To no one’s surprise, the infamous Conti ransomware gang, known for having close ties with Russian intelligence, announced that it was in “full support” of Russia during the conflict.
Their announcement comes after a surge of cyberattacks against Russian websites, with volunteers from all over the world, including the famous Anonymous group getting involved. Ukraine has also set up an ‘IT army‘ of hacktivists, with additional help from the EU’s cyber defense team.
The announcement by Conti, which was posted on Friday, also included threats of retaliation, saying the group would use “all possible resources to strike back at the critical infrastructures” of entities that engage in cyberattacks against Russia. The threats also extended to activities outside cyberspace.
However, in a dramatic twist, the message was later edited, removing the part about ‘targeting critical infrastructure.’ Instead, the hackers took a more conservative stance, saying they’re against “Western warmongering and the American threats to use cyber warfare against the citizens of Russian Federation.” The message also stated that Conti does: “not ally with any government, and we condemn the ongoing war.”
Who Are They?
Cyber experts believe that the gang is based in Russia. In just one year, dating from late 2020 to late 2021, Conti has been involved in over 400 attacks, against U.S. targets, including 16 health providers.
The group runs ‘double extortion’ attacks, where they steal and encrypt confidential data. If the victim does not pay the ransom, they threaten to expose the data.
Historically, Conti has targeted critical infrastructure in the U.S. and other Western countries, aiming to disrupt everyday operations. Some of their victims include:
- Railway stations
- Police departments
- Government organizations
- Businesses and more.
Based on what people know about the gang, their announcement in support of Russia came to no surprise for cyber experts around the world. However, there are differing opinions on how dangerous the threat is, at least for the outcome of this war.
“Conti has built strong ransomware capabilities, and it is a focused threat actor with precision to attack bigger targets. It is an adversary that can create significant harm, even if their maturity is not at the Nation-State level,” said Ondrej Krehel, VP of DFIR operations at SecurityScorecard.
Ukrainian Conti Member Leaks Chats
Following the announcement by Conti’s higher ups, a Ukrainian member of the gang leaked over 60,000 internal chats in retaliation. Conti has several Ukrainian members, and it would be no surprise to see some internal conflict regarding this issue.
The chats were leaked by email to various security researchers and journalists from a member who has or gained access to the backend of the gang’s XMPP chat server.
The leaked chats date from January 2021 to February 27th, 2022, and are a large chunk of all Conti chats, as the group became active in July 2020.
The leakers said there would be an additional file leak and that the chats were only a small part of what’s to come.
Having these chats made available is valuable for cybersecurity researchers, who can use them to better understand crime group TTPs (Tactics, Techniques, and Procedures).
Any Ukraine-based company for the next 6 months can get entirely free access to SecurityScorecard’s enterprise license to protect themselves from malware resilience in light of ongoing cyber-attacks. We are also providing them free access to SecurityScorecard forensics remediation team to deal with ransomware issues or to recover from any outage. Simply email Ukraine@securityscorecard.io
Our Threat Research & Intelligence team has been analyzing the scope, impact, and attribution of cyber-attacks involving both Russia and Ukraine. We are partnering with U.S. authorities to further aid their efforts.