Conti ransomware group communication records have been published online by an alleged insider who opposed the group’s support for Russia’s invasion of Ukraine, according to reports.
Researchers at VX-Underground, a group that gathers malware samples and data, learned about the breach from the organisation’s members. The stolen material contains Conti’s Russian-language internal discussion logs in around 400 files. The files date back to January 2021, six months after the group was founded in mid-2020, and hold nearly a year’s worth of messages.
Ransomware experts are already sifting through the data to learn more about the group’s internal workings. Bill Demirkapi, a security researcher, translated the data into English.
The leaker’s message ended with the words, “Glory to Ukraine.”
Conti operates as ransomware-as-a-service (RaaS): affiliates rent access to the group’s infrastructure in order to conduct attacks. Experts say Conti may have links to Russian intelligence.
Reuters reported that, following the Russian invasion of neighbouring Ukraine, Conti claimed in a blog post that it had “full support” for the Russian incursion and promised to retaliate against critical infrastructure if Russia was attacked by cyber or military means. “We will utilise our resources in order to strike back if the well-being and safety of peaceful civilians would be at jeopardy due to American cyber aggression,” the organisation said in a new post, claiming it is not affiliated with any government.
Several firms, including Fat Face and Shutterfly, have been hit by Conti ransomware attacks, as have key infrastructure operators such as emergency dispatch centres and first responder networks. After Conti wiped out the networks of Ireland’s healthcare system in May of last year, the resulting IT outage caused serious delays across the country and cost the government more than 100 million in recovery expenses.
More than 30.1 million has been paid to Conti in ransoms so far, according to Ransomwhere, a crowdsourced tracking site.
Brett Callow, an Emsisoft ransomware expert and threat analyst, said the release was a “major blow” for Conti, not least because its affiliates and other collaborators will have lost faith in the operation. “There is a good chance that they’ll be asking how the operation was infiltrated, if law enforcement was involved, and if there are any breadcrumbs that may lead to them.”
Many RaaS operations, including some located in Russia, have ties to Ukraine. Openly siding with one side or the other risks alienating those with insider knowledge of the operation, Callow said.
Hacktivists and security allies are releasing Conti’s data as part of a broader response to the Kremlin’s invasion, which also includes the formation of Ukraine’s “IT army,” a volunteer effort that targets Russian sites, services, and infrastructure.