Ukrainian Researcher Leaks Conti Ransomware Gang Data
The Leak Will Help Researchers Track and Fight Conti and Its Affiliates
A Ukrainian cybersecurity researcher has released 13 months of sensitive data that came from the internal systems of the Conti ransomware gang, a development that may help in the fight against a prevalent ransomware strain.
The researcher, who had access to Conti's systems, released the data after the notorious ransomware gang expressed support for Russia since its invasion of Ukraine, says Alex Holden, CTO of Hold Security, a consultancy that studies ransomware and cybercrime. The security researcher's name cannot be released.
The data, which is in JSON format, includes Jabber chat logs, bitcoin addresses and negotiations between ransomware victims and the Conti attackers. Much of the data is internal chat between members and affiliates of Conti, including personal details, conflicts and accusations. There are also logs related to TrickBot, a botnet that has been used at times to distribute Conti, Holden says. The data covers the period from January 2021 until earlier this month (see: Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware).
The Conti data is "a must-read for any security professional because it gives you an insight of how ransomware really works," Holden says. VX-Underground, a group of malware researchers, has also vetted the data and shared it publicly.
The leaked data represents nearly the entire time Conti has been in existence, says Allan Liska, a threat intelligence analyst with Recorded Future.
There are around 150 bitcoin addresses, chat handles, IP addresses, control panels and other infrastructure data that will be immensely useful for tracking the gang as well as the affiliates who use its malware, Liska says. Conti is a so-called ransomware-as-a-service group. Affiliates sign up to distribute the ransomware, and the profits from successful attacks are shared.
The data should help law enforcement agencies and researchers trace those affiliates.
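As an illustration of the tracing work described above, here is an added example (not code from the article or from any of the researchers quoted) that pulls the indicator types the leak is said to contain out of a set of chat records: Jabber handles, IPv4 addresses and bitcoin addresses. The record schema ({"ts", "from", "to", "body"}), the handles, the IPs and the sample messages are all constructed for the demo; the real leak's layout is not described on the page. The one piece worth copying is the Base58Check validation of legacy bitcoin addresses, which rejects strings that merely look like addresses by recomputing the double-SHA256 checksum; bech32 addresses are matched by format only.

```python
import hashlib
import json
import re
from typing import Dict, List

# Constructed sample in an assumed schema; not records from the actual leak.
# The second message carries the genesis address with its last character
# altered, so its checksum no longer verifies; the third carries the BIP173
# bech32 test-vector address.
SAMPLE_RECORDS = json.dumps([
    {"ts": "2021-06-03T10:14:00", "from": "op1@jabber.example",
     "to": "affiliate7@jabber.example",
     "body": "payment goes to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, panel is up at 10.20.30.40:8443"},
    {"ts": "2021-06-03T10:16:00", "from": "affiliate7@jabber.example",
     "to": "op1@jabber.example",
     "body": "new wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb, ask admin9@chat.example about 192.168.1.300"},
    {"ts": "2021-06-04T08:02:00", "from": "op1@jabber.example",
     "to": "affiliate7@jabber.example",
     "body": "segwit wallet bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4, fallback host 203.0.113.7"},
])

JID_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Legacy P2PKH/P2SH candidates (prefix 1 or 3, Base58 alphabet); checksum checked below.
LEGACY_BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Bech32 (bc1...) candidates; format only, the bech32 checksum is not verified here.
BECH32_BTC_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in Base58 stands for a leading 0x00 byte that the integer lost.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_btc(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte checksum = 25 bytes,
    where checksum == SHA256(SHA256(version || hash))[:4]."""
    try:
        raw = _b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_indicators(records_json: str) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated indicators found in the chat records."""
    records = json.loads(records_json)
    found = {"jabber": set(), "ipv4": set(), "btc_legacy": set(),
             "btc_bech32_unverified": set(), "btc_rejected": set()}
    for rec in records:
        # Sender and recipient fields are handles by construction of the schema.
        for field in ("from", "to"):
            if rec.get(field):
                found["jabber"].add(rec[field])
        body = rec.get("body", "")
        found["jabber"].update(JID_RE.findall(body))
        for ip in IPV4_RE.findall(body):
            # Drop regex hits with an out-of-range octet (e.g. 192.168.1.300).
            if all(int(o) <= 255 for o in ip.split(".")):
                found["ipv4"].add(ip)
        for cand in LEGACY_BTC_RE.findall(body):
            bucket = "btc_legacy" if is_valid_legacy_btc(cand) else "btc_rejected"
            found[bucket].add(cand)
        found["btc_bech32_unverified"].update(BECH32_BTC_RE.findall(body))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_RECORDS).items():
        print(f"{kind}: {values}")
```

Keeping the rejected candidates in their own bucket is deliberate: a near-miss address in a negotiation transcript is often a transcription error by the actor, and an analyst may still want to review it by hand rather than have the tool silently discard it.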
"A lot of the ransomware groups don't have as good opsec [operational security] as they think they do," Liska says. "There are definitely ways to learn and understand how they're operating and what they're doing."
Leak May Not Stop Conti
Conti is one of the most prevalent types of ransomware. It was developed by a long-running Russian cybercrime group that's known as Wizard Spider, according to CrowdStrike. The group is believed to be responsible for the TrickBot malware/botnet code as well as the Ryuk ransomware and the BazarLoader malware loader.
The Conti group and its affiliates have prolifically attacked hundreds of organizations, including Ireland's Health Service Executive in May 2021. The health service, which did not pay the ransom and called on the country's military to help with recovery, recently said it spent $48 million recovering from the attack. It warned the figure may still rise to $110 million (see: Ransomware Attack: Ireland's Cleanup Costs Hit $48 Million).
Conti is aggressive and antagonizes its victims. If a victim refuses to pay the ransom, the gang slowly leaks the victim's sensitive data on its website. That means that even an organization with good backups and a disaster recovery plan still faces the damage of having its data exposed.
Shouting support for Russia amid the global condemnation of the country's attack on Ukraine was a risky move. On Friday, the Conti gang published a short post on a website it uses to leak the data of organizations it has compromised.
It wrote that it fully supported the Russian government and that if anyone organized a cyberattack against Russia, it would use all of its resources to strike back at the "critical infrastructures of an enemy."
By Monday, that post appeared to have been removed. Another post expressing essentially the same sentiment had been published but with a new addition that tried to temper its position: "We do not ally with any government and we condemn the ongoing war."
The leak means that Conti will likely be in temporary disarray, Liska says. But it may not necessarily drive the gang out of business. Liska says that Conti has recovered from other actions that have affected its operations.
The biggest risk coming from the leak is that affiliates and other cybercriminals may not want to work with a gang that has had its infrastructure infiltrated by cybersecurity researchers.
The real impact may be if "threat actors will lose trust in them," Liska says.
The leak will make it difficult for Conti to continue, says Brett Callow, a threat analyst with Emsisoft, a security company headquartered in New Zealand that helps organizations recover from ransomware.
"I’ll be surprised if Conti recovers from this," Callow says. "The leak is devastating for them and, potentially, for anybody connected to them. Affiliates will be wondering how long the operation was compromised for and whether any information was obtained that points to them."