Conti Chats Leaked After Ransomware Gang Expresses Support for Russia

Hundreds of files storing tens of thousands of messages exchanged between Conti ransomware operators have been leaked online after the cybercrime group expressed support for Russia as that country launched its invasion of Ukraine last week.

Shortly after Russia sent its troops into Ukraine and the world started showing its support for Ukraine, the notorious Conti ransomware group issued a statement on its website warning that it would use its “full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” The cybercrime group has threatened to “strike back at the critical infrastructures of any enemy.”

The black hat hackers later revised their statement to say, “We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

By contrast, the LockBit ransomware group, which also has many members in Russia, clarified that it will not get involved, pointing out that it also has members from Ukraine and many other countries around the world, including the United States.

Shortly after Conti announced its support for Russia, someone made available hundreds of files allegedly stolen from the ransomware gang. Some said the files were made public by a Ukrainian security researcher, while others claimed it was a Ukrainian member of the Conti group who leaked the files.

There are nearly 400 JSON files dated between January 2021 and February 27, 2022, and they each store hundreds of messages exchanged between members of the Conti group.

While analyzing all the files will take some time, researchers have so far identified chats mentioning Emotet, TrickBot and Ryuk malware. It’s worth noting that Conti recently “acquired” TrickBot and its developers as the group thrived amid recent crackdowns on other cybercrime gangs.

In the leaked files, researchers also found more than 200 Bitcoin addresses that hold roughly $13 million in ransomware payments. Messages exchanged between members of the group (including conflicts and personal details), conversations with victims, IP addresses, and other infrastructure data are also included in the dumped files.

“The data dump may aggravate Conti but doesn’t necessarily mean it will stop the gang,” an expert said.

The individual who leaked the Conti chats said more files taken from the hackers will be made public in the coming period.

This would not be the first time Conti infrastructure has been hacked. In November 2021, Prodaft researchers exploited a vulnerability in Conti’s recovery servers, which enabled them to obtain information on the cybercrime operation’s inner workings.

Just before Russia launched its invasion, Ukraine was hit by DDoS and malware attacks that have been attributed to state-sponsored threat actors. However, it seems that Ukraine has also been targeted by patriotic hackers, including employees of a Russian cybersecurity firm.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
