Tech

Pro-Russia Conti Ransomware Gang Targeted, Internal Chats Leaked

"Glory to Ukraine!" a message from the leaker reads.
Kiev
Image: Chris McGrath/Staff
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Someone has targeted the Conti ransomware group, a likely Russian-led hacking gang, and leaked a treasure trove of internal chat messages belonging to the group’s members.

The leak comes just days after Conti warned it would retaliate if U.S. or Western powers hacked critical infrastructure in Russia or Russian-speaking parts of the world. The leak is also part of a wave of activity from the digital underground with hackers targeting various other Russian-aligned targets.

Advertisement

“The contents of the first dump contain the chat communications (current, as of today and going to the past) of the Conti Ransomware gang,” a message from the leaker and shared on Twitter by malware research group vx-underground reads. “We promise it is very interesting.”

Some researchers who’ve been digging through the released chat logs agree.

“There is some extremely valuable information in the logs,” Bill Demirkapi, a security researcher who said they examined the data, told Motherboard in an online chat. While many of the released chat messages are in Russian, Demirkapi said he processed the data in bulk with the Google Translate API and released a translated version for others to download.

Do you have any more information on hacks happening during the Russian invasion of Ukraine? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

“Obviously the logs came out very recently, so I have not gone through all of it, but in my professional opinion I do believe they are authentic,” Demirkapi said.

Demirkapi said the leak included screenshots of internal Conti tools, access to servers hosting stolen data, and discussions around the potential purchase of specific exploits. One message included someone offering to sell a zero-day exploit impacting certain Windows systems for $60,000.

Advertisement

“From what I've read so far, the logs shine light into the internal workings of the Conti ransomware group, such as their technical infrastructure and how they operate together,” Demirkapi added.

Conti, like many other ransomware groups, is based on an affiliate system, where a core group of people make and develop the malware, while those who deploy or otherwise use it may be based elsewhere. In Conti’s case, the main group is likely based in Russia, while their affiliates are around the world, with a number of affiliates known to be based in Ukraine, Allan Liska, an intelligence analyst at cybersecurity firm Recorded Future, told Motherboard in an online chat. 

“Whoever released the data clearly was part of Conti’s inner circle, whether it was an affiliate or a security researcher who had managed to socially engineer their way in I am not sure,” he said. Liska mentioned the leak also included “links to Conti’s admin panels, some potential targets, and Bitcoin wallets.”

Like many other groups, Conti often publicly releases data stolen from victims to try to blackmail them further into paying a ransom. Last year, the group apologized to Arab royal families after it released thousands of files stolen from the UK jewelry store Graff. The data included files belonging to David Beckham, Donald Trump, and Oprah Winfrey. After Conti released the data, the group realized it also contained information belonging to the UAE, Qatar, and Saudi royal families. The group then issued the apology. 

Recently Conti took control over the widespread Trickbot malware. Earlier this month, Wired published an investigation based on messages stolen from inside the Trickbot group itself.  

“Glory to Ukraine!” the message announcing the leak adds.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.