The ransomware landscape is a complex web of criminal enterprises, where connections between different groups often remain hidden beneath layers of operational security and misdirection. Recent analysis of ransom negotiations has revealed surprising early links between two major ransomware operations that predate previously known connections by more than a year.
The Known Connection
The cybersecurity community has long understood that a Conti affiliate made the transition to QuantumLocker in spring 2022. In May 2022, Microsoft's threat intelligence teams published research identifying a prolific threat actor designated DEV-0230, described as one of Conti's most active affiliates and allegedly responsible for creating the group's training materials. Following Conti's controversial pro-Russian stance during the Ukraine invasion—which marked the beginning of the end for the criminal enterprise—DEV-0230 reportedly shifted operations to QuantumLocker starting April 23, 2022.
According to the late Vitali Kremez, founder of AdvIntel, DEV-0230 actually represented part of Conti's Team 2. While Team 3 disappeared during the group's implosion, the historic Team 1, heir to Ryuk operations, spawned new criminal brands including Black Basta, Karakurt, and Blackbyte.
The Ransomware Evolution
The technical lineage tells an interesting story. QuantumLocker emerged in July 2021 as the successor to MountLocker, which had launched in September 2020 (though BlackBerry research suggests July 2020). Between these two operations, the criminal actors also deployed Astro Locker (March 2021) and Xing Locker (May 2021), creating a clear evolutionary path of ransomware variants.
Breakthrough Analysis: What the Chat Logs Revealed
One of the first significant insights from the study of ransom chat negotiations, first released in May 2023, is a discovery that pushes the timeline of Conti-MountLocker connections back by more than a year.
Stylometric analysis of these conversations has revealed evidence suggesting that a Conti-linked actor was already involved in MountLocker cyberattacks as early as autumn 2020.
Calvin So, a threat intelligence analyst, applied stylometric techniques to analyze communication patterns across different ransomware negotiations. His initial research had already identified migration patterns between BlackMatter and Hive operations by examining linguistic fingerprints in victim-criminal exchanges.
For his second round of analysis, So gained access to previously unpublished negotiations involving REvil, Conti, and MountLocker before they became publicly available. The results were startling.
The October 2020 Discovery
The breakthrough came from analyzing a conversation that began in October 2020 following a MountLocker cyberattack. So's stylometric analysis revealed an unexpectedly high level of similarity with Conti negotiations occurring during the same period. These weren't merely similar communication styles—closer examination revealed clear copy-and-paste patterns following identical scripts.
The evidence shows recurring language elements from Conti operations extending well beyond autumn 2020, though MountLocker negotiation examples remain much rarer than those associated with Conti. Despite the limited sample size, the similarities strongly support the existence of a durable relationship between a Conti subgroup and the MountLocker franchise, established much earlier than previously documented.
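To make the method concrete, here is an added example of the kind of stylometric comparison described above. It is not code from the article or from Calvin So's research; it uses a generic character n-gram cosine similarity plus a verbatim shared-phrase finder (the copy-and-paste signal), and the three operator-side transcripts are constructed sample text, not quotes from any real negotiation.

```python
"""Stylometric comparison of ransom-negotiation transcripts (added example).

Two complementary signals:
  1. character n-gram cosine similarity: a soft "same writer / same style" score
  2. shared verbatim phrases: the hard "same script, pasted" evidence

The transcripts below are constructed for illustration only.
"""
from collections import Counter
import math
import re

# Constructed sample transcripts (operator side). Invented text, not real chats.
TRANSCRIPTS = {
    "conti_oct2020": (
        "Hello. Your network has been encrypted and your files have been downloaded. "
        "We are ready to provide a decryptor and delete your data after payment. "
        "The price for your company is 1.5 million. We can give a small discount "
        "if you pay fast. We are waiting for your answer."
    ),
    "mountlocker_oct2020": (
        "Hello. Your network has been encrypted and your files have been downloaded. "
        "We are ready to provide a decryptor and delete your data after payment. "
        "Your price is 900k. Discount is possible if you decide quickly. "
        "We are waiting for your answer."
    ),
    "unrelated_group": (
        "Good day to you. This is the support desk. All workstations in the domain "
        "were locked by our software. Kindly contact the technical team via this "
        "portal to discuss the recovery fee. Please do not attempt to restore from "
        "backups as they were also processed."
    ),
}


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so formatting noise does not dominate."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def ngram_profile(text: str, n: int = 4) -> Counter:
    """Character n-gram frequency profile, a standard stylometric feature vector."""
    t = normalize(text)
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def cosine_similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse frequency vectors, in [0.0, 1.0]."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def shared_phrases(text_a: str, text_b: str, min_words: int = 6) -> list:
    """Verbatim word runs of at least min_words that occur in both texts.

    Long identical runs are the copy-and-paste signal: operators can share a
    style without sharing exact sentences, but identical sentences point to a
    shared script. Each run is extended while consecutive windows keep matching.
    """
    wa = normalize(text_a).split()
    wb = normalize(text_b).split()
    windows_b = {tuple(wb[i:i + min_words]) for i in range(len(wb) - min_words + 1)}
    found = []
    i = 0
    while i <= len(wa) - min_words:
        if tuple(wa[i:i + min_words]) in windows_b:
            j = i + min_words
            while j < len(wa) and tuple(wa[j - min_words + 1:j + 1]) in windows_b:
                j += 1
            found.append(" ".join(wa[i:j]))
            i = j
        else:
            i += 1
    return found


def attribution_report(target: str, transcripts: dict, n: int = 4, min_words: int = 6) -> list:
    """Rank every other transcript against `target` by (cosine, shared-phrase count).

    Returns a list of (name, cosine, phrase_count) tuples, highest cosine first.
    """
    base = ngram_profile(transcripts[target], n)
    rows = []
    for name, text in transcripts.items():
        if name == target:
            continue
        score = cosine_similarity(base, ngram_profile(text, n))
        phrases = shared_phrases(transcripts[target], text, min_words)
        rows.append((name, round(score, 3), len(phrases)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, count in attribution_report("conti_oct2020", TRANSCRIPTS):
        print(f"{name:22s} cosine={score:.3f} shared_phrases={count}")
    for p in shared_phrases(TRANSCRIPTS["conti_oct2020"], TRANSCRIPTS["mountlocker_oct2020"]):
        print("SHARED:", p)
```

The cosine score alone only says two transcripts look alike; the shared-phrase list is what separates "similar house style" from the identical-script reuse the article describes. On real data, pair this with the time window (compare negotiations from the same months, as the analysis above did) and treat a high score from a small sample as a lead to corroborate with infrastructure or tooling overlap, not as attribution on its own.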
Implications for Threat Intelligence
The discovery that Conti actors were potentially operating MountLocker campaigns in late 2020—more than 18 months before the known DEV-0230 transition to QuantumLocker—suggests that the criminal ecosystem was more fluid and murky than previously understood.
The research demonstrates the value of analyzing ransom chat communications as a source of threat intelligence. By examining the linguistic patterns and operational procedures revealed in these negotiations, security researchers can map previously unknown connections between criminal groups and better understand the evolution of ransomware-as-a-service operations.
The MountLocker-Conti connection serves as a reminder that in the world of cybercrime, appearances can be deceiving, and the true extent of criminal collaboration often remains hidden until careful analysis brings it to light.