{
	"id": "7fe23619-faf4-4720-824d-e0f73e40f9ee",
	"created_at": "2026-04-06T00:11:18.922167Z",
	"updated_at": "2026-04-10T13:12:58.951488Z",
	"deleted_at": null,
	"sha1_hash": "b14b7f53f625fc0f9f8d5be4b65e74c76b824e38",
	"title": "Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40829,
	"plain_text": "Ransomware gang Conti has already bounced back from damage caused by chat leaks, experts say\r\nBy Suzanne Smalley\r\nPublished: 2022-03-07 · Archived: 2026-04-05 15:16:38 UTC\r\nA Twitter account known as ContiLeaks debuted to much fanfare in late February, with people around the globe watching as tens of thousands of leaked chats between members of the Russia-based ransomware gang Conti hit the web.\r\nIn the days after the leaks, many celebrated what they thought would be a devastating blow to Conti, which a Ukrainian security researcher had apparently punished by leaking the internal chats because the gang threatened to “strike back” at any entities that organized “any war activities against Russia.”\r\nBut ten days after the leaks began, Conti appears to be thriving.\r\nExperts say the notorious ransomware gang has pivoted all too easily, replacing much of the infrastructure that was exposed in the leaks while moving quickly to hit new targets with ransom demands. According to Vitali Kremez, CEO of the cybersecurity firm AdvIntel, by Monday morning Conti had successfully completed two new data breaches at U.S.-based companies.\r\n“Conti is back and still operational and will pursue more targets,” Kremez said. “They’re safe and sound.”\r\nKremez and other experts said that in the days after the chats first leaked on Feb. 27, Conti may have been back on its heels, but it was never fully disabled. The gang’s leadership made a significant effort in the early days following the leaks to move the infrastructure exposed in the hacks to new systems, which slowed down ransomware activity initially, experts said. That interregnum has come to an end.\r\nAllan Liska, a threat analyst at Recorded Future, said that because so many victims do not disclose ransomware attacks it is hard to know if Conti was totally inactive in the first few days after the leaks, but he said his firm had “definitely noticed a slowdown” in activity from Conti.\r\nLiska said nothing was posted to Conti’s extortion sites — where the gang publicizes data belonging to victims who don’t pay ransoms — for a few days after the leaks began. However, Liska said Conti doesn’t post daily to the site even in normal circumstances, so it is hard to know for sure if the two events are linked.\r\nThe threat analysis community has been buzzing about Conti’s increasing network activity in the past few days, Liska said. While Liska was unaware of the new data breaches disclosed by Kremez, he said he has heard about a recent increase in “attempted breaches or phishing emails being sent, things like that, that are indicative that they’re [Conti] still trying to gain access.”\r\n“The botnet and the command and control activity is starting to tick back up,” Liska said.\r\nhttps://www.cyberscoop.com/ransomware-gang-conti-bounced-back/\r\nPage 1 of 3\r\nMuch of Conti’s infrastructure was down in the initial days after the chats leaked — at least 25 different servers were exposed in the leaks, according to Liska, and those remain down. But Liska said Conti’s “command and control” server is very large and not all of it has fallen.\r\nLiska said he estimates that Conti has between 50 and 100 servers running at any time, making the 25 or so that have been taken down a survivable injury. In recent days, Liska said, Conti has used the same software that powered the old infrastructure and simply moved everything to new Internet Protocol addresses.\r\nA history of resilience\r\nMany experts said they are unsurprised by Conti’s staying power. As a collective whose members are highly skilled and anonymous even to each other, nothing short of a law enforcement takedown will truly put them out of business, experts said.\r\nJohn Shier, a senior security adviser at the hardware and software security firm Sophos, said that other ransomware collectives have bounced back from seemingly devastating blows.\r\n“Whenever one of these groups gets disrupted, the temptation is to celebrate a little bit, but there’s always going to be that okay, well, what’s next?” Shier said. “Where are they going to pop up next, under what kind of new model potentially are they going to pop up? Because these groups can be fairly resilient.”\r\nShier said Conti’s bitcoin wallet reportedly had about $2 billion in it, a figure he called “staggering.” It’s also a figure that compels groups like Conti to rise from the dead. Emsisoft threat analyst Brett Callow put it bluntly: Ransomware, he said, is “so massively profitable it isn’t going to go away quickly or easily.”\r\nLiska and Shier agreed on one thing that will likely change as a result of the leaks: Cybercriminals may be more careful about taking on as many affiliates as they have in the past, to counter security risks. In the affiliate ransomware model, gangs loan their malware to other hackers in exchange for a share of profits.\r\nThe Conti chat leaker is known to be a Ukrainian security researcher and not an affiliate, according to Kremez. But seeing the ease with which the Conti chats were leaked, as well as the damage they caused, will doubtlessly cause more gangs to think twice about sharing sensitive information with far-flung affiliates whom they don’t know as well as core gang members, Shier and Liska predicted.\r\nShier said he was struck by the fact that nearly 70 people participated in one of the Conti chats.\r\n“That’s a lot of people and not all of them were likely to be Russian citizens living in Russia,” Shier said. “If the people who are the principals behind Conti believe in their geopolitical agenda of supporting Russia, and they want to prevent others who don’t share that view within their group from causing harm to the group, I can only see them severing ties with them. They can still be successful without affiliates — they just won’t make as much money.”\r\nEven if Conti sheds affiliates and scales down in response to the leaks, the gang won’t be put out of business until the Russian government pursues criminal charges or allows the U.S. government to do so, experts said.\r\n“The core members that are in Russia are going to be insulated from any kind of prosecution or anything that comes from outside of Russia,” Shier said. “Nothing will be the end of them until the Russian government allows them to be investigated and prosecuted.”\r\nShier said it is possible Conti will rebrand under another name, but the group will live another day with the same leadership it has now.\r\n“I don’t see there being any kind of incentive for the Russian government to do anything with them right now,” Shier said.\r\nJust Monday, Shier said, Conti posted four new data dumps on its extortion site from entities which didn’t pay ransoms. There were other data dumps posted on Saturday and Sunday, he said.\r\nKremez said Conti may lose some members, but they will revamp and come back stronger because they “learn from mistakes.”\r\nKremez said that in some ways the leaked chats will hurt the effort to snuff out Conti. He said he expects gang members will change aliases so they will be more difficult to track. The gang will update its infrastructure. It will cut affiliates who are deemed too risky.\r\n“They will reemerge more powerful and better than ever and more bulletproof,” Kremez said. “They will adapt, they will improve, some members will relocate. But they [Conti] will definitely not be pushed out of the market.”\r\nSource: https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/"
	],
	"report_names": [
		"ransomware-gang-conti-bounced-back"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b14b7f53f625fc0f9f8d5be4b65e74c76b824e38.pdf",
		"text": "https://archive.orkl.eu/b14b7f53f625fc0f9f8d5be4b65e74c76b824e38.txt",
		"img": "https://archive.orkl.eu/b14b7f53f625fc0f9f8d5be4b65e74c76b824e38.jpg"
	}
}