Ransomware group Conti, which recently announced its allegiance with Vladimir Putin, is paying a high price for siding with Russia. An insider continues leaking sensitive Conti data, including internal chats, TrickBot source code, and even unmasking its members.
On Monday, more than a year’s worth of private data belonging to the Conti gang was publicly released.
A pro-Ukrainian Conti insider has set up a Twitter account named Conti leaks and continues to expose the ransomware gang, which proved to be a nightmare for many of its victims, including Ireland's HSE, Volkswagen Group, several US cities, counties, and school districts.
“Here is a friendly heads up that the Conti gang has just lost all their s**t,” reads a message accompanying a link to the leaked data. The first batch of leaked data contains chat communications of the Conti ransomware gang.
On Friday, the Conti group, believed to be based in Saint Petersburg, Russia's second-largest city, announced its "full support" for Vladimir Putin. "If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy," the Conti blog post reads [original wording and punctuation are kept.]
The identity of the Ukrainian supporter behind the leaks is unknown both to the public and to the Conti ransomware gang itself. It might be an activist who infiltrated the group, or a former Conti cybercriminal who has now switched sides.
“There are more dumps coming, stay tuned. [...] Glory to Ukraine,” the message said.
And he kept his promise. The Conti leaks account on Twitter continues to expose the ransomware gang. New dumps include the group's internal chats, the source code of the TrickBot malware, and login details for what appears to be an Emotet server. The Emotet banking trojan recently came back from the dead, a year after an international law enforcement operation disrupted the botnet.
The leaks also unmask one of the developers working for Conti. As researchers work their way through the information, and more data keeps coming in, we can expect more identities of the ransomware gang's members to be exposed and, potentially, its activities to be disrupted.
Conti started operating in late 2019, and it runs the Conti.News data leak site. The group gains initial access through stolen RDP credentials and phishing emails with malicious attachments.
Experts believe that Conti's attacks resemble tactics seen in nation-state attacks. The group also relies on human-operated intrusions rather than the increasingly popular automated ones. Conti attempts to find a buyer for stolen data before posting it on its leak site.
Ireland's HSE, Volkswagen Group, and several US cities, counties, and school districts were affected by Conti. Conti has been observed to remain inside victims' networks for anywhere from a few days to several weeks before actually launching the ransomware.
The group is believed to be based in Saint Petersburg, Russia's second-largest city. It is also speculated that the people behind Conti used to run another prominent ransomware cartel, Ryuk.
The group has been particularly active recently, with the FBI and CISA issuing a warning about more than 400 Conti ransomware attacks aimed at stealing sensitive data.
As with many modern extortion gangs, Conti offers a Ransomware-as-a-Service (RaaS) package, selling its malware to affiliates. The core team takes 20-30% of each ransom payment, while the affiliates keep the rest of the loot.