One of the most successful ransomware groups has experienced a massive leak of internal data after it sided with Russia in the Ukrainian conflict.
The data leak from Conti, a cybercriminal group believed to be based in Russia, included attack infrastructure details, addresses, as well as internal conflicts and accusations, in the form of chat logs and internal recriminations.
“I’ve found 150-plus Bitcoin wallets, there’s a whole lot of analysis to be done with that,” intelligence analyst at cybersecurity firm Recorded Future Allan Liska. He emphasized that an understanding of the back-end infrastructure could be a game-changer, which will enable “governments or cybersecurity companies to start poking to find weaknesses.” Although internal structures could still be amended, “now we know what the back-end structure looks like, and we know what to scan for, what to look for when they move it,” he added.
Hold Security’s Alex Holden went into further details about what the leak revealed. “We see the financial operations, we see their aspirations, for example, they talk about building their own cryptocurrency, we see them fighting with each other,” he said. “One of them recently encrypted a hospital filled with cerebral palsy patients, and we see how they are trying to kick this person out for breaking their code.”
Taking sides
Conti was one of the most successful ransomware groups last year, extorting over $180 million in revenue from victims in cryptocurrency. Its success has been based around its ransomware-as-a-service (RaaS) business model, where it provides affiliates with malware to utilize in exchange for a percentage of the ransom, which is spreading to other ransomware groups. However, “most Russian-language underground forums don’t allow discussions related to political topics,” said Oleg Bondarenko, a senior director on the research team at Mandiant Inc.
This is why Conti surprised many last week by firmly establishing itself in line with Russian President Vladimir Putin, stating it would use “all possible resources to strike back at the critical infrastructures of an enemy.” It later issued a more muted announcement, claiming that it didn’t align with any government, but would target “Western warmongers.”
Yet, as a global decentralized operation, it counts many nationalities among its membership, including Ukrainians. “Ransomware is a global operation,” said Allan Liska, “You may be based in Russia but you have to take into account all of the affiliates that are spread out all over the world right now, most likely, who are not fans of Russia.” While the identity of the leaker is still unclear, Alex Holden believes it could have been a Ukrainian cybersecurity researcher.
