Conti Ransomware Group Operates Like a Typical Tech Company: Cybersecurity Trends

I’ve read before that malware providers advertise their product roadmaps and availability for testing in underground forums, but this is ridiculous! According to a recent report, the Conti Ransomware Group operates like a typical tech company. They even have an HR department, performance reviews and an ‘employee of the month’!

As reported by Sharon Nelson in her excellent Ride the Lightning blog (Conti Ransomware Group Has an HR Department, Performance Reviews and an ‘Employee of the Month’), CNBC reported on April 13th that internal documents leaked from the ransomware group Conti, presumably as an act of revenge over Conti’s support of Russia’s war against Ukraine (which I covered here), revealed details about the notorious hacker group’s size, leadership and operations, showing that the Conti Ransomware Group operates like a typical tech company.

Cybersecurity experts say some workers were told they were working for an ad company and likely were unaware who was employing them.


Conti was one of the most prolific ransomware groups of 2021. Among the data leaked was its crown jewel, the source code of its ransomware.

Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years.

In its “Internet Crime Report 2021,” the FBI warned that Conti’s ransomware was among “the three top variants” that targeted critical infrastructure in the United States last year. Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors,” the bureau said.

Cyberint said the leak appeared to be an act of revenge, prompted by a since-amended post by Conti published in the wake of Russia’s invasion of Ukraine. The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south,” Cyberint said.

The American cybersecurity company Trellix called the leak “the Panama Papers of Ransomware” and “one of the largest ‘crowd-sourced cyber investigations’ ever seen.”

The data revealed that the Conti ransomware group has physical offices in Russia and the group may have ties to the Russian government. Gee, you think? Wonder what it takes to become ‘employee of the month’? 😉

Sharon has much more info in her blog post, which you can check out here.

So, what do you think? Are you surprised how malware companies like Conti are operated? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
