Ride the Lightning

Conti Ransomware Group Has an HR Department, Performance Reviews and an ‘Employee of the Month’

April 20, 2022

CNBC reported on April 13^th that internal documents leaked from the ransomware group Conti, presumably an act of revenge over Conti’s support of Russia’s war against Ukraine, revealed details about the notorious hacker group’s size, leadership and operations.

The messages show that Conti operates much like a regular company, with salaried workers, bonuses, performance reviews and “employees of the month.”

Cybersecurity experts say some workers were told they were working for an ad company and likely were unaware who was employing them.

Conti uses malware to block access to computer data until a ransom is paid.

Conti is one of the most prolific ransomware groups of 2021. Among the data leaked was its crown jewel, the source code of its ransomware.

Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years.

In its “Internet Crime Report 2021,” the FBI warned that Conti’s ransomware was among “the three top variants” that targeted critical infrastructure in the United States last year. Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors,” the bureau said.

Cyberint said the leak appeared to be an act of revenge, prompted by a since-amended post by Conti published in the wake of Russia’s invasion of Ukraine. The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south,” Cyberint said.

The leaks started on Feb. 28, four days after Russia’s invasion of Ukraine.

Soon after the post, someone opened a Twitter account named “ContiLeaks” and started leaking thousands of the group’s internal messages along with pro-Ukrainian statements.

The American cybersecurity company Trellix called the leak “the Panama Papers of Ransomware” and “one of the largest ‘crowd-sourced cyber investigations’ ever seen.”

The data revealed that Conti has physical offices in Russia and the group may have ties to the Russian government. Not precisely unexpected.

Even before the leak, Conti was showing signs of distress, according to Check Point Research.

Around mid-January, the leader of the group went silent and salary payments stopped, according to the messages.

Days before the leak, an internal message stated: “There have been many leaks, there have been … arrests … there is no boss, there is no clarity … there is no money either … I have to ask all of you to take a 2-3 month vacation.”

Though the group has been hobbled, it will likely rise again, according to Check Point Research. Unlike its former rival REvil — whose members Russia said it arrested in January — Conti is still “partially” operating, the company said.

Conti has survived other setbacks, including the temporary disabling of Trickbot — a malware program used by Conti — and the arrests of several suspected Trickbot associates in 2021.

Despite the many efforts to combat ransomware groups, the FBI expects attacks on critical infrastructure to increase in 2022.

Hat tip to Dave Ries

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson