Conti ransomware gang leak: 60,000 messages online

Activists have reportedly leaked the contents of internal chats from the Russia-affiliated Conti ransomware gang as the Ukraine war continues.

Leaked after the extortionists vowed to support Vladimir Putin's invasion of Ukraine, about 60,000 messages were circulating online today with a message saying "fuck the Russian government, glory to Ukraine!"

While Reg readers should treat the next link with extreme caution (downloading files originating from a ransomware gang is as risky as it sounds), the vx-underground Twitter account is generally regarded as a benign source.

Conti ransomware group previously put out a message siding with the Russian government.

Today a Conti member has begun leaking data with the message "Fuck the Russian government, Glory to Ukraine!"

You can download the leaked Conti data here: https://t.co/BDzHQU5mgw pic.twitter.com/AL7BXnihza

— vx-underground (@vxunderground) February 27, 2022

The file dump is said to contain 13 months of internal conversations from Conti, many of which are in a Cyrillic-scripted language that appears to be Russian if one trusts Google Translate's rendition. The structure of the leaked JSON files suggests they are from the Jabber chat app, according to Cisco Talos researcher Azim Khodjibaev on Twitter.

looks like the #conti leaks of 2022 are indeed chat logs from jabber accounts between affiliates, administrators and admins. Rejoice CTI analysts and data scientists, it is in json form! #busymonday pic.twitter.com/DiyqNoymsD

— Azim Khodjibaev (@AShukuhi) February 27, 2022

The leaks prompted excitement among infosec pros as the cache, if genuine, would seem to offer unrivalled insight into Conti's inner workings. To give one example of an incident of interest, last year the WizardSpider criminal crew used the Conti ransomware to lock up the whole of Ireland's state-run health service, causing months of disruption and millions in damage – not to say health impacts on Irish citizens – after a phishing email hit its mark. Internal chats from the time of that attack would be invaluable to law enforcement agencies.

A different ransomware gang appears to have paid full attention to the Conti leaks and declared themselves "apolitical", or uninterested in publicly backing the Russian government. Given that most ransomware gangs operate openly from Russia with officials (mostly) turning a blind eye, this is a significant development.

The Lockbit ransomware gang, rumoured to have described themselves as "post-paid pentesters" in a piece of wordplay suggesting confidence with the English language, said in a note posted to their Tor blog that what they do "is just business" and that "we are only interested in money." Other cybercrime forums appeared to be doing similar things judging by unverified partial screenshots flying around between infosec researchers on Twitter. Perhaps their admins are realising that not all of their fellow cybercriminals is a Putin-backing Russian nationalist.

Ransomware note encrypted by rival gang

In other Conti news, today Sophos published research identifying how a Canadian healthcare organisation was targeted by two ransomware gangs at the same time. Both Conti and another criminal crew called Karma hit the unidentified org through the ProxyShell exploit – though while Karma left a ransom note demanding payment, having not encrypted the organisation's files in some twisted act of semi-mercy, Conti was deploying its own malware.

• Tech world's Ukraine response mixes evacuation efforts, ad bans, free phones, infosec FUD
• Nvidia probes cyberattack on internal systems
• Nothing to scoff at: Crisps and nuts biz KP Snacks smacked in ransomware hack attack
• Irish Health Service ransomware attack happened after one staffer opened malware-ridden email

"Much of the organization's data was encrypted – as were the Karma ransom notes," noted Sophos, which explained that its incident responders had barely begun deploying their tools and taking stock of the Karma infection before Conti ran rampage.

Conti also dropped a batch script onto the target network to disable Windows Defender, shortly before deploying their full payload. ®