A cache of chat logs belonging to the Conti ransomware group have leaked online thanks to an apparent insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine.
The leak was shared with VX-Underground, a malware research group that collects malware samples and data. The leaked data set has about 400 files containing tens of thousands of internal chat logs of the Conti group in their native Russian. The files hold about a year’s worth of messages dating back to January 2021, some six months after the group first formed in mid-2020.
Ransomware experts are already poring over the files to learn more about the internal operations of the group. Security researcher Bill Demirkapi translated the files into English.
“Glory to Ukraine,” the leaker said in their message.
Conti is a ransomware-as-a-service (RaaS) group, which allows affiliates to rent access to its infrastructure to launch attacks. Experts say Conti is based in Russia and may have ties to Russian intelligence.
Earlier this week, Conti said in a blog post — first reported by Reuters and also seen by TechCrunch — that it had “full support” for the Russian invasion of neighboring Ukraine, and vowed to retaliate against critical infrastructure if Russia is hit with cyber or military attacks. In an updated post, the group claimed it is not allied with any government, but reiterated: “We will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”
Conti has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face and Shutterfly, as well as critical infrastructure, like emergency dispatch centers and first-responders networks. Last May, Conti knocked out the networks of the Irish healthcare service, forcing a nationwide shutdown of IT systems that led to severe delays across the country and cost the government more than $100 million in recovery costs.
According to Ransomware, a crowdsourced ransomware tracking site, Conti has collected more than $30.1 million in ransomware payments to date.
“The leak is a significant blow for Conti, not least because their affiliates and other associates will have lost confidence in the operation,” said Brett Callow, a ransomware expert and threat analyst at Emsisoft. “They’ll undoubtedly be wondering when the operation was compromised, whether law enforcement was involved and whether there are any breadcrumbs which could lead to them.”
“Lots of RaaS operations have connections to Ukraine, including those that are based in Russia. It is, therefore, a tactical blunder for an operation to publicly take sides as they risk pissing off individuals who have inside knowledge of their operations,” said Callow.
The leak of Conti’s files is part of a wider effort by hacktivists and security allies, including the formation of Ukraine’s “IT army,” targeting Russian sites, services and infrastructure in response to the Kremlin’s invasion.