Conti, a Russia-based cyber crime gang centered in St. Petersburg, has emerged in recent years as the world’s most dangerous ransomware-as-a-service purveyor. More than just thieves, experts believe the gang also has ties to Russian intelligence.
Hacker collectives come and go, as far as their notoriety and effectiveness are concerned, often disappearing and then rebranding to begin anew. Conti, however, has remained a stable power player for a number of years.
What is the Conti ransomware gang, what makes them so dangerous and how are they able to continue to operate so effectively?
A recent leak of chat logs from within the gang reveals a great deal about Conti’s inner workings and day-to-day operations.
How did the Conti leak happen?
At the onset of Russia’s invasion of Ukraine, Conti made a bold statement proclaiming the group’s loyalty to Putin and pledging its “full support” to the Russian government. Conti threatened to wage cyber war on the infrastructure of any country that attempted to thwart Putin’s march into Ukraine with cyberattacks of its own.
While the statement was made on the group’s website, typically reserved for publicizing the names of its victims, the declaration did not sit well with all members of the group, many of whom do not support the war or Putin’s regime.
Divided, and now on the international radar as the world watched Putin’s actions with disgust, Conti attempted to retract or soften the statement. However, the backpedaling would prove to be too late.
A Ukrainian security researcher who had secretly infiltrated the group some time earlier seized the opportunity to begin leaking troves of internal chats between Conti members in retaliation for the gang’s support of Russia.
Using the Twitter handle @ContiLeaks, the individual published around 400 files containing some 60,000 internal chat messages. The material not only gave the public an inside look at the group’s workings but also provides information that law enforcement can use to identify, locate and apprehend members of the gang.
Conti’s operation and structure revealed
Many people think of hackers as lone wolves, launching attacks in secret from private locations for whatever personal reasons compel them.
In some cases, this is true. However, Conti is actually a sophisticated criminal enterprise.
In 2021, the core Conti team consisted of 62 individuals. The number of people associated with the group fluctuates because of a high rate of turnover, at times approaching 100, and the wider network of affiliates may be larger still.
The group operates in much the same way as a typical software development company. There is a middle management layer, and most employees receive salaries of $1,000 to $2,000 a month.
A share of the ransom proceeds is reserved for those who negotiate payments with victims.
Leaked Google docs containing budgetary info with regard to equipment purchases, office space rentals and server operations are unremarkable and commonplace. Workers ask to get time off approved, wish one another well for holidays and work to maintain team spirit.
Like any normal company, Conti is always on the lookout for new talent. It recruits members from hacker forums and even places ads on legitimate job sites.
The leaked chat logs reveal that, aside from the high level criminal work taking place, Conti’s daily operations have all the dullness and mundanity of a regular office, complaints about long hours and fellow coworkers included.
Conti’s acting “CEO” is known by their handle of either “Stern” or “Demon.”
They communicate with another individual known as “Mango,” who appears to act as the group’s general manager.
Aside from operations-related messaging, the chat logs also reveal group members split on Putin’s invasion of Ukraine, antisemitic comments (some directed at Ukrainian President Volodymyr Zelensky, ironic considering that Moscow claims to be invading Ukraine to “rid the country of Nazis”) and mentions of child abuse.
Who has Conti hacked?
Conti has a long list of victims large and small. The gang is believed to have collected $180 million in extortion payments over the last year alone.
While Conti has a code of ethics that forbids its wares from being used against hospitals, Ireland’s public healthcare system suffered a crippling attack with the gang’s ransomware in 2021, as did a number of US medical and first-responder networks.
In leaked chat logs, one can see mention of a member called “Dollar” who received harsh words from upper management for disregarding Conti’s rules regarding attacks on healthcare systems.
It is unknown what attacks these chats may be specifically related to, although Dollar was reprimanded for tarnishing the group’s reputation.
The Karakurt connection
Karakurt is a data extortion group based in Russia. The gang steals data from victim organizations and then threatens to leak it online. This is different from a ransomware gang’s usual tactic of encrypting a victim’s data and then charging for the key to unlock it.
Researchers have recently discovered that Karakurt is actually a bit of a “side project” of Conti’s, as both organizations seem to have connections to an individual that they believe is in charge of both groups.
As it turns out, when Conti is unable to encrypt a target’s data for a ransomware attack, it instead hands the stolen information over to Karakurt, which then attempts to extort the victim with the threat of publication.
What’s next for Conti?
While other ransomware gangs and dark web enterprises tend to fall apart or regroup after a leak or law enforcement breach, Conti continues to operate and carry out attacks.
Researchers do feel, however, that the leak has caused the group to take a hit.
Affiliates considering using Conti’s services are now left to wonder who within the group may have been compromised by authorities, and it remains possible that Conti loses steam as a result and has difficulty maintaining its status.
It is also a possibility that the leak may have already caused Conti to fall out of favor with Moscow.
Russia has a historically hands-off approach to cybercrime syndicates operating within its borders as long as they do not attack Russian entities.
Blurring the line between government agencies and organized crime, many hacks originating from Russian gangs are believed to be state-sponsored. This allows the Russian government to carry out cyberattacks while still maintaining plausible deniability with regard to their meddling in the networks, infrastructure and elections of rival nations.
As is typical in criminal arrangements, tensions run high and relationships are based on convenience and mutual utility.
In January of this year, Russia’s FSB arrested members of REvil, a similarly powerful ransomware gang operating within the country that had launched attacks on US politicians, celebrities and companies, following requests from US authorities.
The arrests are widely assumed to have been a political maneuver: Putin turned REvil into a convenient gesture toward US authorities as he continued to mass forces on Ukraine’s border in preparation for a full-scale invasion.
Has Conti’s breach put them on the chopping block as well?
Given current relations, it is unlikely that Putin will be making any grand gestures toward the US by handing over Conti members.
However, it is likely that members of Conti are giving their current employment arrangements a second thought.
Sources
- Matt Burgess, “The Workaday Life of Conti, the World’s Most Dangerous Ransomware Gang,” WIRED, 16 March 2022
- Zack Whittaker, “Conti ransomware gang’s internal chats leaked online after declaring support for Russian invasion,” TechCrunch, 28 February 2022
- Danny Palmer, “Ransomware: Conti gang is still in business, despite its own massive data leak,” ZDNet, 6 April 2022
- Heather Landi, “FBI warns Conti ransomware hit Ireland system, targeted 16 US medical, emergency networks,” Fierce Healthcare, 24 May 2021
- Ionut Ilascu, “Karakurt revealed as data extortion arm of Conti cybercrime syndicate,” BleepingComputer, 15 April 2022