{
	"id": "1611dd31-f988-4217-8b8a-52ee10466faf",
	"created_at": "2026-04-06T00:10:36.496858Z",
	"updated_at": "2026-04-10T03:20:18.372605Z",
	"deleted_at": null,
	"sha1_hash": "69d2ff8fccfca4202a5d65d8e3739951b3bd3558",
	"title": "Cybercrime loves company: Conti cooperated with other ransomware gangs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50742,
	"plain_text": "Cybercrime loves company: Conti cooperated with other\r\nransomware gangs\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:16:22 UTC\r\nSoftware developers often depend on the collective knowledge of the industry to build their products. Whether it's\r\nthrough reverse engineering, poaching talent, or straight up cloning things, developers often lean on this collective\r\nknowledge to build operating systems, social media services, messaging applications or many other kinds of\r\nsoftware.\r\nRansomware gangs are apparently no different. Thanks to the Conti Leaks, Intel 471 researchers found evidence\r\nthat the Conti ransomware group kept a close eye on other ransomware groups and borrowed some of their\r\ntechniques and best practices for its own operations. Intel 471 also observed the Conti group’s\r\naffiliates and managers cooperating with other gangs, which included the LockBit, Maze and Ryuk teams.\r\nFrom reworking encryption algorithms, to copying sections of ransom notes, to using developers that worked on\r\nseveral different kinds of ransomware, Intel 471 found that Conti’s operations were powered by information\r\ngleaned from competitors.\r\nRyuk\r\nThe Conti and Ryuk ransomware strains have widely been attributed to the same group, with Ryuk likely serving\r\nas a predecessor to Conti.\r\nThe metamorphosis of this strain has been debated for some time. Some research hypothesizes that Ryuk\r\nransomware operators initially joined the Conti team as its own division in order to use TrickBot to distribute\r\nRyuk, while others believe Conti was just a re-work of Ryuk.\r\nHowever the metamorphosis occurred, it’s clear from the Conti Leaks chats that top-level Conti operatives had\r\ndirect access to actors who were behind Ryuk. 
Intel 471 researchers found conversations tied to one of Conti’s\r\nsenior managers that contained multiple references to the group behind Ryuk.\r\nFor example, on June 23, 2020, the senior manager discussed a Bleeping Computer article where researchers\r\npointed at the Ryuk ransomware gang’s slowdown in operations. The manager told another top associate that the\r\nRyuk gang’s operations would soon return to normal (Ed. Note: Handles have been changed to mask true\r\nidentities):\r\n[Image: Conti Dialog image1]\r\nOn July 16, 2020, the two actors revealed their plans to use money earned from Ryuk ransomware campaigns to\r\ncover rent and other expenses (translated from Russian):\r\nhttps://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker\r\nPage 1 of 3\n\n[Image: Conti Dialog image2]\r\nOn Aug. 26, 2020, the two actors discussed compensation and recruitment issues pertaining to the Ryuk team\r\n(translated from Russian):\r\n[Image: Conti Dialog image3]\r\nThese chats, among others, show that high-level Conti managers were knowledgeable about Ryuk ransomware\r\noperations and most likely had direct access to the threat actors using it.\r\nMaze\r\nIntel 471 researchers found chats that revealed Conti’s alleged coder claimed to have copied features from Maze\r\nransomware while developing Conti.\r\nOn July 17, 2020, the head developer had a conversation with the senior manager, claiming to have changed\r\nConti’s cryptographic algorithm from the AES-256 block cipher to the ChaCha20 stream cipher, which increased\r\nencryption speed:\r\n[Image: Conti Dialog image4]\r\nOn July 8, 2020, another top developer communicated with the senior manager, claiming that a Maze ransomware\r\ndeveloper provided access to the group’s administrative panel.\r\n[Image: Conti Dialog image5]\r\nAlso in early July 2020, Conti group members revealed they used Maze ransomware as a temporary stopgap while\r\nConti was in development. 
(translated from Russian):\r\n[Image: Conti Dialog image6]\r\nA few weeks later, Conti was in steady use, becoming one of the most active ransomware strains in the latter half\r\nof the year.\r\nLockBit 2.0\r\nOur researchers found that in November 2021, two high-level Conti managers discussed a partnership with\r\nLockBit 2.0. The two managers apparently initially disagreed on the partnership’s details, later clarifying it in a\r\nleaked conversation:\r\n[Image: Conti Dialog image7]\r\nThis conversation lines up with what a LockBit 2.0 representative shared on an underground forum in April 2022,\r\nwhere they admitted that they had been in contact with Conti representatives primarily due to interest in using\r\nTrickBot.\r\nRagnar Locker\r\nOn Sept. 27, 2021, Conti’s open source intelligence (OSINT) team leader had a conversation that revealed he\r\nupdated the group’s ransom note by copying a portion of the text from the Ragnar Locker ransom note.\r\n[Image: Conti Dialog image8]\r\nHere is the comparison of what victims would get from each ransom note.\r\n[Image: Screen Shot 2022 04 27 at 2 29 26 PM]\r\nRansomware gangs do not operate in a vacuum. While each gang wants to make as much money as possible, there\r\nis a level of cooperation and partnership that each gang uses to ultimately boost their ill-gotten gains. While\r\nlegitimate companies are also profit-driven, they will often create partnerships or collaborate with each other as a\r\nway to be successful. 
Given all of the other ways ransomware gangs have followed a legitimate business model, it\r\nshould not be surprising that they would strike accords or lean on each other in order to make as much money as\r\npossible.\r\nSource: https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker"
	],
	"report_names": [
		"conti-ransomware-cooperation-maze-lockbit-ragnar-locker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69d2ff8fccfca4202a5d65d8e3739951b3bd3558.pdf",
		"text": "https://archive.orkl.eu/69d2ff8fccfca4202a5d65d8e3739951b3bd3558.txt",
		"img": "https://archive.orkl.eu/69d2ff8fccfca4202a5d65d8e3739951b3bd3558.jpg"
	}
}