{
	"id": "2d940c39-7859-49fe-81f5-d72922bba291",
	"created_at": "2026-04-06T00:11:09.761877Z",
	"updated_at": "2026-04-10T03:36:13.856246Z",
	"deleted_at": null,
	"sha1_hash": "c46f996144c8691370651f32d21164f0fa39e8a2",
	"title": "Conti puts the ‘organized’ in organized crime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43460,
	"plain_text": "Conti puts the ‘organized’ in organized crime\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 15:40:38 UTC\r\nCombing through business intelligence platforms to find new prospects. Deciding whether to focus on huge\r\nmultinational companies or small- and medium-sized businesses. Finding the right person to contact in the\r\norganization. Developing a script that will land information that’s critically needed for success.\r\nThe above scenario is one that may seem familiar to anyone that works in sales. However, this set of actions has\r\nalso been adopted by organizations which make money by less conventional means, particularly criminals who are\r\nresponsible for ransomware attacks.\r\nDue in part to the leak of information tied to the Conti ransomware group, Intel 471 was able to piece together the\r\ninner workings of the notorious criminal syndicate. With this information, researchers were able to understand\r\nhow Conti conducted its actions, which often mirrored processes used by countless legitimate businesses.\r\nIntel 471 discovered communications tied to one division of Conti which had its own dedicated mission. This\r\nteam was responsible for collecting information on targets for ongoing and future attacks, drafting phishing scripts\r\nthat were used over the phone and sent via email, and applying multiple forms of pressure in the course of\r\nransomware negotiations. The team had access to several open-source intelligence (OSINT) and business\r\nintelligence tools, as well as a legal “expert” who provided advice on how to threaten victims with litigation or\r\nofficial complaints that would be sent to government authorities. 
In chats found by Intel 471 researchers, some\r\nteam members were unaware they were working for criminals, instead believing they worked for a company\r\nproviding competitive intelligence to their customer base.\r\nTeam Building!\r\nThe division, known inside Conti as the “Fire Team,” started in July 2021 as a way for the gang to invent cover\r\nstories for phishing phone calls to targeted personnel, as well as randomize spam letters to potential victims. By\r\nNovember 2021, the team consisted of 10 people, who prepared operational and revenue reports on potential\r\ntargets. The team leader allegedly made US $3,000 per month while members were paid US $2,000 per month. In\r\naddition to their salary, team members also received a one percent cut of any ransom they helped negotiate. While\r\nransom cuts were disbursed via cryptocurrency, some salaries were paid via prepaid bank cards.\r\nDespite initially being stood up to do reconnaissance on future targets, the team started ransomware negotiations\r\nas more members were brought on board.\r\nI'm going to need those TPS reports... ASAP\r\nThe reports put together by the team contained general information on targeted companies that included\r\noperations and revenue. However, the team focused heavily on the target’s personnel. The reports were required to\r\ninclude phone numbers, email addresses and social media accounts of the company’s leadership, mid-level\r\nhttps://intel471.com/blog/conti-leaks-cybercrime-fire-team\r\nPage 1 of 3\n\nemployees, and some information technology personnel. 
Leaders requested contact information of at least 20\r\npersonnel per report, with encouragement to focus on female employees.\r\nSome people were also tasked with collecting open-source information on a target’s network infrastructure, following\r\ndirections that included:\r\nInternet domains\r\nWHOIS data like IP notations, domain registrar, age, and who purchased the domain.\r\nSubdomains, with IP addresses if possible\r\nSSL certificates in raw format, open TCP ports, and vulnerabilities found using OSINT tools\r\n“Remember, any information about the company may be useful for its competitor (our client), therefore, do not\r\ndisregard any nuances that may seem insignificant at first glance. We need EVERYTHING!” a team leader posted\r\nin a Russian-language chat discovered by Intel 471 researchers.\r\nThe team apparently used several tools and subscription-based services to gather the information required.\r\nThose most frequently mentioned included the SignalHire contact information platform, the SpiderFoot OSINT\r\ntool and the Shodan search engine. Another team member brought on in November 2021 apparently also had\r\naccess to a paid version of the ZoomInfo business intelligence platform.\r\nCompanies that made the cut\r\nIn the early stages of standing up the division, the higher-level leaders of Conti asked for draft reports on a variety\r\nof high-profile technology, pharmaceutical and finance industry companies. However, a month later, the team\r\nchanged direction, focusing on organizations in the aerospace, chemical, defense, energy, hospitality and medical\r\nequipment industries, particularly those with an annual revenue from US $500 million to US $5 billion.\r\nAs affiliates launched attacks, reconnaissance assignments changed. 
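The infrastructure checklist the team was handed (domains, WHOIS, subdomains, certificates, open ports and the findings of OSINT tools) is the same list a defender can walk over their own estate to see what an outside collector sees. The script below is an added example, not code from the Intel 471 post or from any of the tools it names: it runs that checklist offline over constructed inventory records (the netblock, domain, WHOIS contact, subdomains, certificate SANs and port banners are all made up for the example, and the record shapes are assumptions rather than any tool's real output format) and returns the findings a Fire Team-style collector would have been happiest to see, ranked by severity.

```python
# Added example (not from the Intel 471 post): a defender-side pass over the
# same checklist the Fire Team was told to collect, run against records the
# defender already holds. Every record below is constructed for the example;
# the shapes loosely resemble what OSINT tools emit but are not any tool's
# real output format.
from datetime import date
from ipaddress import ip_address, ip_network

# Services a recon team reads as a foothold or as a pretext for a phishing call.
RISKY_PORTS = {21: 'ftp', 23: 'telnet', 445: 'smb', 3389: 'rdp', 5900: 'vnc'}

# Constructed: address space the organization actually owns (TEST-NET-3).
ORG_NETBLOCKS = [ip_network('203.0.113.0/24')]
ORG_MAIL_DOMAINS = {'example.com'}

# Constructed WHOIS record: a personal registrant mailbox names a real person
# for the caller to target, which is exactly what the team was collecting.
WHOIS = {
    'domain': 'example.com',
    'registrar': 'Example Registrar, Inc.',
    'created': date(2009, 3, 14),
    'registrant_email': 'jane.doe@gmail.com',
}

# Constructed subdomain list: name -> address it resolves to.
SUBDOMAINS = {
    'www.example.com': '203.0.113.10',
    'vpn.example.com': '203.0.113.20',
    'old-demo.example.com': '198.51.100.77',  # not in ORG_NETBLOCKS
}

# Constructed certificate summaries: subject alternative names as a recon team
# would read them off the raw certificate.
CERTS = [
    {'host': 'vpn.example.com', 'expires': date(2025, 1, 1),
     'sans': ['vpn.example.com', 'gitlab-internal.example.com', 'sso.corp.example.com']},
]

# Constructed port scan summaries: open port -> banner, per host.
HOSTS = [
    {'ip': '203.0.113.10', 'ports': {443: 'nginx/1.24'}},
    {'ip': '203.0.113.20', 'ports': {443: 'openvpn', 3389: 'ms-wbt-server', 445: 'smb'}},
]


def in_org_ranges(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ORG_NETBLOCKS)


def check_whois(record):
    # A personal mailbox in WHOIS hands the phishing caller a named contact.
    email = record['registrant_email']
    domain = email.rpartition('@')[2]
    if domain not in ORG_MAIL_DOMAINS:
        return [('high', 'whois', 'registrant contact %s is a personal mailbox; use a role account' % email)]
    return []


def check_subdomains(records):
    # A name pointing outside owned space is a stale record or a takeover candidate.
    return [('high', 'dns', '%s resolves to %s outside org netblocks (stale record or takeover risk)' % (name, ip))
            for name, ip in records.items() if not in_org_ranges(ip)]


def check_certs(records, today):
    findings = []
    for cert in records:
        if cert['expires'] < today:
            findings.append(('medium', 'tls', '%s certificate expired on %s' % (cert['host'], cert['expires'])))
        # Internal hostnames in SANs are a free subdomain list for the collector.
        for san in cert['sans']:
            if 'internal' in san or '.corp.' in san:
                findings.append(('medium', 'tls', 'certificate on %s publishes internal hostname %s in its SANs' % (cert['host'], san)))
    return findings


def check_ports(records):
    return [('high', 'ports', '%s exposes %s on %d (%s)' % (host['ip'], RISKY_PORTS[port], port, banner))
            for host in records for port, banner in host['ports'].items() if port in RISKY_PORTS]


def exposure_report(today_iso):
    # Returns (severity, area, text) tuples, highest severity first.
    today = date.fromisoformat(today_iso)
    findings = (check_whois(WHOIS) + check_subdomains(SUBDOMAINS)
                + check_certs(CERTS, today) + check_ports(HOSTS))
    rank = {'high': 0, 'medium': 1, 'low': 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


if __name__ == '__main__':
    for severity, area, text in exposure_report('2026-04-01'):
        print('%-6s %-6s %s' % (severity, area, text))
```

Run as-is, the constructed data yields four high findings (a personal WHOIS contact, a subdomain pointing outside the owned netblock, and RDP and SMB open on the VPN host) and three medium ones (an expired certificate and two internal hostnames leaked through its SANs). In practice the records would come from the organization's own DNS zone, certificate inventory and external scan results; the point is that each item the team leader asked for maps to a control the defender can check before a collector does.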
Actors from other parts of the group told the\r\nteam to find information on dental clinics and online stores, as they were considered to be the “best” targets.\r\nPreference was also given to insurance, law and logistics companies.\r\nCircling back on deliverables\r\nThe Fire Team’s leader took the information gathered in the reports and used it for various ransomware\r\nnegotiations, often collaborating with other people working within the syndicate. Some of these actors managed\r\ncalls to Conti victims and potential targets, while others would jump into ongoing conversations and leave\r\nmessages for victims, even if they did not start the negotiation process. Additionally, an alleged “lawyer” familiar\r\nwith U.S. and European legislation sought additional ways to pressure hacked companies with threats of litigation\r\nfrom customers or employees, or official complaints that would be sent to government authorities. This set of\r\nactors would also have side conversations about ransomware victims, primarily focused on data that would be\r\nposted on the Conti name-and-shame blog from time to time.\r\nOver the course of the conversations Intel 471 researchers observed, other actors gave the Fire Team feedback on\r\nwhat types of companies it should conduct reconnaissance on in the future. One actor specifically mentioned that they\r\nwere having trouble convincing JPMorgan Chase employees over the phone to install malware. In turn, the actor\r\nsuggested targeting smaller companies with less strict security policies.\r\nNo job is perfect\r\nEven criminal syndicates can’t avoid office politics. Despite the structure set up by Conti, team members still\r\ncomplained to their bosses and one another about time spent working and the amount of money each member\r\nmade. 
One team member who received 0.5% of ransom payouts often claimed to have a much higher workload\r\ncompared to the team leader and complained about being exploited. The team leader often called this actor\r\n“greedy” and actively sought to give this person more work and pay the actor less.\r\nRansomware, Inc.\r\nOne of the biggest mysteries for years when discussing ransomware was wondering how these criminal groups\r\nconducted operations. With the Conti leaks, the information security community now has the best look it's ever\r\ngotten at what makes these criminal groups tick. As Intel 471’s analysis shows, these groups are set up to conduct\r\ncrimes as if they were a legitimate business. There are divisions dedicated to examining every facet of a potential\r\ntarget — no matter the size — in the hopes that the information can help them extract more money post-attack.\r\nThe stereotype of young men in a basement coding their way into international crime sprees is woefully\r\ninaccurate. Ransomware-as-a-service groups operate like corporate entities, with payroll, revenue goals and salary\r\nbonuses worked into their operations. By understanding their inner workings, security teams can better adjust their\r\nthreat models and take the necessary steps to make sure that security measures make similar reconnaissance\r\nefforts worthless.\r\nSource: https://intel471.com/blog/conti-leaks-cybercrime-fire-team",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/conti-leaks-cybercrime-fire-team"
	],
	"report_names": [
		"conti-leaks-cybercrime-fire-team"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c46f996144c8691370651f32d21164f0fa39e8a2.pdf",
		"text": "https://archive.orkl.eu/c46f996144c8691370651f32d21164f0fa39e8a2.txt",
		"img": "https://archive.orkl.eu/c46f996144c8691370651f32d21164f0fa39e8a2.jpg"
	}
}