Conti Chats Leaked After Ransomware Gang Expresses Support for Russia

Hundreds of files storing tens of thousands of messages exchanged between Conti ransomware operators have been leaked online after the cybercrime group expressed support for Russia as it launched an invasion of Ukraine last week.

Shortly after Russia sent its troops into Ukraine and the world started showing its support for Ukraine, the notorious Conti ransomware group issued a statement on its website warning that it would use its “full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” The cybercrime group has threatened to “strike back at the critical infrastructures of any enemy.”

The black hat hackers later revised their statement to say, “We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

Conti ransomware support for Russia

In comparison, the LockBit ransomware group, which also has many members in Russia, clarified that it will not get involved, pointing out that it also has members from Ukraine and many other countries around the world, including the United States.

Shortly after Conti announced its support for Russia, someone made available hundreds of files allegedly stolen from the ransomware gang. Some said the files were made public by a Ukrainian security researcher, while others claimed it was a Ukrainian member of the Conti group who leaked the files.

There are nearly 400 JSON files dated between January 2021 and February 27, 2022, and they each store hundreds of messages exchanged between members of the Conti group.

While analyzing all the files will take some time, researchers have so far identified chats mentioning Emotet, TrickBot and Ryuk malware. It’s worth noting that Conti recently “acquired” TrickBot and its developers as the group thrived amid recent crackdowns on other cybercrime gangs.

In the leaked files, researchers also found more than 200 Bitcoin addresses that hold roughly $13 million in ransomware payments. Messages exchanged between members of the group (including conflicts and personal details), conversations with victims, IP addresses, and other infrastructure data are also included in the dumped files.
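An added example of how an analyst might triage a dump like the one described, not code from the article or from any of the researchers it cites: it assumes a constructed record layout with a `body` field (the article does not describe the files' schema), counts only legacy Bitcoin addresses that pass the Base58Check checksum so random base58-looking tokens are not mistaken for wallets, and uses a documentation-range IP and the well-known genesis-block address as constructed sample data.

```python
"""Triage of leaked chat-message JSON: constructed sample, not the real Conti dump."""
import hashlib
import json
import re
from collections import Counter

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose shape of a legacy (P2PKH/P2SH) address; the checksum check does the real filtering.
BTC_CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FAMILIES = ("emotet", "trickbot", "ryuk")  # names the article says appear in the chats


def is_valid_legacy_btc(addr: str) -> bool:
    """Base58Check: last 4 decoded bytes must equal SHA256(SHA256(version + hash160))[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4); leading '1's are zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def triage_dump(text: str) -> dict:
    """Extract checksum-valid BTC addresses, IPv4 strings and malware-family mentions from one file."""
    addrs, ips, mentions = set(), set(), Counter()
    for msg in json.loads(text):
        body = msg.get("body", "")  # assumed field name; the article does not describe the schema
        addrs.update(a for a in BTC_CANDIDATE.findall(body) if is_valid_legacy_btc(a))
        ips.update(IPV4.findall(body))
        lowered = body.lower()
        mentions.update(f for f in FAMILIES if f in lowered)
    return {"btc_addresses": sorted(addrs), "ipv4": sorted(ips), "mentions": dict(mentions)}


# Constructed records: RFC 5737 documentation IP, the genesis-block address as a known-valid
# test vector, and a copy with its last character altered so the checksum fails.
SAMPLE_DUMP = json.dumps([
    {"ts": "2021-06-14T10:02:11", "from": "op_a", "to": "op_b",
     "body": "payment landed at 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, trickbot loader updated"},
    {"ts": "2021-06-14T10:05:40", "from": "op_b", "to": "op_a",
     "body": "typo? 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb bounced, new box 192.0.2.10 for emotet"},
    {"ts": "2022-02-20T08:00:00", "from": "op_c", "to": "op_a",
     "body": "ryuk decryptor handed over, Emotet team asked again"},
])

if __name__ == "__main__":
    print(json.dumps(triage_dump(SAMPLE_DUMP), indent=2))
```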

“The data dump may aggravate Conti but doesn't necessarily mean it will stop the gang,” an expert said.

The individual who leaked the Conti chats said more files taken from the hackers will be made public in the coming period.

This is not the first time Conti infrastructure has been compromised. In November 2021, Prodaft researchers exploited a vulnerability in Conti’s recovery servers, which enabled them to obtain information on the cybercrime operation’s inner workings.

Just before Russia launched its invasion, Ukraine was hit by DDoS and malware attacks that have been attributed to state-sponsored threat actors. However, it seems that Ukraine has also been targeted by patriotic hackers, including employees of a Russian cybersecurity firm.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.