaming blog.\r\nIt’s unclear what prompted the changes, or what Conti hopes to gain from the move. It’s also not obvious why\r\nthey would advertise having hacked into companies if they plan on selling that access to extract sensitive data\r\ngoing forward. Conti did not respond to requests for comment.\r\n“I wonder if they are about to close down their operation and want to sell data or access from an in-progress\r\nbreach before they do,” said Fabian Wosar, chief technology officer at computer security firm Emsisoft. “But it’s\r\nsomewhat stupid to do it that way as you will alert the companies that they have a breach going on.”\r\nThe unexplained shift comes as policymakers in the United States and Europe are moving forward on efforts to\r\ndisrupt some of the top ransomware gangs. Reuters recently reported that the U.S. 
government was behind an\r\nhttps://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/\r\nPage 1 of 3\n\nongoing hacking operation that penetrated the computer systems of REvil, a ransomware affiliate group that\r\nexperts say is about as aggressive and ruthless as Conti in dealing with victims. What’s more, REvil was among\r\nthe first ransomware groups to start selling its victims’ data.\r\nREvil’s darknet victim shaming site remains offline. In response, a representative for the Conti gang posted a long\r\nscreed on Oct. 22 to a Russian language hacking forum denouncing the attack on REvil as the “unilateral,\r\nextraterritorial, and bandit-mugging behavior of the United States in world affairs.”\r\n“Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such\r\nindiscriminate offensive action?” reads the Conti diatribe. “Is server hacking suddenly legal in the United States or\r\nin any of the US jurisdictions? Suppose there is such an outrageous law that allows you to hack servers in a\r\nforeign country. How legal is this from the point of view of the country whose servers were attacked?\r\nInfrastructure is not flying there in space or floating in neutral waters. It is a part of someone’s sovereignty.”\r\nConti’s apparent new direction may be little more than another ploy to bring victim companies to the negotiating\r\ntable, as in “pay up or someone will pay for your data or long-term misery if you don’t.”\r\nOr maybe something just got lost in the translation from Russian (Conti’s blog is published in English). 
But by\r\nshifting from the deployment of ransomware malware toward the sale of stolen data and network access, Conti\r\ncould be aligning its operations with many competing ransomware affiliate programs that have recently focused\r\non extorting companies in exchange for a promise not to publish or sell stolen data.\r\nHowever, as Digital Shadows points out in a recent ransomware roundup, many ransomware groups are finding it\r\ndifficult to manage data-leak sites, or hosting stolen data on the dark web for download.\r\nAfter all, when it takes weeks to download one victim’s data via Tor — if indeed the download succeeds at all —\r\nthe threat of leaking sensitive data as a negotiation tactic loses some of its menace. It’s also a crappy user\r\nexperience. This has resulted in some ransomware groups exposing data using public file-sharing websites, which\r\nare faster and more reliable but can be taken down through legal means quite quickly.\r\nData leak sites also can offer investigators a potential way to infiltrate ransomware gangs, as evidenced by the\r\nrecent reported compromise of the REvil gang by U.S. authorities.\r\n“On 17 Oct 2021, a representative of the REvil ransomware gang took it to a Russian-speaking criminal forum to\r\nreveal that their data-leak sites had been ‘hijacked’,” Digital Shadows’ Ivan Righi wrote. “The REvil member\r\nexplained that an unknown individual accessed the hidden services of REvil’s website’s landing page and blog\r\nusing the same key owned by the developers. 
The user believed that the ransomware gang’s servers had been\r\ncompromised and the individual responsible for the compromise was ‘looking for’ him.”\r\nA recent report by Mandiant revealed that FIN12 — the group believed to be responsible for both Conti and the\r\nRyuk ransomware operation — has managed to conduct ransomware attacks in less than 3 days, compared to\r\nmore than 12 days for attacks involving data exfiltration.\r\nSeen through those figures, perhaps Conti is merely seeking to outsource more of the data exfiltration side of the\r\nbusiness (for a fee, of course) so that it can focus on the less time-intensive but equally profitable racket of\r\ndeploying ransomware.\r\n“As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new\r\nransomware groups [from pursuing] the path of data-leak sites, or what creative solutions they will create to work\r\naround these issues,” Righi concluded. “The Ryuk ransomware group has proven itself to remain effective and a\r\ntop player in the ransomware threat landscape without the need for a data-leak site. In fact, Ryuk has thrived by\r\nnot needing a data leak site and data exfiltration.”\r\nSource: https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/"
	],
	"report_names": [
		"conti-ransom-gang-starts-selling-access-to-victims"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b79c6a3660ad05da5619e7f12857a4e66c07670.pdf",
		"text": "https://archive.orkl.eu/5b79c6a3660ad05da5619e7f12857a4e66c07670.txt",
		"img": "https://archive.orkl.eu/5b79c6a3660ad05da5619e7f12857a4e66c07670.jpg"
	}
}