{
	"id": "a83fae6b-35ff-49a1-9da4-8620ced1957b",
	"created_at": "2026-04-06T00:11:37.79812Z",
	"updated_at": "2026-04-10T03:33:15.460035Z",
	"deleted_at": null,
	"sha1_hash": "8bfef5d9a4efec142697a97c0c4bcf3be37f99a9",
	"title": "Conti gang threatens to dump victim data if ransom negotiations leak to reporters",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 187464,
	"plain_text": "Conti gang threatens to dump victim data if ransom negotiations\r\nleak to reporters\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-16 · Archived: 2026-04-05 13:45:57 UTC\r\nThe Conti ransomware gang has published a rare public statement today threatening hacked companies that they\r\nwill leak their stolen files if details or screenshots of the ransom negotiations process are leaked to journalists.\r\nThese ransom negotiations usually take place after Conti (or any other ransomware gang) breaches a company and\r\nencrypts their files. A ransom note is left on affected desktops, with instructions on how the victim could contact\r\nthe attackers.\r\nTypically, ransomware gangs prefer leaving an email address where the victim can reach out, but more often than\r\nnot, they provide a unique URL to a so-called \"payment site\" where victims are asked to log in and talk to the\r\nattackers via a web-based chat feature.\r\nIf an employee of the attacked company uploads a copy of the ransom note or the ransomware binary on malware-scanning portals like VirusTotal, the details included in these ransom notes, including links to the web-based chat\r\nfeature, can also be discovered by security researchers, who often access these negotiations pages and sometimes\r\nshare them on social media.\r\nOver the past few years, news outlets specialized in cybersecurity coverage have often worked with security\r\nresearchers to find links to these secret chats in files uploaded on VirusTotal.\r\nReporters then used the screenshots to reveal details about ransomware incidents — especially when the hacked\r\norganization wasn't forthcoming with such information in the first place.\r\nMost of these screenshots typically show a banal negotiations process between the ransomware gangs and the\r\nvictim, with the two working to agree on a final ransom fee, and then the ransomware gang sharing Bitcoin\r\naddresses where they ask for the payment.\r\nHowever, other screenshots have also shown information about the attack itself, how the victim was breached,\r\nwhat kind of data the attackers stole from the victim's network, threats against a victim and its employees, or how\r\ncompanies were trying to disguise payments to groups sanctioned by the US Treasury.\r\nToday, many ransomware gangs like to delude themselves that they are running a \"professional backup \u0026\r\nrecovery\" or \"penetration testing\" fantasy business. These leaked screenshots show the true nature of their actions,\r\nall being nothing more than a good old extortion scheme.\r\nConti angered by recent JVCKenwood negotiations leak\r\nhttps://therecord.media/conti-gang-threatens-to-dump-victim-data-if-ransom-negotiations-leak-to-reporters/\r\nPage 1 of 4\n\nAcross the years, screenshots from almost all ransomware gangs' negotiations have leaked on social media or have\r\nbeen shared with reporters.\r\nBut in a message posted on its blog today, the Conti gang said that it would not tolerate incidents where\r\nscreenshots of its negotiations process are leaked online anymore.\r\nAlthough no particularly \"damaging\" screenshot leak occurred, the Conti group cited its recent attack against\r\nJapanese electronics maker JVCKenwood as the reason it has taken this step. In Conti's own words, below:\r\nFor instance, yesterday, we have found that our chat with JVCKenwood whom we hit a week ago got\r\nreported to the journalists. Despite what is said in the article, the negotiations were going in accordance\r\nwith a normal business operation. However, since the publication happened in the middle of\r\nnegotiations it resulted in our decision to terminate the negotiations and publish the data. JVCKenwood\r\nhas been already informed. Moreover, this week we have once again spotted screenshots from our\r\nnegotiation chats circulating over social media.\r\nAs a result, the Conti gang said it is introducing new rules meant to penalize victims or security researchers who\r\nleak screenshots of its ransom negotiations chats to reporters:\r\n1. If we see a clear indication of our negotiations being sent to the media we will terminate the negotiations\r\nand dump all the files on our blog. We are the best team and you can google what estimated revenue we\r\nhave. This became possible only due to our outstanding reputation. Thus, if we need to sacrifice another 10\r\nmln to cut the negotiations but protect our name; don't doubt - we will do so.\r\n2. If we see our chats in public we will also dump your files. If this happens after the ransom is already paid\r\nby the target who shared our chats, we will dump somebody else's files as retaliation. We will not care if\r\nyou directly shared our chats with the media/researchers or if they extracted it from VirusTotal after you\r\nuploaded our samples there. Since, the security firms who share chats via their pocket journalists have no\r\nconcept responsibility, therefore, we will assign responsibility to the target who is in the chat. We are not\r\nadvocating collective responsibility via collective punishment, but if this is the only option we will do so.\r\nBut the reality of these new rules is that the Conti gang is trying to control the media coverage around its attacks.\r\nThe group is effectively trying to put the blame for failed negotiations and the subsequent data leaks on security\r\nresearchers and journalists — the only two categories of people who can find these chats in the first place —\r\ninstead of the actual attackers.\r\nWith the Biden administration having turned its attention to ransomware attacks, the Conti gang is desperately\r\ntrying to keep its name out of media coverage.\r\nIt's a clever use of whataboutism and intimidation from last month's second most prolific ransomware gang.\r\nRansomware gangs try to control narrative through press releases\r\nFurthermore, the Conti announcement is just the latest in a long series of press releases that ransomware gangs\r\nhave begun publishing on their blogs (leak sites) and underground forums this year.\r\nThrough simple two-sentence statements or long-winded announcements, various ransomware groups have\r\nannounced new rules for their \"operations.\"\r\nGroups like LockBit, Darkside, or BlackMatter have pledged not to attack critical infrastructure in an attempt to\r\nlift US political pressure against their operations but often broke their own rules for the sake of a big score.\r\nThe Ragnar_Locker gang also threatened to dump victims' data if they called law enforcement agencies, in\r\nanother brazen example of a gang trying to intimidate victims.\r\nIn addition, the Grief and DoppelPaymer gangs also threatened to wipe victims' servers if they used professional\r\nransomware negotiators, knowing that negotiators would warn the victim against paying the ransom because the\r\ntwo ransomware operations are effectively sanctioned by the US (via their associations with the Evil Corp\r\ncybercrime gang).\r\nAll of these are examples of how ransomware gangs try to intimidate victims and control their public image\r\naround their attacks. But the reality is that these rules mean nothing for the ransomware gangs, which have no\r\nqualms in breaking them for the sake of a big payment.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/conti-gang-threatens-to-dump-victim-data-if-ransom-negotiations-leak-to-reporters/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/conti-gang-threatens-to-dump-victim-data-if-ransom-negotiations-leak-to-reporters/"
	],
	"report_names": [
		"conti-gang-threatens-to-dump-victim-data-if-ransom-negotiations-leak-to-reporters"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bfef5d9a4efec142697a97c0c4bcf3be37f99a9.pdf",
		"text": "https://archive.orkl.eu/8bfef5d9a4efec142697a97c0c4bcf3be37f99a9.txt",
		"img": "https://archive.orkl.eu/8bfef5d9a4efec142697a97c0c4bcf3be37f99a9.jpg"
	}
}