Russian ransomware group Conti hurt by leaks amid Ukraine fighting

A Russian organization known as Conti, which the FBI calls one of the most prolific ransomware groups of 2021, has been damaged by leaks detailing its size, leadership and business operations, as well as the source code of its ransomware, according to a report this week by CNBC citing threat intelligence companies.

Shmuel Gihon, a security researcher at Cyberint, said Conti emerged in 2020 and grew to about 350 members, who have made $2.7 billion in cryptocurrency. “They were the most successful group up until this moment,” Gihon said.

In an online post, Cyberint said the leaks appeared to be an act of revenge prompted by Conti’s support of the Russian invasion of Ukraine. The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south.” The leaks started four days after Russia’s invasion of Ukraine.

Someone opened an anonymous Twitter account and began leaking thousands of the group’s internal messages alongside pro-Ukrainian statements, CNBC reported. The leaker seems to have since finished, writing on March 30: “My last words… See you all after our victory! Glory to Ukraine!”

The impact was big, said Gihon, adding that many of his global colleagues have spent weeks poring through the documents.

Cyberint, Check Point and other specialists said the messages show Conti operates and is organized along the lines of a normal tech company, with clear management, finance and human resource functions, as well as team leaders who report to upper management.

The messages also showed that Conti has physical offices in Russia and may have ties to the Russian government, Cyberint said.

The Russian embassy in London did not respond to requests by CNBC for comment. Moscow has previously denied that it takes part in cyberattacks.

Though the group has been compromised, it will probably make a comeback, Check Point Research said, adding that it is still “partially” operating.