Security Experts:

Connect with us

Hi, what are you looking for?



U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout

The U.S. government has reissued an alert warning organizations about Conti ransomware attacks as the cybercrime group deals with the recent leaks.

The U.S. government has reissued an alert warning organizations about Conti ransomware attacks as the cybercrime group deals with the recent leaks.

An alert originally released in September 2021 was reissued recently by CISA, FBI, NSA and the U.S. Secret Service. The alert contains technical details on Conti attacks, as well as indicators of compromise (IoCs) that can be useful to defenders.

Shortly after Russia launched an invasion of Ukraine, the Conti group announced its support for Russia, threatening to attack the critical infrastructure of “enemies.” They later revised their statement to say that they condemned the war, but the threat to launch cyber operations in response to the West’s actions remained.

Conti deals with leak

A few days after Conti made the announcement, an individual — a Ukrainian security researcher or possibly a rogue member of the Conti group — started leaking files related to the gang’s operations. The leaks started with some chat logs on February 27 and continued with other files, including Conti ransomware source code, on March 1.

The U.S. government said in its updated alert that the Conti threat actors appeared to remain active, with its victim count rising to more than 1,000.

MDR company eSentire this week reported that the Conti group announced attacks against more than 50 organizations between November 27, 2021, and February 28, 2022.

Conti continues to announce new victims on its website, with nine new targets named this week alone, including two on March 10.

On the other hand, the data leak appears to have had at least some impact on Conti, which, as the leaked files show, operates just like a company, with contractors, employees and HR problems.

The leaked files have enabled researchers to conduct a detailed analysis of the group’s tools, methods and projects. Incident response company BreachQuest has published a report describing Conti leadership and hierarchy, organizational infrastructure, Bitcoin transactions, malware and other tools.

BreachQuest’s analysis of the leaked files showed that Conti spent roughly $6 million on employee salaries, tooling and professional services in the past year alone.

Threat intelligence company Cyberint has also conducted an analysis of the leaked files. Its researchers said that while Conti initially appeared unaffected by the leaks, the group’s senior management “decided to mitigate the damage and tried to cover any tracks that might lead to any members of the group.” It’s worth noting that the person who leaked the Conti files has also made public the identity of an individual allegedly involved in malware development.

“After the main leaks, the last conversations that were leaked showed that the decision was made to go off the grid for some time,” Cyberint researchers said. “It seems that the key members of the group are making efforts to ensure that all relevant files are deleted, all links shared within the conversations are dead, all servers used for the organization’s infrastructure are down.”

Based on chatter between members of the cybercrime organization, Cyberint said, a rogue member is believed to be behind the leak.

According to the cybersecurity firm, it’s unclear if the victims named recently on the Conti website are new or if they were compromised before the leak.

“One way or another, Conti will turn their efforts in the coming days or weeks to rebuilding their infrastructure and relocating all their communication channels and sources very carefully, so the Ukrainian research does not infiltrate this infrastructure as well,” Cyberint said.

Related: Conti Ransomware ‘Acquires’ TrickBot as It Thrives Amid Crackdowns

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.