{
	"id": "0774cd6a-0460-4999-a881-22ccbb6cdd6f",
	"created_at": "2026-04-06T00:19:28.06108Z",
	"updated_at": "2026-04-10T03:20:21.063027Z",
	"deleted_at": null,
	"sha1_hash": "af5e0bcf348a25cb90ed04971c7e039290db7236",
	"title": "Conti Ransomware V. 3, Including Decryptor, Leaked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77390,
	"plain_text": "Conti Ransomware V. 3, Including Decryptor, Leaked\r\nBy Lisa Vaas\r\nPublished: 2022-03-21 · Archived: 2026-04-05 22:45:04 UTC\r\nThe latest leak is a newer version of the ransomware than the one pro-Ukraine researcher ContiLeaks had already\r\nreleased, but it’s reportedly clunkier code.\r\nPro-Ukraine security researcher @ContiLeaks yesterday uploaded a newer version of Conti ransomware than\r\nthey had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal.\r\nContiLeaks posted a link to the code on Twitter. The code includes a compiled locker and decryptor, according to\r\nvx-underground, which has been archiving the leaks.\r\nThe archive is password-protected, but the password is easy to figure out, according to replies to ContiLeaks’\r\nrelease.\r\nContiLeaks followed up a few hours later by thumbing their nose at the pro-Russia law enforcement that the\r\nresearcher said is looking for them in the UA – in other words, in Ukraine.\r\n“i can tell you good luck mf!” ContiLeaks tweeted, using another acronym that probably doesn’t need explaining.\r\nCrap Code?\r\nThe code is apparently legitimate.\r\nBleepingComputer compiled the newly released source code for Version 3 of Conti ransomware without any\r\nissues, successfully creating the gang’s executables for encrypting and decrypting files.\r\nBut just because it works doesn’t mean it’s an improvement, some said.\r\nAfter analyzing the source code, Payload – a Polish magazine about offensive IT security – dismissed Version 3\r\nas being a “giant step back” from Version 2 in terms of code quality.\r\nMaybe the changes between versions were done by a flunky dev, Payload suggested in its response to vx-underground. “We analyzed it. There is […] very little improvement, and giant step back in terms of source code\r\nquality. 
Most probably these changes were made by someone other than the original developer.”\r\nFor those who are combing through Conti code, you’re better off sticking with the “cleaner” 2.0, Payload\r\nsuggested. “But definitely: if anyone wants to learn anything from this code, please move to Conti 2.0, it’s a lot\r\ncleaner and overall better to start with,” Payload said.\r\nhttps://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/\r\nPage 1 of 3\n\nRoss Williams, director of digital forensics and incident response (DFIR) at managed detection and response\r\n(MDR) services provider CRITICALSTART, told Threatpost on Monday that from a DFIR perspective, these\r\nleaks give security professionals and responders “insight into the gang’s tactics, techniques and procedures as well\r\nas indicators of compromise.” The information enables them “to identify a breach or infection more quickly and to\r\nthereby slow the spread of ransomware,” Williams said via email.\r\nIt also gives anyone with the motivation and skill set to penetrate a network the tools they need to create their own\r\nransomware gang: the criminally inclined can just use the Conti software along with its training manuals, which\r\nwere also leaked, noted BreachQuest Head of Product Marco Figueroa.\r\nWith all this access to Conti code, tools and tactics, attributing an attack to “Conti” could soon mean little more\r\nthan “your guess is as good as mine.”\r\n“I believe the only way to verify that a victim was hit with ‘Sterns Conti gang’ is by tracking the payment to\r\nbitcoin addresses,” Figueroa said. 
