Conti Ransomware Operation Sees its Internal Chats Leaked: Cybersecurity Trends

According to a report by BleepingComputer, a Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang initially sided with Russia over the invasion of Ukraine.

In the article (Conti ransomware’s internal chats leaked after siding with Russia, written by Lawrence Abrams), BleepingComputer states that it has independently confirmed the validity of these messages from internal conversations previously shared with it regarding Conti’s attack on Shutterfly.

AdvIntel CEO Vitali Kremez, who has been tracking the Conti/TrickBot operation over the last couple of years, also confirmed to BleepingComputer that the leaked messages are valid and were taken from a log server for the Jabber communication system used by the Conti ransomware operation.

In total, there are 393 leaked JSON files containing 60,694 messages from January 21, 2021, through today. Conti launched their operation in July 2020, so while the leak contains a big chunk of their internal conversations, it is not all of them. Nonetheless, these conversations contain various information about the gang’s activities, including previously unreported victims, private data leak URLs, bitcoin addresses, and discussions about their operations.

There are also conversations about Conti/TrickBot’s Diavol ransomware operation and 239 bitcoin addresses containing $13 million in payments, which were added to the Ransomwhere site.

Earlier this week, the Conti ransomware operation published a blog post announcing their full support for the Russian government’s attack on Ukraine. They also warned that if anyone organized a cyberattack against Russia, the Conti gang would strike back at critical infrastructure. But, after Ukrainian Conti affiliates grew upset over the siding with Russia, the Conti ransomware operation replaced their message with another one, stating that they “do not ally with any government” and that they “condemn the ongoing war”, while still threatening to strike back against any American cyberattacks.

However, their change of heart came too late, and a Ukrainian security researcher who reportedly had access to Conti’s backend XMPP server emailed BleepingComputer and other journalists tonight with a link to the leaked data.

Support of Russia isn’t even popular with cyberhackers these days.

There’s a lot more in the article about the Conti ransomware operation leak, so check it out.

Speaking of Russia and lack of support, we’re seeing plenty of companies cutting off ties to Russia and Russian companies. We’re even seeing some states telling liquor stores to remove Russian vodka from their shelves (eegads!) even though many of them are now distilled in several other countries besides Russia. With that in mind, Peter Mercer, the CEO of eDiscovery Today partner Vound Software, has asked to announce that “As of today Vound will not sell to any company in Russia” and that they are calling on other vendors from the forensic and eDiscovery industries to do the same. Plenty more to come on this, I’m sure.

So, what do you think? Are you surprised/happy/intrigued by the Conti ransomware operation leak? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.