{
	"id": "1c6fb232-26eb-4aa0-92db-3174ad790431",
	"created_at": "2026-04-06T00:13:42.758212Z",
	"updated_at": "2026-04-10T03:36:11.166586Z",
	"deleted_at": null,
	"sha1_hash": "c122408390cd14b627c3fc7ddd93f8086edcf832",
	"title": "TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider | TRM Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1642811,
	"plain_text": "TRM Analysis Corroborates Suspected Ties Between Conti and\r\nRyuk Ransomware Groups and Wizard Spider | TRM Blog\r\nArchived: 2026-04-05 20:22:13 UTC\r\nKey Findings\r\nAn analysis of leaked private messages of Conti group members, open-source reporting, and on-chain\r\ninvestigations of salary-related addresses by TRM investigators indicates ties between two ransomware groups,\r\nConti and Ryuk. Both Conti and Ryuk also appear to be part of the Wizard Spider cybercriminal group, and are\r\nresponsible for the TrickBot botnet. \r\nNot only do on-chain investigations indicate funds for salary paid by a Conti core member were derived\r\nfrom a known Ryuk ransomware address, similarities in code and other factors suggest that Conti is a\r\nrebranding of the Ryuk ransomware. Such a tactic of rebranding is widely known to be used by\r\nransomware syndicates to cover their tracks as described by BleepingComputer.\r\nOn February 27, 2022, an individual with apparent inside access to Conti’s infrastructure leaked nearly\r\n160,000 messages from internal chats and other data shedding light on more than a year of Conti’s\r\noperations, uncovering the syndicate’s ecosystem as well as hundreds of crypto addresses used to extort\r\nvictims and fund the group's activities. Authentication of leaks as having come from Conti infrastructure\r\nwas confirmed by the threat intelligence community including TheRecord.\r\nThe leak was sparked by Conti’s official statement on February 25, 2022, announcing full support to the\r\nRussian State and threatening the world with offensive operations if any Russian infrastructure is attacked\r\nas a possible response to Russia’s invasion of Ukraine.\r\nBackground\r\nRyuk ransomware, which was active from mid-to-late 2018, was responsible for a high number of ransomware\r\nattacks resulting in millions of USD in losses. 
For several years, the threat intelligence community has suspected\r\nthat both Ryuk and Conti ransomware were operated by a single group identified as Wizard Spider by\r\nCrowdStrike based on the similarities in code and other factors. \r\nAfter Ryuk’s suspected rebrand to Conti in approximately May of 2020, the ransomware continued becoming\r\neven more destructive, eventually merging with the group running the TrickBot botnet at the end of 2021\r\naccording to threat intelligence firm AdvIntel. TrickBot initially emerged in 2016 as a banking Trojan designed to\r\nsteal user credentials and personally identifiable information (PII). The prolific botnet then expanded its\r\ncapabilities to credential harvesting, crypto mining, and gaining a foothold into the victims’ systems to deploy\r\nransomware. \r\nTrickBot and Wizard Spider’s Ryuk business relationships first followed a BaaS (Botnet-as-a-Service) model and\r\ngrew to a partnership after Ryuk’s rebranding to Conti. Working with TrickBot, Conti quickly became one of the\r\nhttps://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider\r\nPage 1 of 6\n\nmost profitable and prolific ransomware syndicates. Threat researcher Jack Cable, who runs the crowdsourcing\r\nransomware site ransomwhe.re, estimated Conti as being the most profitable group through mid-2021. \r\nImage Source: TRM Labs\r\nConti Supports Russia, Issues Threats \r\nAccording to the chatter observed on top-tier dark-web forums, the Russian invasion of Ukraine and the ongoing\r\nmilitary conflict have split the Russian-speaking cybercriminal community. In dark web chatter, many\r\ncybercriminals, including ransomware threat actors, voiced support for a particular side, while others, like\r\nLockBit2.0, tried to maintain a level of neutrality. 
