{
	"id": "60561469-8554-4151-bb0b-a4e515f0f411",
	"created_at": "2026-04-06T00:13:28.333883Z",
	"updated_at": "2026-04-10T13:13:08.236772Z",
	"deleted_at": null,
	"sha1_hash": "8924101de43da5990b3d0ba6363e39044fada454",
	"title": "Conti Ransomware Group Diaries, Part I: Evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 763064,
	"plain_text": "Conti Ransomware Group Diaries, Part I: Evasion\r\nPublished: 2022-03-01 · Archived: 2026-04-05 20:43:33 UTC\r\nA Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.\r\nConti’s threatening message this week regarding international interference in Ukraine.\r\nhttps://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/\r\nPage 1 of 5\r\nConti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”\r\n“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.\r\nOn Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.\r\nThe Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.\r\n“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”\r\nGAP #1\r\nThe temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.\r\nOn Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that has regularly used Trickbot to deploy malware.\r\nOnce in control of Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.\r\nNews of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.\r\n“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”\r\n“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.\r\n“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum [version] number, and the bot is checking that the new config [version number] should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”\r\nIt would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.\r\n“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”\r\nOn October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”\r\nFollow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.\r\nGAP #2\r\nThe more recent gap in the Conti chat logs corresponds to a Jan. 26, 2021 international law enforcement operation to seize control of Emotet, a prolific malware strain and cybercrime-as-a-service platform that was used heavily by Conti. Following the Emotet takedown, the Conti group once again reorganized, with everyone forced to pick new nicknames and passwords.\r\nThe logs show Conti made a special effort to help one of its older members — Alla Witte — a 55-year-old Latvian woman arrested last year on suspicion of working as a programmer for the Trickbot group. The chat records indicate Witte became something of a maternal figure for many of Conti’s younger personnel, and after her arrest Conti’s leadership began scheming a way to pay for her legal defense.\r\nAlla Witte’s personal website — allawitte[.]nl — circa October 2018.\r\n“They gave me a lawyer, they said the best one, plus excellent connections, he knows the investigator, he knows the judge, he is a federal lawyer there, licensed, etc., etc.,” wrote “Mango” — a mid-level manager within Conti — to “Stern,” a much higher-up Conti taskmaster who frequently asked various units of the gang for updates on their daily assignments.\r\nStern agreed that this was the best course of action, but it’s unclear if it was successfully carried out. Also, the entire scheme may not have been as altruistic as it seemed: Mango suggested that paying Witte’s attorney fees might also give the group inside access to information about the government’s ongoing investigation of Trickbot.\r\n“Let’s try to find a way to her lawyer right now and offer him to directly sell the data bypassing her,” Mango suggests to Stern on June 23, 2021.\r\nThe FBI has been investigating Trickbot for years, and it is clear that at some point the U.S. government shared information with the Russians about the hackers they suspected were behind Trickbot. It is also clear from reading these logs that the Russians did little with this information until October 2021, when Conti’s top generals began receiving tips from their Russian law enforcement sources that the investigation was being rekindled.\r\n“Our old case was resumed,” wrote the Conti member “Kagas” in a message to Stern on Oct. 6, 2021. “The investigator said why it was resumed: The Americans officially requested information about Russian hackers, not only about us, but in general who was caught around the country. Actually, they are interested in the Trickbot, and some other viruses. Next Tuesday, the investigator called us for a conversation, but for now, it’s like [we’re being called on as] witnesses. That way if the case is suspended, they can’t interrogate us in any way, and, in fact, because of this, they resumed it. We have already contacted our lawyers.”\r\nIncredibly, another Conti member pipes up in the discussion and says the group has been assured that the investigation will go nowhere from the Russian side, and that the entire inquiry from local investigators would be closed by mid-November 2021.\r\nIt appears Russian investigators were more interested in going after a top Conti competitor — REvil, an equally ruthless Russian ransomware group that likewise mainly targeted large organizations that could pay large ransom demands.\r\nOn Jan. 14, 2022, the Russian government announced the arrest of 14 people accused of working for REvil. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown was part of a cynical ploy to assuage (or distract) public concerns over Russian President Vladimir Putin’s bellicose actions in the weeks before his invasion of Ukraine.\r\nThe leaked Conti messages show that Trickbot was effectively shut down earlier this month. As Catalin Cimpanu at The Record points out, the messages also contain copious ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident (and indeed had paid Conti to ensure their silence). In addition, there are hundreds of bitcoin addresses in these chats that will no doubt prove useful to law enforcement organizations seeking to track the group’s profits.\r\nIf you enjoyed this story, please consider reading Part II: The Office, which is about what it’s like to work for Conti, told through the private messages exchanged by Conti employees working in different operational units. Part III: Weaponry looks at how Conti abused a panoply of popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims. Part IV: Cryptocrime examines different schemes Conti pursued to invest in and steal cryptocurrencies.\r\nSource: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/"
	],
	"report_names": [
		"conti-ransomware-group-diaries-part-i-evasion"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8924101de43da5990b3d0ba6363e39044fada454.pdf",
		"text": "https://archive.orkl.eu/8924101de43da5990b3d0ba6363e39044fada454.txt",
		"img": "https://archive.orkl.eu/8924101de43da5990b3d0ba6363e39044fada454.jpg"
	}
}