War is hell, and attacks can come quickly and out of nowhere, as the Conti ransomware gang has learned. Only days after making a public pledge of support for the Russian government as it invades Ukraine, the group has experienced a data leak of tens of thousands of its internal chat messages.
The data leak is courtesy of a Ukrainian security researcher and is apparently a considerable chunk of the Conti ransomware gang’s internal communications (though not all of them). The breach provides the public with evidence of numerous criminal operations and the researcher has said that there is “more to come.”
Conti ransomware gang exposed after threatening “retaliation” for cyber attacks on Russia
It was just about a week ago that the Conti ransomware group posted a dark web message indicating that it wanted to participate in the Ukraine war as a defensive cyber measure. The group threatened to attack Western targets in response to any cyber attacks on the Russian government or on the country’s critical infrastructure.
However, while Conti may be based in Russia, their “ransomware-as-a-service” clients range all over Eastern Europe. Some of them, especially those located in Ukraine, did not particularly appreciate the group’s sudden registration as a Russia-aligned mercenary brigade. Conti quickly backpedaled on their full-throated original statement, taking a more neutral stance and backing off some from the promise of cyber retaliation.
That didn’t make a difference to at least one Ukrainian security researcher, who appears to have access to the group’s Jabber communication system. The researcher’s data leak included over 60,000 of the group’s internal messages. The authenticity of the messages was confirmed by independent researchers, who spotted matches with previously circulating Conti messages that followed the group’s December 2021 attack on Shutterfly. KrebsOnSecurity also notes that gaps in the messages correspond with periods in which Conti was under heavy fire from law enforcement operations.
The data leak compromised an XMPP chat server used by the group that held 60,694 messages logged since January 21, 2021. These are most likely all of the group’s chat messages from that date onward, but the Conti ransomware group has been in business since at least July 2020, and older messages were not captured.
Experts who have reviewed the files say that they contain explicit information about the group’s crimes, private URLs containing data leaks from their attacks, and hundreds of bitcoin addresses that contain a total of $13 million in ransom payments. Information was also found about previously unknown victims of the Conti ransomware. All of this is now publicly available to law enforcement and security researchers, likely striking a serious blow to the group’s operations. The files have been translated into English by security researcher Bill Demirkapi.
Data leak provides valuable insights; Conti ransomware group may scatter and reform
Security researchers are still poring through the data leak, but some particularly interesting nuggets have already been unearthed. One is an internal confirmation from the group that the TrickBot botnet is offline and that several of its members had defected to Conti. While TrickBot had greatly slowed down toward the end of 2021, it was one of the most persistent and troublesome botnets for several years prior and managed to survive more than one law enforcement operation against it.
The Conti ransomware gang also apparently tried to trick security firms, such as Sophos and CarbonBlack, into doing demos for them as a means of scouting their tools. The hackers put together shell companies for this purpose, but it is not clear how successful they were.
Messages that begin in October 2021 also indicate that Conti had sources in Russian law enforcement that provided insider tips about investigations, though at the time it appears that the country’s officials were more interested in tracking down REvil.
Aaron Sandeen, CEO of Cyber Security Works, points out some of the other interesting bits that have been discovered: “What’s fascinating about these leaked chats is that they seem to be struggling with the same challenges (turnover, attrition) that any other legitimate company would … Conti uses 17 vulnerabilities that exist in products such as Microsoft, Adobe, Apache Log4j to launch their attacks. They were quick to weaponize Log4j vulnerabilities even as organizations around the world scrambled to patch their digital environment. It is possible that these leaks could cause Conti to temporarily disappear then reemerge as a new group. Ryuk disappeared after successfully targeting 67.3 million targets in 2020. There have been persistent rumors that they rebranded themselves as Conti.”
The Conti data leak highlights something of a civil war in the black market hacking community, which is centered to a great degree on Eastern Europe. Ransomware groups and other known criminals are taking sides on both ends of the conflict, with some already launching attacks. Others are mirroring the trend of international companies pulling their products out of Russia; for example, underground forum Raidforums has taken a pro-Ukraine stance and is blocking connections from users in Russia. Ukraine’s Defense Ministry has openly called for hackers around the globe to assist with the country’s cyber defenses, a call that has been answered by the collective Anonymous as well as numerous other individual actors.
The Russian invasion has thus far stuck largely to conventional warfare, but action may be ramping up as the country has announced it will be withdrawing from the global internet as of March 11. This is a capability that the country has tested several times in recent years, most recently in June and July of last year.