On February 25, 2022, Conti openly voiced its support for the\r\nRussian State and posted a threat to the “Western world” on its official extortion site, stating it would strike back\r\nwith offensive operations if any Russian infrastructure is attacked. \r\nSource: Conti’s Extortion Site\r\nShortly after Conti’s official statement, on February 27, 2022, an individual with apparent inside access to Conti’s\r\ninfrastructure leaked purported internal chat logs consisting of nearly 160,000 messages via Twitter, shedding light\r\non more than a year of Conti’s operations. The individual who leaked the chats claimed in online tweets to be\r\ndoing so in retaliation for Conti’s support of the Russian invasion of Ukraine. The leak also included hundreds of\r\ncrypto addresses, which appear to have been used in the group’s illicit activity to extort victims and pay for\r\nservices such as the salaries of the group’s members. Authentication of leaks as having come from Conti\r\ninfrastructure was confirmed by the threat intelligence community including TheRecord.\r\nConnecting Wizard Spider, Conti, and Ryuk\r\nAn analysis of the Conti leaks, specifically information within the leaked messages related to salary payments, as\r\nwell as the on-chain flow of funds, revealed unique insights into the operation of Wizard Spider. TRM analysts\r\nfound that, unlike most ransomware syndicates, Conti implements a model of wage-based employees in addition\r\nto the percentage-based affiliate model used by traditional RaaS (Ransomware-as-a-Service) groups. \r\nTRM on-chain analysis corroborated payments discussed on July 14, 2020; the chats show actors “Salamandra”,\r\nthe threat actor in charge of Conti’s HR, and “Stern”, a senior Wizard Spider team member, discussing a potential\r\ncandidate for hire, called \"bonen\". 
bonen, a coder with 20 years of experience, was hired with a salary of 150,000\r\nRubles per month (approximately $2,112 USD at the time). In addition, bonen was paid 15,000 Rubles\r\n(approximately $207 USD) for completing a test assignment. This transaction was also confirmed by TRM on-chain analysis. \r\nThe on-chain investigation also confirmed a transfer of $85,000 USD from Stern to a team lead on one of the\r\nConti teams operating under the alias “Mango.” The transfer was made to pay for the salary of Mango’s team.\r\nMango requested the transfer from Stern on July 19, 2021, according to the leaks, so that the funds could then be\r\nsplit across the team of nearly 100 people consisting of pentesters, coders, OSINT investigators, and reverse\r\nengineers. Some of the funds were also set aside for payments for servers and test assignments for new hires\r\naccording to the chats between Stern and Mango.\r\nSource: TRM Labs\r\nFurther investigation identified that the funds for the aforementioned payment from Stern to Mango were derived\r\nfrom a known Ryuk ransomware address reported by CrowdStrike in January of 2019. This financial transaction\r\nappears to confirm the long-suspected ties between Ryuk and Conti and underscores the widely adopted tactic of\r\nrebranding by ransomware syndicates to cover their tracks, described by BleepingComputer. However, despite the\r\nrebranding, the cryptocurrency financial transactions carried out by the groups leave a trail, which can be\r\nuncovered, as TRM shows. \r\nSource: TRM Labs\r\nThe chats further revealed that Wizard Spider is also working on putting together a team that will attempt to\r\ndevelop an internal Blockchain platform and its own token to circumvent cryptocurrency tracking by law\r\nenforcement and researchers. 
\r\n“We want to create our own cryptosystem such as etherium, polkadot, and binance smart chain,” Stern said to\r\ntheir team members on June 28, 2021. “We need to study the principles, code, and other things to be able to build\r\non. And then, we will be able to integrate NFT, DEFI, DEX, and all the existing and upcoming trends,” they\r\nadded.\r\n“Do we think that any of us are gurus of Blockchain and trends? Anyone has any idea the direction we can take to\r\ndevelop it?”, Stern continued on July 8, 2021. Stern’s crypto aspirations were met with less enthusiasm from other\r\nthreat actors such as Mango: “This is a great idea, but very complicated at the same time. Let’s be realistic, we\r\ncan’t handle it on our own with so little experience and resources.”\r\nDespite the fact that the Blockchain project still has not been developed, the threat actors’ interest in expanding\r\ninto the cryptocurrency and the DeFi space does raise significant concern. Based on the chats, the overall goal for\r\nWizard Spider is to create a threat actor-friendly blockchain product. TRM assesses with a high level of\r\nconfidence that such a product would provide an additional stream of revenue as well as an internally controlled payment\r\nenvironment for the cybercrime underground. \r\nWizard Spider Likely to Remain a Threat\r\nTRM assesses that Wizard Spider will continue to be a significant threat despite recent setbacks, notably the\r\nphasing out of their long-used TrickBot tool at the beginning of February due to its high detection rate, followed by the\r\nleak of Conti’s internal information. Wizard Spider quickly resumed their operations, posting its first victim on\r\nMarch 2, 2022, on their extortion site. As of March 23, 2022, the syndicate published 41 victims in total with 22\r\nof them being US entities. These victims are likely to have been breached by Wizard Spider before the leak and it\r\nis unclear if the syndicate was able to obtain access to any new victims since then. 
