Conti is the operation that most clearly demonstrated what a mature ransomware enterprise actually looks like from the inside. Before the ContiLeaks of 2022 we had inferences. After them we had org charts, payroll spreadsheets, HR conversations, and R&D roadmaps. Conti also showed how a single operation can collapse and then reconstitute itself, like a damaged starfish, into half a dozen successor brands.
Origins
Conti emerged in mid-2020 as the next evolution of the Ryuk operation run by the Russian-speaking cybercrime collective tracked variously as Wizard Spider, TrickBot Group, or UNC1878. Where Ryuk had been a custom strain deployed by a small operator team, Conti was rebuilt as a multi-affiliate ransomware operation. Distribution still leaned on TrickBot and BazarLoader malware infections, but the operation rapidly grew its affiliate base and became one of the most active extortion brands of 2020–2022.
The malware
The Conti locker was technically competent rather than spectacular. It used a hybrid AES + RSA scheme, multi-threaded encryption, intermittent (partial-file) encryption for speed, and a flexible target-list mechanism. The ESXi variant became one of the more widely deployed Linux ransomware payloads of the era. The source code leaked in 2022 became a starter kit for half the next generation of operators: LockBit Green, ScareCrow, Meow, Akira, and others all incorporated chunks of Conti.
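Intermittent encryption is the feature from that list that matters most to defenders, because a file that is only partly encrypted keeps its whole-file entropy low enough to pass the "high entropy means ciphertext" heuristic that catches fully encrypted output. The following is an added example, not Conti code and not from the leaked source: it scans a file in fixed windows and flags the alternating high/low entropy pattern that partial-file encryption leaves behind. The sample files are constructed, with random bytes standing in for ciphertext.

```python
import math
import os
from collections import Counter

CHUNK = 4096          # window size for the per-chunk entropy scan
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def whole_file_flag(data: bytes) -> bool:
    """The naive check: treat the file as encrypted only if its overall entropy is high."""
    return shannon_entropy(data) >= HIGH_ENTROPY


def chunk_entropies(data: bytes, chunk: int = CHUNK):
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes) -> str:
    """'clean', 'fully-encrypted', or 'intermittent' from the per-chunk pattern.

    A mix of high- and low-entropy windows in one file is the signature of
    partial-file encryption that the whole-file check misses.
    """
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data)]
    if not any(high):
        return "clean"
    if all(high):
        return "fully-encrypted"
    return "intermittent"


# Constructed samples (hypothetical, for illustration only): a document-like
# plaintext of exactly six windows, the same size fully "encrypted" (random bytes
# stand in for ciphertext), and a version where every other window is replaced.
PLAINTEXT = (b"quarterly report: revenue up, costs flat. " * 700)[:6 * CHUNK]
FULL = os.urandom(len(PLAINTEXT))
_windows = [PLAINTEXT[i:i + CHUNK] for i in range(0, len(PLAINTEXT), CHUNK)]
INTERMITTENT = b"".join(os.urandom(CHUNK) if i % 2 == 0 else w
                        for i, w in enumerate(_windows))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("full", FULL), ("intermittent", INTERMITTENT)):
        print(f"{name:13s} whole-file flag={whole_file_flag(blob)!s:5s} chunk verdict={classify(blob)}")
```

On the intermittent sample the whole-file check stays quiet while the chunked scan reports it, which is the evasion the technique buys; in production the window size should be chosen to match the stride the locker family uses.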
The corporate structure
Internal chat logs and payroll documents leaked in February 2022 revealed an organisation that ran like a tech company:
- A CEO-level operator known as "Stern" set strategy and approved hires.
- Dedicated managers ran development, intrusions, OSINT, HR, and "support."
- Salaries were paid monthly, in Bitcoin, with "employee of the month" awards and bonuses for results.
- A hiring funnel recruited developers through legitimate Russian job sites, often without the candidates initially realising they were being interviewed for a criminal enterprise.
- An R&D team worked on rootkits, proxies, custom command-and-control, and integration with TrickBot, BazarLoader, and Anchor.
- A "negotiations" team handled victim chat, with scripts and pricing models.
Estimates from the leaks put headcount at roughly 100 people, with monthly payroll around $1–2 million.
Notable victims
Conti was indiscriminate in a way many of its peers were not. The operation explicitly targeted hospitals, government agencies, and critical infrastructure despite the public taboos against doing so. High-profile victims included:
- Health Service Executive of Ireland (May 2021), a catastrophic attack that disrupted Irish public healthcare for months and drew an unprecedented public response.
- Costa Rica’s government (April 2022), which led the country to declare a national emergency and prompted a US State Department $10M reward for information on the operators.
- Shutterfly, JVCKenwood, Advantech, and dozens of US municipalities and school districts.
Conti is estimated to have extracted over $180 million in ransoms in 2021 alone, making it the single most profitable operation that year.
ContiLeaks
On 27 February 2022, three days after Russia’s full-scale invasion of Ukraine, Conti’s official blog posted a statement pledging "full support" of the Russian government and threatening retaliatory cyberattacks against critical infrastructure of "any country" considered hostile to Russia. The post was edited within hours but the political damage was already done.
A pro-Ukrainian insider, believed to be a Ukrainian researcher with access to Conti’s Jabber server, began leaking. Over the following weeks, more than 60,000 internal chat messages, source code for the locker and the TrickBot bot, training documents, internal tooling, and payroll information appeared publicly on Twitter and GitHub. The corpus was almost overwhelming, but it gave researchers, journalists, and law-enforcement agencies a once-in-a-decade view into the inner workings of a top-tier RaaS.
Affiliates began withdrawing immediately. The Conti brand became unprofitable: paying Conti now risked OFAC sanctions exposure, and victims started refusing on legal grounds. Internal communications captured the leadership’s panic in real time.
The "controlled demolition"
Rather than a simple shutdown, Conti executed what researchers later called a controlled demolition. The leak site was kept active for months while leadership quietly migrated personnel and tooling into successor operations:
- Black Basta absorbed senior intrusion talent and quickly became a top-five operator in its own right.
- BlackByte took on additional affiliate flow.
- Karakurt was an existing Conti subsidiary that had specialised in pure-extortion, no-encryption attacks.
- Royal (later rebranded again as BlackSuit) absorbed another tranche of Conti veterans.
- Zeon and Quantum ran additional intermediate brands.
By June 2022 the Conti leak site went dark. The Conti name was retired; the people, infrastructure, and affiliate relationships were not.
What Conti taught us
Three lessons stand out. First, mature ransomware operations are not gangs; they are companies, with the same management problems, hiring pipelines, and bureaucratic dysfunctions as legitimate firms. Second, political alignment matters: Conti’s pro-Russia statement was the proximate cause of the leak, and it remains the clearest example of a criminal operation paying a price for its geopolitical loyalties. Third, "takedown" is rarely terminal. The Conti machine was not arrested; it was reorganised. Most of its successor brands are still operating today.
The Conti story is therefore both a triumph and a cautionary tale. The triumph is that an opaque, highly capable enterprise was exposed in unprecedented detail, and that one of the worst ransomware operations of the modern era was effectively dismantled. The cautionary tale is that the same talent, the same tooling, and the same affiliate relationships are still running, just under different names.
