What we found in the leaked Conti chats, two years later
When a disgruntled affiliate dumped roughly 60,000 internal Jabber messages from the Conti ransomware group in February 2022, the immediate analysis was understandably noisy. Most of the early write-ups focused on the org chart — who reported to whom, who managed payroll, which devs maintained which modules of the locker — and on the more lurid material about office politics and salaries. That work was useful but limited. Two years on, the leak is more valuable than it was the day it dropped, because we now know which of the people in those messages went on to lead which successor groups.
CipherGuard spent the last six months re-reading the leak end-to-end, with the benefit of vx-underground's cleaned and translated mirror and the work of independent researchers including Brian Krebs's 2022 series and the WithSecure team's organisational analysis. Three findings stood out as worth committing to the record.
1. The affiliate market was less centralised than the public reporting suggested
The early coverage treated Conti as a corporate entity with a single management line. The chats themselves suggest something messier: by mid-2021, the group was operating closer to a federated commune than a company. There were at least four parallel intake channels for new affiliates, run by different "team leads" with materially different vetting practices. One lead — handle stern — required a written CV and a sample test on a non-production target before approving access to the locker. Another — bentley — was demonstrably willing to onboard any Russian-speaking applicant with a working understanding of psexec and a willingness to split 70/30.
This matters now because the splinter pattern follows the intake structure. The two groups that retained the most disciplined OPSEC after Conti's brand collapsed in May 2022 — Black Basta and the early version of what became Royal — both trace their core membership back to stern's recruits. The shorter-lived, sloppier groups (the brief Quantum revival, the first BlackByte affiliate generation) drew disproportionately from bentley's.
When you read post-Conti reporting from The DFIR Report or Mandiant, this pattern shows up at the IOC level. The discipline around C2 rotation, the consistency of staging-directory naming, the use of Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques against EDR — these are downstream of who recruited whom in 2021.
2. OPSEC fatigue is a real, observable phenomenon
The most striking thing about reading 18 months of operator chat in chronological order is watching OPSEC erode in real time. In Q1 2021, operators routinely scolded each other for reusing aliases, for posting screenshots without redacting timestamps, for paying for VPS instances with personal payment instruments. By Q4 2021, the same operators were sharing PCAPs in cleartext, posting selfies in the office channel, and — in two memorable cases — pasting their own home address into a discussion about a delivery.
This is not unique to Conti. We see the same arc in the leaked Yanluowang chats from October 2022 and in the brief glimpses inside LockBit correspondence that surfaced after the February 2024 NCA-led takedown. The slow grind of operational discipline is incompatible with sustained productivity at scale. Once a group hits a certain transaction volume, the same people are doing the same things every day, and small lapses compound.
For defenders, the practical implication is that the IOCs you collect late in a group's lifecycle are usually higher-fidelity than the ones you collect early. Many SOCs still treat threat intel as a strictly time-sensitive feed, with old IOCs ageing out automatically. That is a mistake. stern's 2021 OPSEC was excellent. Once stern had renamed and continued operations under a new identity inside Black Basta, the 2022 OPSEC was visibly less so — and the artefacts from late-2022 incidents have proven much more useful for attribution than those from earlier ones.
3. The negotiator role is undervalued
Almost every public write-up of the leak focused on the technical staff. But the chats are dominated, in word count, by a much smaller team: the negotiators. There were perhaps a dozen of them at any given time. They worked in shifts. They had standard scripts. They had a clear escalation ladder. And they were, by the company's own retrospective metrics shared in management channels, the single largest driver of revenue variance — far more than the locker's technical sophistication.
The implication for incident-response shops is straightforward: the technical playbook for ransomware is now mostly commoditised. The negotiation playbook is where the residual variance lives. CipherGuard's earlier reporting on this is collected in Proactive ransomware defence and crisis communication; the Conti material confirms, with material detail, why crisis-communication preparation is so disproportionately valuable.
What we did not find
A handful of theories the early coverage advanced did not survive the re-read.
- There is no evidence in the chats of operational direction from the FSB. There is plenty of evidence of political alignment, including the now-infamous February 2022 statement of support for the Russian invasion of Ukraine. But the day-to-day operational chatter shows no taskings, no targeting requests, and no funding from any state agency. For comparison, consider the CISA / FBI / NSA joint advisory of September 22, 2022 on Iranian-affiliated activity: when state direction is present, it is generally visible in the artefacts. Here, it is not.
- The "$2.7 billion in ransom payments" figure that circulated in mid-2022 is not supported. The accounting messages in the leak show a much smaller cumulative figure for the period they cover — closer to $167 million, net of affiliate splits, across roughly fourteen months. Chainalysis's own 2023 Crypto Crime Report revised the broader ransomware-payment estimates downward for similar reasons.
- There is no evidence of a "Conti University" training programme of the kind some early coverage described. There were ad-hoc tutorials and a handful of Russian-language slide decks on Active Directory exploitation, but nothing resembling a structured curriculum. The "university" framing appears to have originated from a single Telegram boast that was not corroborated elsewhere.
How to read leaks like this
Three practical notes for any analyst sitting down with a similar corpus:
- Read chronologically, not topically. The temptation is to grep for keywords. The signal is in the time series.
- Build a handle-to-handle graph early. Most operators used at least three aliases over the period. Without a unified identity map, the rest is impossible to parse.
- Pay particular attention to the negotiation and accounting channels. The technical channels show you what the group could do. The business channels show you what the group actually did, which is almost always a much narrower set of activities.
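As an added example (not CipherGuard's tooling, and not the format of the leaked archive), here is a minimal Python pass that implements the three notes above over a constructed sample: it deduplicates and sorts records chronologically, resolves aliases into a handle-to-handle identity map with union-find, and then counts activity per identity per quarter and per room so that business-channel activity can be compared with technical-channel activity. The room names, handles, message bodies and the alias-link table are invented for illustration; the alias links stand in for the evidence an analyst accumulates by hand during a read-through.

```python
"""Added example: a first-pass analysis pipeline for a chat-leak corpus.
Not CipherGuard's code; all records below are constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample rows (room, sender handle, ISO timestamp, body).
# These are invented, not lines from any real leak. The last two rows are a
# deliberate exact duplicate, as often happens when exports are merged.
SAMPLE_ROWS = [
    ("ops", "alpha", "2021-02-03T10:15:00", "reminder: rotate the vps, don't reuse handles"),
    ("ops", "beta", "2021-02-03T10:17:00", "ok"),
    ("ops", "alpha", "2021-02-03T10:20:00", "beta, don't post screenshots with timestamps"),
    ("negotiation", "gamma", "2021-03-10T08:00:00", "opening script sent, waiting"),
    ("negotiation", "gamma", "2021-03-10T12:30:00", "they countered, escalating to shift lead"),
    ("accounting", "delta", "2021-04-01T09:00:00", "payout split 70/30 processed for beta"),
    ("ops", "beta2", "2021-09-14T14:05:00", "this is beta, new account, old one locked"),
    ("ops", "alpha", "2021-09-14T14:06:00", "noted beta2 = beta"),
    ("ops", "beta2", "2021-11-20T17:45:00", "pcap attached"),
    ("ops", "beta2", "2021-11-20T17:45:00", "pcap attached"),  # duplicate row
]

# Constructed alias evidence (hypothetical): pairs of handles the analyst has
# judged to be the same person, e.g. from the "new account" message above.
ALIAS_LINKS = [("beta2", "beta")]


@dataclass(frozen=True)
class Message:
    room: str
    handle: str
    ts: datetime
    body: str


def load_messages(rows):
    """Parse rows, drop exact duplicates, and return them in time order
    (note 1: read chronologically, not topically)."""
    seen, out = set(), []
    for room, handle, ts, body in rows:
        key = (room, handle, ts, body)
        if key in seen:
            continue
        seen.add(key)
        out.append(Message(room, handle, datetime.fromisoformat(ts), body))
    return sorted(out, key=lambda m: m.ts)


class HandleGraph:
    """Union-find over handles: each alias link merges two identity sets
    (note 2: the handle-to-handle graph)."""

    def __init__(self):
        self.parent = {}

    def find(self, h):
        self.parent.setdefault(h, h)
        while self.parent[h] != h:
            self.parent[h] = self.parent[self.parent[h]]  # path halving
            h = self.parent[h]
        return h

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if rb < ra:  # deterministic root: lexicographically smallest handle
            ra, rb = rb, ra
        self.parent[rb] = ra


def build_identity_map(messages, links):
    """Map every handle seen in the corpus to its canonical identity."""
    g = HandleGraph()
    for m in messages:
        g.find(m.handle)
    for a, b in links:
        g.union(a, b)
    return {h: g.find(h) for h in list(g.parent)}


def activity_by_quarter(messages, identity):
    """Per-identity, per-quarter message counts: the time series note 1 asks for."""
    counts = defaultdict(Counter)
    for m in messages:
        quarter = f"{m.ts.year}Q{(m.ts.month - 1) // 3 + 1}"
        counts[identity[m.handle]][quarter] += 1
    return {k: dict(v) for k, v in counts.items()}


def room_activity(messages, identity):
    """Per-room, per-identity counts, so business channels (negotiation,
    accounting) can be read separately from technical ones (note 3)."""
    rooms = defaultdict(Counter)
    for m in messages:
        rooms[m.room][identity[m.handle]] += 1
    return {k: dict(v) for k, v in rooms.items()}


if __name__ == "__main__":
    msgs = load_messages(SAMPLE_ROWS)
    ident = build_identity_map(msgs, ALIAS_LINKS)
    print(f"{len(msgs)} unique messages, {len(set(ident.values()))} identities")
    print("by quarter:", activity_by_quarter(msgs, ident))
    print("by room:", room_activity(msgs, ident))
```

The identity map is applied only at aggregation time, so the raw handle stays on every record; that matters when an alias link later turns out to be wrong and has to be reversed without re-parsing the corpus. On a real archive the rows would come from the Parquet conversion rather than an inline list, and the quarter buckets are the natural granularity for spotting the kind of discipline drift described in finding 2.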
CipherGuard's working copy of the leak — including a Polars-friendly Parquet conversion and a handle-resolution table — is available to verified researchers on request. We do not redistribute the raw archive; the vx-underground mirror is the canonical source.
Methodology note. "60,000 messages" is the round figure most often cited; the actual count in the version we worked with is 62,138 unique messages across 148 distinct handles and 17 Jabber rooms, after deduplication. Date range: 2020-06-04 through 2022-02-28, with a small number of messages outside that range that appear to be backfilled by the leaker.