Based on tracking the continued level of activity and messages posted by Wizard Spider, TRM analysts assess that\r\nthe group is likely to fully restore their operational capacity in the near future and will continue to run their\r\noperations under the same name and not rebrand. Unlike several other major ransomware operations, which have\r\nstated publicly and on the dark web that they do not target critical infrastructure, Conti/Ryuk has continued to\r\ntarget the healthcare system even during the COVID-19 pandemic as noted in the Health \u0026 Human Services\r\nreport “Conti Ransomware and the Health Sector.” \r\nProprietary source reporting has indicated that several other ransomware groups have struggled to keep up with all\r\nof the entities they have gained access to or to develop an effective pipeline of accesses, due to a lack of\r\nemployees such as programmers, negotiators, and others. Conti’s focus on hiring can be seen as evidence of\r\nConti’s efforts to be able to run their operation on an industrial scale, bringing things like gaining access and\r\ndistribution of the malware in house, allowing them to net hundreds of millions in victim payments over the years,\r\nbased on TRM analysis.\r\nConti’s hiring process consists of an interview and a test assignment to measure the candidate’s skill level. In\r\norder to attract new employees, “Salamandra”, the threat actor in charge of the group’s HR, utilizes many available\r\nresources, from dark web forums to the Russian commercial job posting site hh[.]ru.\r\nImage: Russian commercial job posting site hh[.]ru\r\nBased on the chats, the average salary for threat actors is nearly $2,000 USD a month. 
While that salary is nearly\r\ntwo times higher than the average salary in the IT industry in Russia according to salaryexplorer[.]com, the\r\ncompensation can seem low when compared to the millions of dollars in payments that Wizard Spider received\r\nfrom its victims. The ability to spend a relatively small percentage of their income on salaries may be one of the\r\nreasons the core members of Wizard Spider preferred to work with full-time employees as opposed to the profit-sharing ransomware-as-a-service that most other ransomware groups currently prefer. \r\nOutlook\r\nTRM is monitoring the discussion of the leaked chats on the dark web to get a sense of the opinions of other threat\r\nactors about the arrangement. In the past, programmers on the dark web have leaked the source code for malware\r\nin retaliation when they felt that they had not been paid a sufficient percentage of the profit it generated, as\r\nhappened in the case of the Buhtrap leak according to proprietary sources.\r\nThe research done by TRM analysts demonstrates how critical tracking the flow of funds can be in understanding\r\nthe operation of cybercriminal organizations. Although cryptocurrency has made it possible for ransomware to run\r\nsuccessful operations for years and provides a high level of return on investment for threat actors’ efforts, TRM’s\r\nblockchain analytics tool allows investigators to follow the flow of funds and uncover valuable intelligence that\r\nhelps to connect the dots. 
TRM continues to monitor Wizard Spider’s activity both on and off-chain to help\r\nmitigate the risk posed by Conti ransomware.\r\nConsidering Wizard Spider’s statement on supporting the Russian State and sharing its political agenda, and their\r\npast willingness to target critical infrastructure, the syndicate might also pose a risk to national security due to its\r\nlevel of sophistication.\r\nAbout TRM Labs\r\nTRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public\r\nagencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management\r\nplatform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP\r\ndue diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of\r\norganizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.\r\nTRM is based in San Francisco, CA, and is hiring across engineering, product, sales, and data science. 
To learn\r\nmore, visit www.trmlabs.com.\r\nTo report a lead to Global Investigations, email us at investigations@trmlabs.com.\r\nSources:\r\nhxxps://www[.]zdnet[.]com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/\r\nhxxps://www[.]bleepingcomputer[.]com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/\r\nhxxps://therecord[.]media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/\r\nhxxps://www[.]techrepublic[.]com/article/top-5-ransomware-operators-by-income/\r\nhxxps://www[.]bleepingcomputer[.]com/news/security/us-targets-darkside-ransomware-and-its-rebrands-with-10-million-reward/\r\nhxxps://www[.]hhs[.]gov/sites/default/files/conti-ransomware-health-sector.pdf\r\nSource: https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider"
	],
	"report_names": [
		"analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c122408390cd14b627c3fc7ddd93f8086edcf832.pdf",
		"text": "https://archive.orkl.eu/c122408390cd14b627c3fc7ddd93f8086edcf832.txt",
		"img": "https://archive.orkl.eu/c122408390cd14b627c3fc7ddd93f8086edcf832.jpg"
	}
}