
Conti Ransomware Leaks: What the Internal Files Revealed About Supply Chain Tools

When Conti's internal communications leaked in early 2022, they exposed the operational playbook of a top-tier ransomware gang — including how they targeted supply chains.

Nayan Dey
Security Analyst

On February 27, 2022, just days after Russia invaded Ukraine, a Twitter account called @ContiLeaks began publishing tens of thousands of internal messages from the Conti ransomware group. Over the following weeks, the leaks expanded to include source code, training materials, and operational documents. It was one of the most significant intelligence windfalls in cybersecurity history.

The leaks confirmed what researchers had long suspected: Conti operated less like a criminal gang and more like a mid-sized software company, complete with HR processes, salary structures, and dedicated R&D teams. But the most tactically valuable revelations were about how the group approached supply chain targeting.

Inside Conti's Organization

The leaked communications — over 60,000 messages from internal Jabber chat logs — painted a detailed picture of Conti's organizational structure:

Leadership: A core leadership team handled strategy, finances, and relationships with other criminal groups. The individual known as "Stern" appears to have been the organizational leader, while "Mango" managed day-to-day operations.

Development teams: Separate teams worked on the ransomware payload, the backend infrastructure, and auxiliary tools. Developers were paid monthly salaries ranging from $1,500 to $2,000 — modest by Western standards but competitive in the regions where most developers were located.

Negotiation team: Dedicated negotiators handled victim communications, with training materials on psychological pressure tactics, how to research victim revenue to calibrate demands, and scripts for common negotiation scenarios.

OSINT team: A dedicated team conducted open-source intelligence gathering on potential targets, researching company revenue, cyber insurance coverage, and IT infrastructure before attacks were launched.

The total headcount was estimated at 60-100 people at any given time, with significant turnover among lower-level members.

Supply Chain Targeting Methodology

The leaks revealed that Conti had developed a systematic approach to supply chain targeting, though they didn't use that specific terminology. Their methodology included several key elements:

Targeting MSPs and IT Service Providers

Internal messages showed explicit discussions about targeting managed service providers. The logic was straightforward — compromising an MSP provided access to dozens or hundreds of client networks through a single intrusion. Chat logs included instructions on:

  • Identifying MSP-specific remote monitoring and management software (ConnectWise, Datto, Kaseya) in compromised networks, since its presence marks a victim that itself holds access into other customers' environments
  • Extracting MSP credentials to pivot to client environments
  • Timing ransomware deployment across multiple client networks simultaneously for maximum impact

One message from a senior operator stated bluntly that MSPs were "the best targets" because "one access gives many companies."

Software Supply Chain Awareness

While Conti wasn't conducting sophisticated supply chain attacks like SolarWinds, the group showed awareness of software dependencies as an attack surface:

  • Operators discussed targeting software update mechanisms as persistence and distribution methods
  • Training materials included sections on identifying centralized management tools that could be abused for lateral deployment
  • Chat logs referenced using legitimate software distribution tools (SCCM, PDQ Deploy) and Group Policy to push ransomware across networks
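From the defender's side, the abuse of SCCM, PDQ Deploy or Group Policy described above has a recognisable shape: one binary appearing as a new service or scheduled task on many hosts within minutes, often right after a Group Policy object is edited. The script below is an added example written for this article (it is not Conti code and not taken from the leaked material) that correlates that pattern over a constructed batch of Windows events. The flattened event fields (`ts`, `host`, `event_id`, `image`, `object_class`, `subject`), the thresholds and the sample host names are assumptions; the event IDs are the standard Windows ones (System 7045 service installed, Security 4698 scheduled task created, Security 5136 directory object modified).

```python
"""Spot a payload being pushed to many hosts through admin tooling.

Added example for this article; not Conti code and not from the leaked
material. Event layout, thresholds and sample hosts are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

HOST_THRESHOLD = 5              # distinct hosts receiving the same payload...
WINDOW = timedelta(minutes=10)  # ...inside this window counts as a mass deployment

# Constructed sample: a GPO edit on the DC, a routine agent update on two hosts,
# then one binary from a temp directory landing on six hosts in under five minutes.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T02:00:10", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "subject": "CORP\\svc_backup"},
    {"ts": "2022-03-01T02:00:30", "host": "WS-001", "event_id": 7045,
     "image": "C:\\Program Files\\Agent\\agent.exe"},
    {"ts": "2022-03-01T02:00:45", "host": "WS-002", "event_id": 7045,
     "image": "C:\\Program Files\\Agent\\agent.exe"},
    {"ts": "2022-03-01T02:01:00", "host": "WS-014", "event_id": 7045, "image": "C:\\Windows\\Temp\\upd.exe"},
    {"ts": "2022-03-01T02:01:20", "host": "WS-022", "event_id": 4698, "image": "C:\\Windows\\Temp\\upd.exe"},
    {"ts": "2022-03-01T02:02:05", "host": "FS01",   "event_id": 7045, "image": "C:\\Windows\\Temp\\upd.exe"},
    {"ts": "2022-03-01T02:02:40", "host": "WS-031", "event_id": 7045, "image": "C:\\Windows\\Temp\\upd.exe"},
    {"ts": "2022-03-01T02:03:15", "host": "SQL01",  "event_id": 4698, "image": "C:\\Windows\\Temp\\upd.exe"},
    {"ts": "2022-03-01T02:04:50", "host": "WS-040", "event_id": 7045, "image": "C:\\Windows\\Temp\\upd.exe"},
    # the same binary hours later on one host: outside the window, adds no new alert
    {"ts": "2022-03-01T06:30:00", "host": "WS-099", "event_id": 7045, "image": "C:\\Windows\\Temp\\upd.exe"},
]


def payload_name(event):
    """Normalised payload identity for service/task install events, else None."""
    if event["event_id"] in (7045, 4698):
        return ntpath.basename(event["image"]).lower()
    return None


def find_mass_deployments(events, host_threshold=HOST_THRESHOLD, window=WINDOW):
    """Return {payload: sorted hosts} for payloads installed on >= host_threshold
    distinct hosts inside any span of length `window`."""
    installs = defaultdict(list)                  # payload -> [(ts, host)]
    for ev in events:
        name = payload_name(ev)
        if name:
            installs[name].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    hits = {}
    for name, seen in installs.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):     # slide a window from each install
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= host_threshold:
                hits[name] = sorted(hosts)
                break
    return hits


def find_gpo_edits(events):
    """(ts, subject) for every Group Policy object modification in the batch."""
    return [(ev["ts"], ev["subject"]) for ev in events
            if ev["event_id"] == 5136 and ev.get("object_class") == "groupPolicyContainer"]


if __name__ == "__main__":
    for payload, hosts in find_mass_deployments(SAMPLE_EVENTS).items():
        print(f"MASS DEPLOYMENT: {payload} on {len(hosts)} hosts: {', '.join(hosts)}")
    for ts, who in find_gpo_edits(SAMPLE_EVENTS):
        print(f"GPO EDIT: {ts} by {who}")
```

The agent update on two hosts stays below the threshold, while `upd.exe` trips it on the first window. In production the payload key would also include a hash of the file, and a GPO edit minutes before a mass install is worth escalating on its own, since the playbooks treat Group Policy as a distribution channel.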

Third-Party Access Exploitation

The leaks showed that Conti frequently exploited third-party access as an entry vector:

  • Compromised credentials from IT vendors were traded and shared among operators
  • VPN credentials from third-party contractors were a preferred initial access method
  • The group maintained lists of compromised vendor accounts that could provide access to multiple organizations

Technical Arsenal Revealed

The source code leak provided unprecedented visibility into Conti's technical capabilities:

The Ransomware Payload

Conti's ransomware was written in C++ and used a hybrid encryption scheme: file contents are encrypted with the ChaCha8 stream cipher under a per-file key, and that key is in turn encrypted with an RSA-4096 public key embedded in the binary, so only the operators' private key can recover it. The source code revealed:

  • A multi-threaded design (a pool of up to 32 worker threads) combined with partial encryption of large files, trading completeness for speed, so Conti could encrypt a network significantly faster than most competitors
  • Support for encrypting network shares and mapped drives
  • Command-line arguments for targeting specific directories or drives
  • A built-in ability to kill processes and services that might lock files (databases, email servers, backup software)

Cobalt Strike Integration

The leaks confirmed Conti's heavy reliance on Cobalt Strike for post-exploitation. Training materials included detailed guides on:

  • Setting up Cobalt Strike team servers with proper OPSEC
  • Using Cobalt Strike's lateral movement capabilities
  • Deploying custom Beacon configurations to evade detection
  • Integrating Cobalt Strike with other tools for credential harvesting

BazarLoader and TrickBot

Conti was closely tied to the TrickBot malware operation, using both TrickBot and BazarLoader as initial access vectors. The leaks showed that by the time of the chat logs these were not separate criminal operations at all, but different divisions of the same broader organization, with the loaders feeding access to the ransomware crew.

BazarLoader served as a lightweight initial access tool, while TrickBot provided broader capabilities including:

  • Bank credential theft
  • Network reconnaissance
  • Active Directory enumeration
  • Delivery of the Conti ransomware payload

The Human Element

Beyond the technical details, the Conti leaks provided a rare window into the human side of ransomware operations:

Recruitment: New members were often recruited through Russian-language forums. Junior operators started with basic tasks like maintaining infrastructure and were gradually promoted to more sensitive roles.

Internal conflicts: The chat logs revealed frequent disagreements about targets, payment splits, and operational decisions. Several operators expressed discomfort about attacking hospitals and critical infrastructure, though these objections were typically overruled.

The Ukraine split: The leaks themselves were triggered by an internal conflict over Russia's invasion of Ukraine. After Conti's leadership posted a pro-Russia statement, a Ukrainian security researcher with access to the group's internal systems (by the leaker's own account) began publishing internal data in retaliation.

Working conditions: Despite the criminal nature of the work, the internal discussions revealed mundane workplace dynamics — complaints about workload, requests for time off, discussions about salary, and frustrations with management decisions.

Impact on the Ransomware Ecosystem

The Conti leaks had several significant consequences:

Direct Impact on Conti

The group formally dissolved in May 2022, though the shutdown was orderly rather than chaotic. Members migrated to several successor operations:

  • Royal ransomware (later rebranded to BlackSuit)
  • Black Basta
  • Karakurt (focused on data extortion without encryption)
  • Quantum ransomware

Intelligence Value

Security researchers and law enforcement gained enormous value from the leaks:

  • Detection signatures were developed based on the leaked source code
  • The organizational structure information aided law enforcement investigations
  • The training materials helped defenders understand attacker methodology
  • The communication patterns provided insights into how ransomware groups make targeting decisions

Copycat Operations

The leaked Conti source code was quickly adopted by other threat actors. Within months, multiple new ransomware variants appeared that were clearly derived from the Conti codebase. This had the perverse effect of democratizing access to high-quality ransomware code.

Defensive Takeaways

The Conti leaks provided actionable intelligence for defenders:

MSP security is everyone's security. If your organization relies on managed service providers, their security posture directly affects yours. Conti explicitly targeted MSPs as a force multiplier.

Third-party access needs continuous monitoring. Conti's operators frequently used compromised vendor credentials as their initial access vector. Monitoring third-party access patterns and enforcing least-privilege principles are essential.

Backup infrastructure is a primary target. The leaked training materials explicitly instructed operators to identify and destroy backup systems before deploying ransomware. Air-gapped or immutable backups are not optional.
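The backup destruction described here, together with the payload's habit of stopping services that hold files open (noted under "The Ransomware Payload"), leaves a recognisable run of commands on a Windows host shortly before encryption starts. The detector below is an added example written for this article (not Conti's code and not drawn from the leaked material): it classifies process-creation command lines into generic tamper categories (shadow-copy and backup-catalog deletion, boot-recovery tampering, stopping or killing database, mail and backup services) and flags hosts that show more than one category in the same quarter-hour. The rules match the standard Windows commands for those actions, not any specific Conti string; the flattened event layout (Sysmon EventID 1 or Security 4688 reduced to `ts`, `host`, `user`, `cmdline`) and the sample hosts are constructed assumptions.

```python
"""Classify and correlate pre-encryption tamper commands.

Added example for this article; not Conti code and not from the leaked
material. Patterns are the generic Windows commands for each action; the
event layout and sample hosts are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# (category, pattern) applied case-insensitively to the full command line
TAMPER_RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
    ("recovery_disable",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("service_stop",   # net/sc stop of a service whose name suggests a database, mail or backup product
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?\S*(?:sql|veeam|backup|exchange|acronis|vss)", re.I)),
    ("process_kill",   # taskkill of the processes that keep those files locked
     re.compile(r"\btaskkill(?:\.exe)?\b.*/im\s+\"?(?:sqlservr|msexchange|veeam|outlook|w3wp)", re.I)),
]

# Constructed sample: a file server and a database server being prepared for
# encryption, then routine admin work on a workstation that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T04:12:01", "host": "FS01", "user": "CORP\\Administrator",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2022-03-01T04:12:03", "host": "FS01", "user": "CORP\\Administrator",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2022-03-01T04:12:05", "host": "FS01", "user": "CORP\\Administrator",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2022-03-01T04:12:09", "host": "FS01", "user": "CORP\\Administrator",
     "cmdline": "net stop \"Veeam Backup Service\" /y"},
    {"ts": "2022-03-01T04:12:11", "host": "SQL01", "user": "CORP\\Administrator",
     "cmdline": "net1 stop MSSQLSERVER /y"},
    {"ts": "2022-03-01T04:12:14", "host": "SQL01", "user": "CORP\\Administrator",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2022-03-01T09:30:00", "host": "WS-003", "user": "CORP\\jdoe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2022-03-01T09:31:00", "host": "WS-003", "user": "CORP\\jdoe",
     "cmdline": "net stop Spooler"},
]


def classify(cmdline):
    """First matching tamper category for a command line, or None."""
    for category, pattern in TAMPER_RULES:
        if pattern.search(cmdline):
            return category
    return None


def find_tamper_sequences(events, min_categories=2, bucket_minutes=15):
    """Bucket matches per host into fixed bucket_minutes slots; return
    {host: sorted categories} for slots holding >= min_categories categories."""
    buckets = defaultdict(set)                      # (host, slot start) -> categories
    for ev in events:
        category = classify(ev["cmdline"])
        if category is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        slot = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0, microsecond=0)
        buckets[(ev["host"], slot)].add(category)
    return {host: sorted(cats) for (host, _), cats in buckets.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['ts']} {ev['host']:7} {classify(ev['cmdline']) or '-':22} {ev['cmdline']}")
    for host, cats in find_tamper_sequences(SAMPLE_EVENTS).items():
        print(f"TAMPER SEQUENCE on {host}: {', '.join(cats)}")
```

A single shadow-copy deletion is already worth an alert on its own; the sequence view matters because the combination of shadow deletion, catalog deletion and recovery tampering on one host within minutes is the signature of an operator preparing to detonate, and it arrives before any file is encrypted.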

Speed matters in detection. Conti's multi-threaded encryption was designed to be fast — often completing full network encryption in hours. Detection and response capabilities need to match that speed.
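One concrete meaning of "detection has to match that speed" is to stop classifying files after the fact and instead watch each process's write and rename stream, alerting the moment a single process has produced several high-entropy overwrites or extension changes inside a few seconds. The script below is an added example written for this article (neither Conti code nor anything from the leaked material). The event layout (`ts`, `process`, `op`, `path`, `data`, `new_path`), the entropy and rate thresholds, and the sample process names are assumptions constructed for the example; the random bytes stand in for ciphertext.

```python
"""Entropy-and-rate detector for an encryption burst in progress.

Added example for this article; not Conti code and not from the leaked
material. Event layout, thresholds and sample process names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import math
import ntpath
import random

HIGH_ENTROPY = 7.5              # bits/byte; documents and source code sit around 4-6
WINDOW = timedelta(seconds=5)
BURST_FILES = 5                 # distinct files per process inside WINDOW before alerting


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_signal(ev):
    """True for a high-entropy overwrite or a rename that changes the extension."""
    if ev["op"] == "write":
        return shannon_entropy(ev["data"]) >= HIGH_ENTROPY
    if ev["op"] == "rename":
        return ntpath.splitext(ev["path"])[1].lower() != ntpath.splitext(ev["new_path"])[1].lower()
    return False


def detect_bursts(events, window=WINDOW, burst_files=BURST_FILES):
    """Return {process: ISO timestamp of first alert} for processes that produced
    signals on >= burst_files distinct paths within `window`."""
    recent = defaultdict(deque)         # process -> (ts, path) signals still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        proc = ev["process"]
        if proc in alerts or not is_signal(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[proc]
        q.append((ts, ev["path"]))
        while ts - q[0][0] > window:    # drop signals that aged out of the window
            q.popleft()
        if len({p for _, p in q}) >= burst_files:
            alerts[proc] = ev["ts"]
    return alerts


def sample_events():
    """Constructed stream: a word processor saving text (one benign extension
    change), then an unknown binary overwriting eight spreadsheets on a share
    with random bytes and renaming each one, four files per second."""
    rng = random.Random(1)                      # deterministic stand-in for ciphertext
    ciphertext = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = b"Quarterly forecast: revenue up 4%, costs flat. " * 40
    t0 = datetime(2022, 3, 1, 4, 20, 0)
    stamp = lambda secs: (t0 + timedelta(seconds=secs)).isoformat()
    events = [
        {"ts": stamp(0.0), "process": "WINWORD.EXE", "op": "write",
         "path": r"C:\Users\jdoe\forecast.docx", "data": text},
        {"ts": stamp(1.5), "process": "WINWORD.EXE", "op": "rename",
         "path": r"C:\Users\jdoe\~WRD0001.tmp", "new_path": r"C:\Users\jdoe\forecast.docx"},
    ]
    for i in range(8):
        path = rf"\\FS01\finance\ledger_{i}.xlsx"
        events.append({"ts": stamp(1.0 + i * 0.25), "process": "upd.exe", "op": "write",
                       "path": path, "data": ciphertext(2048)})
        events.append({"ts": stamp(1.0 + i * 0.25), "process": "upd.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    for proc, ts in detect_bursts(sample_events()).items():
        print(f"ENCRYPTION BURST: {proc} at {ts}")
```

The alert fires on the fifth distinct file, one second into the burst, while the word processor's single temp-file rename never accumulates enough signals. Counting distinct paths rather than raw events keeps a process that rewrites one large file in many chunks from tripping the rule; real deployments feed this from a minifilter or EDR file-event stream rather than an in-memory list.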

How Safeguard.sh Helps

The Conti leaks revealed what security professionals already knew: ransomware groups treat the software supply chain as an attack multiplier. From MSP targeting to exploiting centralized management tools, every shared dependency is a potential blast radius expander.

Safeguard.sh addresses this directly by providing comprehensive supply chain visibility. The platform's automated SBOM management tracks every software component across your organization, identifying shared dependencies that could become single points of failure — exactly the kind of centralized tools Conti's playbook targeted.

With Safeguard.sh's continuous monitoring, you can detect when components in your supply chain develop new vulnerabilities or when vendor security postures change. The platform's policy enforcement ensures that your supply chain security standards are applied consistently, not just during procurement but throughout the entire software lifecycle. When threat groups like Conti target the tools that connect your infrastructure, you need visibility that matches their ambition.
