A Detailed Look at the Conti Ransomware Gang

Based on two years of leaked messages, 60,000 in all:

The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best practices to keep the group’s members hidden from law enforcement.

Posted on March 29, 2022 at 6:02 AM11 Comments


Clive Robinson March 29, 2022 11:00 AM

@ Ted,

Was it the ethics?

Not likely, more likely PR…

You probably know the legend of Robin Hood.

The Barons and other land holders like disreputable churches badly oppressed the poor, to keep them poor and the Barons and King rich beyond imagination.

So the story of Robin Hood says “He steals from the rich and gives to the poor” and thereby becomes popular and protected by the poor, who like seeing some one “Giving it to the man” etc.

What the legend never says is what the running costs of Robin Hood’s band of “merry men” was, but it was not going to be cheap…

In modern parlance if I was lets say to hit one of the big Silicon Valley Corps for a few hundred million, who would actually care? Judging by the fines they are happy to ignore not even the Corps. But I suspect many might find it funny, or even laudable if I started making anonymous donations to charity with some of the money.

However now consider some four year old girl with long blond hair and a happy smile in a birthday photograph unfortunately dies at or shortly after a ransomware attack on the hospital she is in. Even if her death was nothing what so ever to do with the ransomware attack and provably entirely due to hospital managment negligence, some journalist will try to make it look as though it’s all the fault of the ransomware.

The result not just no popular support for “sticking it to the man” but the “beast” that hides within society will wake and it’s blood lust will be aroused and vengence will be demanded. At which point truth and justice will quietly leave the stage, and the hounds of hell will enter to rip assunder for the pleasure of the societal hord…

Winter March 29, 2022 11:54 AM

@Clive, Ted
“Not likely, more likely PR…”

More like, if you anger the public too much, someone will make you stop to appease the public. And no one can protect you if the powers that be, US, China, Russia, etc. conclude you have become too much of a nuisance/liability.

It is all about cost/benefits.

Hospitals are one of those things that arouse the public. Shutting down oil to Americans is another.

Canuck March 29, 2022 12:03 PM

It’s a decision not to provoke a response by not messing with the wrong people.

If they were a band of merry men, they would outfox the hospitals rather than shying away.

I believe health information statutes demand a much more thorough investigation of data breaches and hacking (no coverups, no wilful blindness) than do the rules that apply to other entities. In other words, these targets have incentives to respond differently.

oh boy March 29, 2022 12:55 PM

“and shares best practices to keep the group’s members hidden from law enforceme”

Funny, I read the article and I didn’t see that discussion.

lurker March 29, 2022 7:14 PM

@oh boy

The leaked messages, reviewed in depth by WIRED, provide an unrivaled view into […] the group’s sophisticated businesslike hierarchy, its members’ personalities, how it dodges law enforcement, and details of its ransomware negotiations.

The para. above that in the article has a link to the message dump. But the link has an embedded tracker. Your move…

Winter March 30, 2022 12:57 AM

If you want much more detail on the Conti Ransomware Gang papers, Brian Krebs has written a four parts series about the leaked papers. They are here:

Conti Ransomware Group Diaries, Part I: Evasion

Part II: The Office

Part III: Weaponry

Part IV: Cryptocrime

Ted March 30, 2022 9:02 AM

@Clive, Winter, All

Not likely, more likely PR…

That makes sense. Also @Winter, thank you for the links to Brian’s articles. Brian mentioned that someone in the Conti gang had at one point threatened to attack hospitals (Part I):

“F*ck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”

The FBI and DHS apparently warned the healthcare industry. But the sector was not hit any harder than usual that week. Of course, a later big healthcare hit by the Conti gang (aka Wizard Spider) was Ireland’s Health Service Executive in May 2021.

Mandiant has a graph that shows what industries were hit by Conti. The attacks were more concentrated in manufacturing, legal and professional services, construction and engineering, and retail sectors. Crime with the outrage turned down a notch or two, I guess.


SpaceLifeForm March 30, 2022 3:05 PM

If you are going to leak, redact.

Maybe dump the raw to FBI, and then just report a summary report.

Of course, when there are thousands of files, and GB of data, who has the time to read it all in a timely manner?


The FBI, Danylo said, contacted him after he began to leak the Conti files, asking him to stop leaking.

There may be important intel inside that is not obvious on initial inspection.

The leak without redaction can potentionally cause other unexpected issues.

SpaceLifeForm April 2, 2022 2:44 PM

Turnabout is fair play, right?

In return for free offsite backup, Mosekspertiza now has a modified version of Conti installed. No charge!


over 150,000 emails, 8,200 files and several hundred GB of databases from Mosekspertiza, a state-owned company created by the Moscow Chamber of Commerce to provide expert services to Russian businesses, provided by @xxNB65


See the graphic.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.