“Stern” is a reference to the name used by one of the Conti group’s top\r\nmanagers.\r\nThe Conti Gutting Continues\r\nThis is just the latest in a series of leaks following ContiLeaks’ promise to eviscerate the Conti group – a promise\r\nof revenge that followed Conti’s having pledged support for the Russian government over its invasion of Ukraine.\r\nContiLeaks’ earlier spills included an older version of Conti ransomware source code – one that dated to Jan. 25,\r\n2021. Version 3.0 – the one released on Sunday – is over a year newer.\r\nIn earlier leaks, ContiLeaks also divulged source code for TrickBot malware, a decryptor and the gang’s\r\nadministrative panels, among other core secrets.\r\nThe leaks – an act of revenge wrought upon the cybercrooks who’ve sided with Russia in the war (one among the\r\nthousand cuts that have been bleeding Russia as cybercrooks take sides) – have also included nearly 170,000 chat\r\nconversations between the Conti ransomware gang members, covering more than a year from January 2021\r\nthrough February 2022.\r\nIt’s a treasure trove that researchers have spent weeks poring over, discovering the inner workings of the\r\nextortionists’ dark business, its top brass and far more.\r\nFor example, a clear picture of Conti company culture has arisen from the leaks. For one thing, it’s run like a legit\r\nhigh-tech company, offering bonuses, employee-of-the-month and other such benefits, researchers say. Chat logs\r\nalso have shown that bored top management have mulled working on something new: say, Conti’s own altcoin\r\nalternative to Bitcoin.\r\nNew Conti Affiliate Discovered\r\nIn related news, on Monday, eSentire’s Threat Research Unit (TRU) published a report about a new Conti affiliate\r\ngroup. 
The report details new accounts, specific IP addresses, domain names and Protonmail email accounts\r\nlinked to the affiliate, indicators of compromise that organizations should address immediately, an overview of\r\nattack vectors, and how the affiliate is – like so many criminals – abusing the Cobalt Strike intrusion framework\r\nfor attack purposes.\r\neSentire’s report details one such Cobalt Strike incident, nicknamed ShadowBeacon, in which Cobalt Strike\r\nBeacon payloads were deployed from the domain controllers via PsExec, a legitimate Sysinternals admin tool for\r\nexecuting binaries on remote hosts.\r\nTogether with BreakPoint Labs (BPL), TRU observed threat actors leveraging the Cobalt Strike infrastructure to\r\nattack seven different U.S. companies between 2021 and 2022. According to eSentire, victims included companies\r\nin the financial, environmental, legal and charitable sectors.\r\n“The Windows logs revealed that the threat actor had been able to register their own virtual machine on the victim\r\norganization’s network,” the report noted, “using it as a pivot to their actual, exterior [command-and-control, aka\r\nC2, server].”\r\nData in Motion Most at Risk in Ransomware Attacks\r\nTo protect against ransomware, Rajiv Pimplaskar, CEO of the VPN company Dispersive Holdings, told\r\nThreatpost on Monday that organizations should look beyond protecting data at rest, the data that gets locked up\r\nin a ransomware attack. 
“Information is most vulnerable for a data breach or malware infection”\r\nwhen it’s in motion, the CEO cautioned.\r\n“Network resources are prime targets for Ransomware as a Service (RaaS) actors as they can be ideal vectors for\r\ninsider threats, code and injection attacks, Man In The Middle (MITM), privilege escalation as well as lateral\r\nmovement,” Pimplaskar said via email.\r\nPimplaskar suggested that, beyond establishing proper access control and device posture checking to prevent\r\nunauthorized access, “network security must also be bolstered with advanced capabilities such as managed\r\nattribution and active data multi-pathing. These capabilities obfuscate network soft targets as well as keep data\r\nsecure from hostile detection and interception.”\r\n032122 14:90 UPDATE: Added input from Ross Williams.\r\n032122 16:43 UPDATE: Added input from Marco Figueroa.\r\n032122 18:05 Corrected explanation of UA: It is, in fact, the two-letter acronym for Ukraine.\r\nSource: https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/"
	],
	"report_names": [
		"179006"
	],
	"threat_actors": [],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af5e0bcf348a25cb90ed04971c7e039290db7236.pdf",
		"text": "https://archive.orkl.eu/af5e0bcf348a25cb90ed04971c7e039290db7236.txt",
		"img": "https://archive.orkl.eu/af5e0bcf348a25cb90ed04971c7e039290db7236.jpg"
	}
}