A Ukrainian security researcher has stolen the chat logs of the ransomware gang Conti and put them on the internet. As a group, Conti previously expressed support for the Russian invasion of Ukraine. The Ukrainian investigator then leaked more than 60,000 chat messages from the Jabber chat service used by the gang. The messages run from January 2021 to February 27, 2022.
The authenticity of the messages has been confirmed by BleepingComputer and is further supported by the cybersecurity firm Hold Security. It is likely that security researchers had been monitoring the ransomware gang from the inside for some time, but its open support for Russia was the last straw for the Ukrainian researcher.
In the leaked conversations, the gang members discuss their activities, which also reveals previously unknown victims. In addition, they share links to other unknown data breaches and discuss the overall state of their operation. The 239 bitcoin addresses discussed in the chats hold a total of more than 13 million euros.
A leak of this magnitude is rare and gives investigators and law enforcement an intimate look behind the scenes of a professionally run ransomware ring. The leaked data is only part of the total, and the researcher also announced that more information about the gang may be released in the future.
The direct trigger for the action was a blog post published by Conti in which the gang stated that it would use ‘all its available fighting power’ against countries that attack Russia digitally, targeting essential infrastructure ‘of the enemy’. This was apparently followed by considerable criticism from affiliates and from Conti’s customers.
Conti then softened its message, saying that it does not support any country and condemns the war in Ukraine, while clearly stating that it wants to protect Russian-speaking areas against attacks by ‘Western aggressors’. Given the leak of its internal communications, that softening came too late.
Even in the digital underworld, opinions about the conflict are thus divided. For example, the administrator of the popular surface web hacker forum Raidforum has announced that Russian IP addresses will be banned in response to the situation in Ukraine. At the time of writing, the Raidforum website itself is offline, presumably due to a cyber attack, although there is also speculation about an intervention by the authorities.