Conti Ransomware Group Victim of Major Leak

Leaked documents show that the Conti ransomware group operates like a normal company, even having an official HR department and “employee of the month”.

The new information regarding the notorious Conti ransomware group was the result of a huge leak of internal documents, believed to be due to Conti’s pro-Russia stance. Conti was identified by the FBI as one of the most serious ransomware groups of 2021, and ironically, they are now themselves the victims of a data leak. What’s particularly interesting is that as well as details about the size and scope of the group, the source code of its ransomware has also been leaked.

The FBI warned in 2021 that Conti was one of the “top three variants” targeting critical infrastructure in the US, in particular critical manufacturing and food production. The leak appears to have originated from a Twitter account named ContiLeaks, which began publishing thousands of internal messages from the ransomware group. The leaks started on 28th February, days into Russia’s invasion of Ukraine. At the beginning of the invasion, Conti posted an unequivocally pro-Russian statement, saying they would use cyberattacks to defend Russia.

The American cybersecurity company Trellix has dubbed the leak “the Panama Papers of Ransomware”. Lotem Finkelstein, the head of threat intelligence at Check Point Software Technologies, has translated many of the messages, which were written in Russian. Remarkably, it appears that Conti operates like any other company, with HR, finance, research and development and business development departments all seemingly existing within the ransomware group. The messages also indicate that Conti may have a physical office in Russia, as well as links to the Russian government.

The leak has also shown that Conti has salaried workers paid in Bitcoin, an employee referral scheme, bonuses given to successful workers, and an “employee of the month” scheme in which the recipient receives a bonus worth half of their salary.
