Conti leaks shine light on ransomware’s darkest secrets

In March 2022, the biggest name in ransomware became better known than ever – but perhaps not for reasons it would have wanted.

The Conti ransomware gang made an estimated $180 million from businesses around the world in 2021. But when it backed the Russian invasion of Ukraine, an associate exposed some 60,000 of the group’s chat messages.

The result was a treasure trove of information that gave us a peek into the secret lives of the Conti gang and other ransomware groups. It makes essential reading for anyone in cybersecurity, revealing everything from tactics and structure to salaries – as well as work grumbles and water-cooler gossip.

How ransomware and RaaS work

Ransomware is malware that encrypts data on the system it infects. Ransomware gangs then demand a ransom for the decryption key. They may also demand payment for not releasing the data to the public – a strategy known as extortionware. Conti commonly spreads its malware via a phishing email which carries a Google Drive malware link.

Ransomware-as-a-Service (RaaS) gangs supply their software and expertise to other criminals so that they can launch their own attacks. More sophisticated RaaS operations even offer round-the-clock support, monthly bundles and professional dark-web portals with user reviews, forums and live dashboards that give clients updates on attacks. It’s a big and growing business, with 2021 revenues estimated at $4.52 billion and 64% of Australian businesses suffering disruption from ransomware.

The leaks offer our clearest ever glimpse into a ransomware gang

The Conti leak came just days after the group offered its “full support” to the Russian government. An individual – believed to be a Ukrainian cybersecurity researcher who had infiltrated the gang – responded by releasing tens of thousands of chat messages via Twitter. Strikingly, few of the messages were encrypted.

The leaks, which reach from 2020 to February 2022, also included source code and documents, and give us our clearest ever glimpse into the workings of a ransomware gang. We already knew Conti was a RaaS gang with a twist, with the group receiving a significant share of proceeds from attacks by its affiliates, rather than simply charging them a fee. Now we also know of two ‘leaders’: a “big boss” known as Stern or Demon, and a senior manager called Mango.

Getting the gang together

Stern and Mango seem responsible for recruitment, staff payments, procuring software and accounting for staff time. Every Conti member and affiliate appears to use a pseudonym. And there are a lot of them. The messages come from almost 500 different people, and at one point the gang apparently had over a hundred members, with Stern announcing plans to recruit another hundred.

“What could be striking at first glance is the size, structure, and hierarchy of the organisation,” says Soufiane Tahiri, a researcher who has reviewed the leaks. “They operate pretty much like a software development company, and contrary to popular belief it seems that many coders have salaries and do not take part in the paid ransom.”

Following the money

Staff included coders, testers, system administrators, negotiators, middle managers and even HR. Many appeared to work for a straightforward fortnightly salary, which averaged out at around $1,800 per month. Conti’s operations are believed to be centred in St Petersburg, meaning a Conti worker brings in around triple the average monthly Russian salary of $575. There were bonuses, plus fines for not showing up, while senior members tallied up expenses in a shared worksheet and grumbled about the cost of office space. Others sometimes asked for extra money to cover personal issues – including one employee whose mother suffered a heart attack.

The standard salary is dwarfed by the group’s ransom demands, which average around $750,000 and are frequently in the millions. Middle managers make around $80,000, and some members make far more, with the hackers that secured the initial breach taking a significant chunk of the ransom. Member Bio said he had “earned more this month with you than in ten years”.

RaaS’s office culture features gripes and high turnover

The logs show that life in a RaaS gang can be eerily similar to a regular workplace. Employees tell colleagues they’ve got Covid-19, nip out of the office for a haircut, complain about internet connectivity and request time off. But there’s a darker side too. Anti-semitic jokes about Ukrainian leader Volodymyr Zelensky were shared. When member Skippy announced plans for a holiday overseas, Mango cautioned him against it and told him to make sure his phone was clean and to leave his laptop behind.

Staff turnover is high, and a worker called Dollar was singled out for criticism. Mango told him that “everyone constantly complains about you and gets angry”, and criticised him for targeting hospitals, which goes against company rules. Senior staff don’t just wing it: best-practice research is shared and other ransomware groups (including Emotet, LockBit and IcedID) are consulted.

Conti uses a range of tech – but dreams of more

The messages are mostly from Jabber, with Rocket.Chat used to manage attacks. Its Slack-like interface includes channels on victims and records which staff are responsible. Browser Tor was regularly mentioned, with the encrypted GPG and Protonmail used for email and Crunchbase for research. Conti had an open-source team which looked into threats, and has tried to buy antivirus software to test its tools against.

The group’s ambitions were big too. “We want to create our own crypto system,” said Stern, before opening up a discussion on NFTs and crypto marketplaces. Stern set up a competition on a hacker forum to develop the idea further, although it does not appear to be anywhere near being realised. Crypto platforms are an obvious step for ransomware gangs seeking to move and launder money while staying ahead of the authorities.

Conti’s dream of a crypto platform shows that it, and other ransomware groups, are eager to innovate, stay ahead of the game and build a legacy – Stern and Mango also discussed a trade-based darknet social media network, and even a casino.

What the Conti leaks tells us about ransomware gangs

These leaked messages and documents give us an idea of the strength of ransomware groups, many of whom, like Conti, appear to be based in Russia. It shows that these groups can be almost corporate-like, with some mature enough to have employees, premises, ambitious growth plans and close links with other gangs.

The leak has also dispelled some of the mystique that surrounds Conti. The logs show limitations and frustrations and reveal that the group often falsely claims to have stolen all of the victims’ data when they may have actually only accessed a small part. Conti and groups like them are not going away any time soon – indeed, the group already appears to have pivoted – but law enforcement and security teams have gained a vital glimpse behind the ransomware curtain.