Inside the Conti leaks rattling the cybercrime underground

Leaked internal message traffic makes the ruthless Conti ransomware gang look like any other struggling agile software startup — complete with millennial buzzwords and complaints about pay and working conditions. But the data dump puts the Conti group at the center of a geopolitical earthquake that’s shaking the foundations of the Russian-speaking cybercrime underworld, with unpredictable results.

Late last month, an anonymous Twitter account, @ContiLeaks, began airing the dirty laundry of the Conti ransomware gang in an embarrassingly public fashion: Dumping a year’s worth of internal message traffic from the group’s Jabber server.

The dumps, which continued for days and featured hundreds of thousands of messages exchanged using the open-source messaging system, included a separate message cache from the Rocket Chat server used by the gang’s technical teams. There were also smaller troves of Jabber messages dated after the original dump, indicating that even when Conti system administrators knew about the leak, they were unable to kick the eavesdropper out.

“It’s a goldmine” for law enforcement agencies and cybersecurity researchers, Canada-based threat analyst Brett Callow told README. He said the leaks offer “a completely unprecedented level of detailed insight into the day to day operations of a very successful cybercrime group.”

Callow, who works for New Zealand cybersecurity outfit Emsisoft, has been poring over the dumps, which also include source code for and screenshots of the gang’s command-and-control admin dashboard. That’s the backend software through which Conti members control the eponymous malware they distribute through a network of affiliates, who in turn hack into company systems to install it and share in any payouts under a Ransomware-as-a-Service (RaaS) criminal business model.

The trove contains hundreds of different Bitcoin wallet addresses and numerous indicators of compromise, according to Evelyn French, a senior analyst with Flashpoint who also has been reviewing the dumps. “You can dump hundreds and hundreds of different URLs out of the chat logs, you can just go through them [searching] for CVEs — and that will give you an idea of the vulnerabilities they are interested in,” she said.
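The triage workflow French describes above, as an added Python example that is not from the article or from any of the analysts quoted. It walks a constructed chat log in a JSON-lines shape (the record fields, the handles, the fictional CVE identifiers, the sample URLs and the "could not be decrypted" marker are all assumptions made for this demo, not the real dump format), tallies CVE identifiers and URLs, counts messages whose body is unreadable, and promotes a Bitcoin address to an indicator only if it passes the Base58Check checksum, so that random base58-looking tokens are not mistaken for wallets.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed sample log (assumed JSON-lines shape; not the real dump format).
# The handles, CVE IDs, URLs and the unreadable-message marker are made up.
# The first wallet is the well-known Bitcoin genesis address; the second is
# the same string with its last character changed, i.e. a typo.
SAMPLE_LOG = r'''
{"ts": "2021-07-05T10:12:44", "from": "user_a", "to": "user_b", "body": "take a look at CVE-2021-12345, writeup at https://example.com/notes/a"}
{"ts": "2021-07-05T10:13:02", "from": "user_b", "to": "user_a", "body": "seen it, https://example.com/notes/a and also CVE-2020-98765 (cve-2021-12345 again)"}
{"ts": "2021-07-05T10:15:30", "from": "user_b", "to": "user_a", "body": "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, the old one 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb is a typo"}
{"ts": "2021-07-05T10:16:01", "from": "user_a", "to": "user_b", "body": "[OTR message could not be decrypted]"}
'''

# Substrings that mark a body whose plaintext did not survive (assumed marker).
UNREADABLE_MARKERS = ("could not be decrypted",)

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Legacy (P2PKH/P2SH) address shape; the checksum below does the real filtering.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_ok(addr):
    """True if addr decodes to 25 bytes whose trailing 4 bytes equal the
    first 4 bytes of sha256(sha256(version + payload)), i.e. Base58Check."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return False
        n = n * 58 + i
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def parse_records(text):
    """Yield one dict per non-empty JSON line, skipping lines that fail to parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def extract_indicators(text):
    """Tally CVE IDs, URLs and checksum-valid wallets across all readable bodies."""
    result = {
        "messages": 0,
        "unreadable": 0,
        "cve": Counter(),
        "url": Counter(),
        "btc": Counter(),
        "btc_rejected": Counter(),  # looked like an address but failed Base58Check
    }
    for rec in parse_records(text):
        result["messages"] += 1
        body = rec.get("body", "")
        if any(marker in body for marker in UNREADABLE_MARKERS):
            result["unreadable"] += 1
            continue
        for cve in CVE_RE.findall(body):
            result["cve"][cve.upper()] += 1
        for url in URL_RE.findall(body):
            result["url"][url.rstrip(".,;)")] += 1
        for addr in BTC_RE.findall(body):
            bucket = "btc" if b58check_ok(addr) else "btc_rejected"
            result[bucket][addr] += 1
    return result


if __name__ == "__main__":
    summary = extract_indicators(SAMPLE_LOG)
    print(f"{summary['messages']} messages, {summary['unreadable']} unreadable")
    for kind in ("cve", "url", "btc", "btc_rejected"):
        for value, count in summary[kind].most_common():
            print(f"{kind:12s} {count:3d}  {value}")
```

On a real dump the regexes are only the first pass: the CVE tally answers French's "which vulnerabilities are they interested in" question, while the checksum step matters because a chat log full of hashes and session tokens produces many base58-shaped strings that are not wallets. Counting unreadable bodies separately records how much of the traffic an analyst cannot assess at all.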

CISA has updated its September 2021 Conti advisory twice to reflect new material from the dumps.

“As the information in these dumps is correlated and combined with other information [in the hands of law enforcement and security researchers], it will probably be possible to identify individuals and certainly infrastructure,” Callow said.

Indeed, some researchers have already begun that work of identifying Conti gang leaders. A new anonymous Twitter account — @TrickBotLeaks, any relation to @ContiLeaks unclear — last week began doxing some of the individuals featured in the message logs, tweeting out their names, photographs and pictures of identity documents. The account was swiftly suspended, but other researchers have taken up the task.

“It’s the most valuable data dump ever about ransomware,” Callow concluded.

Conti scrambles to respond

Some researchers predicted Conti’s imminent demise. But that hasn’t happened so far.

On March 2, four days after the leaks began, a Conti user with the handle Tort reported to Mango — a mid-level manager active in the Jabber chat — “Hi, I deleted all VM [virtual machine] servers, cleaned up discs and shut down servers.”

After three minutes without a reply, Tort messaged another user: “Hi, how are things with us? I deleted all the VMs and turned off the servers. Do you need my backup [files]?”

As hurriedly as they tore down their compromised infrastructure, members of the gang were able to stand up new servers elsewhere and by this week were already successfully attacking new victims, according to security researchers cited by CyberScoop on Tuesday. The next day, BleepingComputer reported that, since the beginning of March, more than two dozen new victim companies had been added to the ContiNews website, where the gang exposes companies that refuse to pay to have their data decrypted. Organizations that don’t succumb to this intimidation often find their stolen data posted there as well, allowing Conti to double-dip its extortion: Victims must pay full price for the key to decrypt their data, but even if they don’t need it, many pay a smaller fee so Conti won’t publicly expose their files.

The gang’s resiliency should not come as a surprise. Blockchain analytics company Chainalysis pegged Conti’s revenue last year at $180 million. But Chainalysis reached that number by tracking cryptocurrency payments from companies that publicly disclosed they’d been attacked, so it’s almost certainly on the low side. The dumped logs contain multiple references to U.S. companies that have never acknowledged being attacked, let alone paying a ransom.

Moreover, the logs show Conti is in many ways a highly professionalized and efficient operation. The group has survived a previous data dump. It was also able to reconstitute its infrastructure once before after it was destroyed by U.S. Cyber Command in fall 2020, as cybersecurity journalist Brian Krebs reported.

The logs reveal remarkable details about Conti’s makeup: its size (62 people in a single team, one of five or six in the whole organization); the fact that it has several physical offices; its constant struggle to recruit and retain talent; its overhead burn rate ($6 million a year, according to one estimate); and its tactics, techniques and procedures.

The leaks also reveal the human side of an otherwise inhumane organization: The HR manager who warns their boss they may be offline for up to three days owing to flooding and begs not to have his pay docked for it; the team leader who asks for time off to recover from COVID.

A schism in the cyber underworld

Dramatic and revealing as the leaks are, they’re just a symptom of a larger earthquake that’s “shaking the very foundations of the Russian-speaking criminal underground,” according to Adam Darrah, director of intelligence services for ZeroFox.

Darrah, a fluent Russian speaker and former U.S. government intelligence analyst, said the unfolding war in Ukraine is essential context for understanding the leaks’ significance.

Three days before the leaks began and just 24 hours after Russian tanks rolled into Ukraine, Conti posted an extraordinary message on the public board it uses to post stolen data.

“The Conti Team is officially announcing a full support of [the] Russian government,” it stated. “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”

To many observers, it amounted to a declaration of war.

“We’re seeing people choosing sides, which is very uncommon in the criminal underground,” Darrah said.

Other ransomware operators in the Commonwealth of Independent States or CIS, an international association for the nations that formerly made up the USSR, followed suit: Some declaring for Russia, others staying silent and many — like the Lockbit gang — declaring neutrality.

The logo of the Commonwealth of Independent States. Nicolas Raymond/Flickr

“For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work,” Lockbit wrote in a message translated into eight different languages.

Flashpoint analysts, monitoring message traffic on cyber crime forums, had seen Lockbit affiliates trying to poach Conti loyalists away, using neutrality as a selling point, according to French.

Within hours, Conti took down its original post, replacing it with a less overtly pro-Russian statement: “We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression,” the new version read.

Darrah said he believes the group’s leaders either realized or were told that their initial declaration effectively made them combatants — participants in a war who could be legally targeted with lethal force. “Either they were told to walk it back, or they figured it out on their own, [realizing they’d] just declared that they’re going to attack U.S. infrastructure as part of a Russian military campaign, which technically makes them an in-bounds target of the United States military,” he said.

Either way, the damage had already been done. Two days later, a new Twitter account, @ContiLeaks began posting and emailing links to the first Jabber dump, signing off their initial announcement, “Glory to Ukraine!”

Sweeping away the old rules

For two decades or more, the Russian-speaking criminal underground has flourished, based on what Darrah called “an unwritten agreement” that the gangs don’t target victims in CIS countries. In return, law enforcement turns a blind eye to their activities. Under those tacit rules, “if you live in Kazakhstan, you can’t try to hack [IT networks in] Belarus,” he said. “If you live in Russia, you can’t develop a tool that’s aimed at Ukraine and vice versa.”

Even in former CIS nations that — like Ukraine after 2014 — moved to align with the West, authorities often lacked the capacity to investigate and prosecute cybercrime, concentrating resources on criminals victimizing their own citizens over those robbing faceless American corporations.

There was one other element to this culture, Darrah added, at least for the gangs based in Russia proper: Informal links to the Russian intelligence services, lubricated on the one hand with occasional bribes and on the other with a blind eye toward cybercriminal activity.

This benign neglect allowed for an extraordinarily complex ecosystem to flourish, Darrah said. The ContiLeaks messages show at least six different teams were part of the gang’s core operations. And then there are the affiliates, associated crimeware operations like TrickBot and Ryuk, and various facilitators, hangers-on and fixers, all operating in a highly distributed environment with very little knowledge about each other. The message logs, for instance, include several exchanges that make it obvious the conversants don’t know where their opposite numbers are located.

When Mango, the mid-level manager, looked for help for a developer called Zula to move money from the U.S. into Russia without paying the hefty commissions charged by middlemen, he approached a user called Vampire for advice.

“I haven’t been in Russia for five years,” Vampire replied, adding, “I’ll help you leave if needed.”

The deep interconnections among cybercrime operators mirrored an above-ground set of relationships tying together citizens and businesses of current and former CIS states. Nowhere was this more true than between Russia and Ukraine, at least until 2014, when Russia invaded and annexed the Ukrainian region of Crimea.

“These two nations are really close,” said Darrah of Ukraine and Russia. “It’s not an accident that [the potential schism between Russian and Ukrainian cybercriminals] was completely lost on Conti. It never would have crossed their minds in normal times that there was any difference between a Ukrainian hacker and a Russian hacker.”

Underlining that point, the Justice Department this week announced the extradition and arraignment of Yaroslav Vasinskyi, an alleged member of the Sodinokibi/REvil ransomware gang. The agency’s wordy description of Vasinskyi illustrates the multinational nature of this criminal underground.

“Vasinskyi, a Ukrainian national with ties to a ransomware group linked to Russia-based actors, was taken into custody in Poland,” DOJ declared.

Justice Department headquarters in Washington, D.C. M.V. Jantzen/Flickr

But now, Darrah said, both that informal agreement and the ecosystem it had allowed to flourish have been undermined by war. “What we’re seeing is that those rules, that stability, the premise on which all these criminal enterprises are built upon, is crumbling,” he said. “It’s going to be very muddy and interesting.”

Ian McGinley, a former federal prosecutor in Manhattan who specialized in complex cyber cases, compares the upheaval the Ukraine war has provoked to the internecine conflicts within traditional criminal groups, like the mafia.

He said the Conti leaks offer “a huge opportunity for law enforcement… to get insight into the inner workings” of a closed criminal group.

Vitali Kremez, the CEO of threat intelligence firm Advintel, has said he knows the leaker’s identity and that they are a researcher, not a turncoat affiliate. But he has not explained how he knows the leaker or how they got hold of the Conti data dumps in the first place. Kremez didn’t immediately respond to questions sent by email.

“They’re just like us”

The provenance of the dumps is important, researchers said. Without knowing where the data came from and how it came to be released, it’s impossible to know how likely it is to have been tampered with — perhaps to direct law enforcement attention to chosen scapegoats, rather than the real kingpins.

“Unfortunately, even if we’re convinced these are genuine, there’s no way to tell whether they’ve been edited or even had material added,” Callow said. Besides, he added, they are criminals who probably routinely lie to and cheat one another, “so it’s hard to take any of the specifics at face value.”

Tens of thousands of the messages appear to have been sent using some kind of encryption — possibly Jabber end-to-end encryption such as Off-The-Record (OTR) — and thus, though the sender, receiver and timestamp are preserved, the text of the message is replaced with an error message.

Darrah said he is less interested in specific details in the message dumps, which he called “banal bad guy chats,” but he acknowledged that there is a great deal to be learned from the leaks overall — not least about the culture of a successful ransomware gang.

“It should really enlighten all of us [cybersecurity] researchers, because the culture of these underground communities of people … what we’re gonna find is: Oh, my goodness! They’re not these alien beings from another galaxy. We are just like them. They are just like us,” he said.

For instance, Darrah said, there is a millennial quality to some of the chats. “Done bro,” says Mango, after a user called Stakan asks for a favor, “Yeah, thnx bro,” Stakan replies.

“My guess would be, they are mostly in their mid/late 20s. Overwhelmingly male,” said Darrah. “They’re very unfiltered and very raw and very uncouth in their everyday language.”

Attacking the healthcare sector

One of the most notorious attacks using Conti targeted Ireland’s socialized national health provider, the Health Service Executive, in May 2021. In addition to the headquarters networks of HSE, the hackers, who were members of a Conti affiliate that security researchers dubbed Wizard Spider, pivoted to at least seven individual hospital networks, according to a candid after-action report issued in December by auditors PwC.

A spokesman for An Garda Síochána, the Irish national police, declined to directly address a question about whether they were mining the data dump to aid in their investigation.

“An Garda Síochána, with international partners, are pursuing every avenue available in investigating those responsible for the Ransomware attack on the HSE,” Seán Mac Seoin told README via email.

Parked ambulances are pictured in Ireland. Greg Clarke/Flickr

The healthcare threat wasn’t confined to Ireland: Last May, the FBI issued a public warning saying it had identified 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks. At the time, the bureau said there were more than 400 Conti victims worldwide, 290-plus of them in the U.S.

The attack on the HSE apparently led to questions from Conti gang members. A week later on May 21, a user with the handle Alter broadcast a message denying involvement. “None of those present here have anything to do with this attack, we DO NOT attack public resources, hospitals, airports and anything like that, and we will not,” Alter wrote.

Other chats appear to show that at least some managers adhered to this policy. On June 16, a manager called Reshaev told a user with the handle Pin that they were not going to attack a target he had infiltrated because of the ban. When Pin countered that the network belonged to a sports clinic, Reshaev replied, “But we decided not to touch the healthcare sector at all, even like that, so let’s avoid them now.”

But the ban apparently wasn’t upheld universally. On October 25, Reshaev bluntly asked Stern — described by other users as “the big boss” and clearly the most senior manager in the chats — if he approved a ransomware attack against a hospital by an affiliate called Dollar. “Did you give the green light to the hospital lock to Dollar?” He didn’t appear to receive a reply and the following day, Reshaev asked again.

“I usually don’t approve locks,” replied Stern. Several hours later he sent Dollar an encrypted note. Dollar responded with a series of numbers and sums apparently calculating a 20 percent share of something.

Stern didn’t seem to trust his colleagues. When Zula was looking for ways to move a relatively small amount of money from the U.S. to Russia without paying commissions, he asked Stern for help. Stern suggested asking Mango, but when Zula asked if Mango could be trusted, Stern replied, “I guarantee he won’t [cheat] you [in any transaction] up to 60k” — a sum just a little higher than Mango’s $54k monthly Conti salary.

Follow the money

The chats contain thousands of messages about payments of various kinds, mostly salaries and expense reimbursements. Some staffers are paid as little as $1,000 a month, and managers regularly fine or dock team members for being absent or for shoddy work.

In January 2022, a manager called Frances broadcast a message to all the technical staff in the Rocket Chat: “Friends! I’ve noticed lately a sad trend among some of our colleagues,” he wrote, complaining that people only show up to get paid. “So,” he continued, “Your next salary depends on my good mood and your [being] online,” imposing a three-hour deadline to respond to any messages. Two failures “and we say goodbye.”

Austin Turecek, another senior analyst at Flashpoint, observed that many users complained their working hours were long and at times inflexible.

In September, for example, a middle manager called Van messaged his supervisor: “Hello. I got sick. Covid.” Van said he worked for three days through a fever — “everyone needs crypts” — but now he needed time off. “I will write on Monday,” he promised, finishing, “Kindly write to Franz and Bentley. Collin still needs to be informed. Thanks.”

In another message to Stern, middle manager Mango listed the monthly costs of salaries and expenses for his team of 62, totalling $164.8k a month. Using this and other data in the dump, Rapid7 analysts estimate Conti’s annual bill for wages and expenses is about $6 million.

What would be the venture capital valuation of a Silicon Valley startup with global reach, annual revenue of $180 million, almost triple-digit year-over-year growth and an annual burn rate of $6 million?

The looming cybercrime crisis

In the immediate future, the Conti leaks could usher in a cybercrime “downtick,” said Marcus Fowler, senior vice president for strategic engagements and threats at Darktrace. As the war in Ukraine unfolds, groups that have declared themselves neutral or stayed silent may wait on the sidelines until they can assess the new geopolitical landscape.

“Imagine if the Colonial Pipeline attack — and remember, they didn’t plan to shut down the pipeline, they just wanted the money — imagine that had happened just as the tanks were rolling in [to Ukraine],” said Fowler, who ran cyber operations for the CIA for 15 years. “What would that have looked like? What reaction would it have provoked?”

He said he expects cybercrime gangs will exercise prudent caution to avoid becoming collateral damage in any developing cyber conflict.

“Some of these groups will pause. They might go on holiday. They might work on their code,” said Fowler. “Remember, these guys are all about the money. They don’t want to get swept into a war. They don’t want the global spotlight on them.”

But in the longer term, other analysts believe the cybercrime problem will only get worse.

“The current pace of Western businesses exodus including technology companies will leave many IT talents in Russia without a legitimate income,” noted tech industry threat intelligence analyst Ondra Rojčík. Other experts pointed out it may take months for these effects to work themselves through the economy and produce more fully onboarded worker bees for crime hives like Conti.

Rojčík also predicted that the growing isolation of the Russian economy due to Western sanctions could “in the worst case lead to the North Korean scenario [where we’ll] see a growth of state sponsored attacks including financially motivated [ones] as other economic options [for the Kremlin] will be drying out.”

In some scenarios, Ukraine itself will become a less governed state, if not a completely ungoverned one, at least for the duration of the conflict. This could make the country, which has long had a large cyber underworld, a haven for cybercriminals. The Russian-occupied region of Donbas has reportedly already become such a haven.

For the time being, Conti looks to have weathered the storm. In its latest update to its advisory about the gang, CISA notes that members of the cybercriminal gang “remain active” and that the number of reported global victims has more than doubled since the FBI warning in May, to more than 1,000.