Conti ransomware leak shows group operates like a normal tech company

A Russian group identified by the FBI as one of the most prolific ransomware groups of 2021 may now understand how it feels to be the victim of cyber espionage.

A series of document leaks reveal details about the size, leadership and business operations of the group known as Conti, as well as what’s perceived as its most prized possession of all: the source code of its ransomware.

Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years.

In its “Internet Crime Report 2021,” the FBI warned that Conti’s ransomware was among “the three top variants” that targeted critical infrastructure in the United States last year. Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors,” the bureau said.

“They were the most successful group up until this moment,” said Gihon.

In an online post analyzing the leaks, Cyberint said the leak appears to be an act of revenge, prompted by a since-amended post by Conti published in the wake of Russia’s invasion of Ukraine. The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south,” Cyberint said.

The leaks started on Feb. 28, four days after Russia’s invasion of Ukraine.

Soon after the post, someone opened a Twitter account named “ContiLeaks” and started leaking thousands of the group’s internal messages alongside pro-Ukrainian statements.

The Twitter account has disabled direct messages, so CNBC was unable to contact its owner.

The account’s owner claims to be a “security researcher,” said Lotem Finkelstein, the head of threat intelligence at Check Point Software Technologies.

The leaker appears to have stepped back from Twitter, writing on March 30: “My last words… See you all after our victory! Glory to Ukraine!”

The impact of the leak on the cybersecurity community was huge, said Gihon, who added that most of his global colleagues spent weeks poring through the documents.

The American cybersecurity company Trellix called the leak “the Panama Papers of Ransomware” and “one of the largest ‘crowd-sourced cyber investigations’ ever seen.”

Conti is completely underground and doesn’t comment to news media the way that, for instance, Anonymous sometimes will. But Cyberint, Check Point and other cyber specialists who analyzed the messages said they show Conti operates and is organized like a regular tech company.

After translating many of the messages, which were written in Russian, Finkelstein said his company’s intelligence arm, Check Point Research, determined Conti has clear management, finance and human resource functions, along with a classic organizational hierarchy with team leaders that report to upper management .

There’s also evidence of research and development (“RND” below) and business development units, according to Cyberint’s findings.

The messages showed Conti has physical offices in Russia, said Finkelstein, adding that the group may have ties to the Russian government.

“Our … assumption is that such a huge organization, with physical offices and enormous revenue would not be able to act in Russia without the full approval, or even some cooperation, with Russian intelligence services,” he said.

The Russian embassy in London did not respond to CNBC’s request for comment. Moscow has previously denied that it takes part in cyberattacks.

Check Point Research also found With you you have:

• Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
• Negotiators who receive commissions ranging from 0.5% to 1% of paid ransoms
• An employee referral program, with bonuses given to employees who’ve recruited others who worked for at least a month, and
• An “employee of the month” who earns a bonus equal to half their salary

Unlike above-board companies, Conti fins its underperformers, according to Check Point Research.

Worker identities are also masked by handles, such as Stern (the “big boss”), Buza (the “technical manager”) and Target (“Stern’s partner and effective head of office operations”), Check Point Research said.

“When communicating with employees, higher management would often make the case that working for Conti was the deal of a lifetime — high salaries, interesting tasks, career growth(!),” according to Check Point Research.

However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and work hours during weekends and holidays, Check Point Research said.

Hiring was important because “perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees,” wrote Brian Krebs, a former Washington Post reporter, on his cybersecurity website KrebsOnSecurity.

Some hires weren’t even computer specialists, according to Check Point Research. Conti hired people to work in call centers, it said. According to the FBI“tech support fraud” is on the rise, where scammers impersonate well-known companies, offer to fix computer problems or cancel subscription charges.

Though the group has been hobbled, it will likely rise again, according to Check Point Research. Unlike its former rival REvil — whose members Russia said it arrested in January — Conti is still “partially” operating, the company said.

The group has survived other setbacks, including the temporary disabling of Trickbot — a malware program used by Conti — and the arrests of several suspected Trickbot associates in 2021.

Despite ongoing efforts to combat ransomware groups, the FBI expects attacks on critical infrastructure to increase in 2022.