For months, members of Conti — one of the most ruthless of the dozens of ransomware gangs in existence — have rejoiced in publicly sharing the data they stole from the victims they hacked. Now members are learning what it’s like to be on the receiving end of a major breach where all their dirty laundry is spilled – not just once, but repeatedly.
The unfolding series of leaks began on Sunday when @ContiLeaksa newly created Twitter account, started posting links to logs of internal chat messages Conti members had sent among themselves.
Two days later, ContiLeaks published a new installment of messages.
burn it down
On Wednesday ContiLeaks was back with more leaked chats† The latest transmission showed headers with data from Tuesday and Wednesday, an indication that the unknown leaker still had access to the gang’s internal Jabber/XMPP server.
“Hello, how are we?” a Conti employee named Tort wrote in a message to a gang colleague named Green Wednesday, according to Google Translate. Tort went on to report that someone “shredded all the farms and cleaned the servers.” One such move suggested that Conti was dismantling its significant infrastructure for fear the leaks would expose members to law enforcement investigators around the world.
In another tweet, wrote ContiLeaks: “Glory to Ukraine!” This implied that the leak was motivated, at least in part, to respond to a statement posted on Conti’s dark web site that group members “would use our full capacity to retaliate in the event that the Western warmongers attempt to target on critical infrastructure in Russia or any Russian-speaking area of the world.”
KrebsOnSecurity, citing Alex Holden, the Ukrainian-born founder of Milwaukee-based cyber intelligence firm Hold Security, has reported that the ContiLeaks is a Ukrainian security researcher. “This is his way of at least putting them in his mind,” adds KrebsOnSecurity. Other investigators speculate that the leaker is a Ukrainian employee or business partner of Conti who broke with Conti’s Russia-based leaders when they pledged support to the Kremlin.
In total, the leaks — which are archived here — detail nearly two years of the group’s inner workings. For example, on September 22, 2020, a Conti leader using the Court handle revealed that something appeared to be terribly wrong with Trickbot, a for-hire botnet that Conti and other crime groups used to deploy their malware.
“Whoever made this mess did a really good job,” Hof wrote, delving into a mysterious implant someone had installed to ensure that Trickbot-infected machines disconnect from the command and control server that instructs them. gave. “He knew how the bot works, i.e. he probably saw or flipped the source code. In addition, he somehow encrypted the configuration ie he had an encoder and a private key, and uploaded it all to the admin panel. It’s just kind of sabotage.”
There will be panic… and crawling
Seventeen days after Hof delivered the analysis, The Washington Post reported that the sabotage was the work of the US Cyber Command, a division of the Department of Defense headed by the director of the National Security Agency.
When Conti members attempted to rebuild their malware infrastructure in late October, the network of infected systems suddenly expanded to 428 medical facilities in the US, KrebsOnSecurity reported. The leadership decided to take the opportunity to restart Conti’s operations by simultaneously deploying the ransomware to healthcare organizations that were succumbing to the pressures of a global pandemic.
“Fuck the clinics in the US this week,” wrote a Conti executive with the Target handle on Oct. 26, 2020. “There will be panic. 428 hospitals.”
Other chat logs analyzed by KrebsOnSecurity show Conti employees grumbling about low pay, long hours, grueling work routines and bureaucratic inefficiency.
For example, on March 1, 2021, a low-level Conti employee named Carter reported to superiors that the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers and domain registrations was $1,240 short.
Eight months later, Carter was crawling again.
“Hello, we are out of bitcoins,” Carter wrote. “Four new servers, three VPN subscriptions and 22 renewals are out. Two weeks for renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”
