Stock Groups

Conti ransomware leak shows group operates like a normal tech company


Conti — which uses malware to block access to computer data until a “ransom” is paid — operates much like a regular tech company, say cybersecurity specialists who analyzed the group’s leaked documents.


An FBI-identified Russian organization may be one of the most active ransomware organizations of 2021.

Document leaks have revealed details about Conti’s leadership, business operations, and size. They also reveal what is believed to be its most valuable possession: its source code for ransomware.

Shmuel Gihon, a security researcher at Cyberint, said that the group was formed in 2020 and has since grown into one of the largest ransomware groups in the world. According to him, the group comprises 350 members who have collectively earned more than $2.7 billion in cryptocurrency over two years.

In its “Internet Crime Report 2021,” the FBI stated that Conti’s ransomware was one of the “three top variants” to attack critical infrastructure in America last year. According to the FBI, Conti most often targeted the Critical Manufacturing and Commercial Facilities sectors.

Gihon said, “They were the best group up to this point.”


Cyberint posted an analysis of the leaks online and stated that the leaks appear to be an act of revenge over a since-amended post by Conti published in the aftermath of Russia’s invasion. Cyberint stated that the group could have been silent but, “as we suspected,” Conti chose to support Russia.

Four days following Russia’s invasion, the leaks began on February 28, 2014.

Shortly after the post, someone created a Twitter account called “ContiLeaks” and began leaking thousands of the group’s internal messages along with pro-Ukrainian statements.

CNBC couldn’t contact the Twitter owner because direct messages were disabled on this account.

Lotem Finkelstein, head of threat intelligence at Check Point Software Technologies, said the owner of this account claims to be a “security researcher.”

According to reports, the leaker has now deleted Twitter and wrote on March 30: “My last words… See you after our victory! Ukraine, glory!”

Gihon said that the cybersecurity community suffered enormously from the leak. He also stated that his global colleagues spent many weeks reading through the documents.

Trellix, an American cybersecurity firm, called the leak “a serious security breach,” “the Panama Papers of Ransomware,” and “one of the most extensive crowd-sourced cyber investigations ever.”

The classic organizational hierarchy

Conti works underground. It doesn’t make comments to the news media the way Anonymous does. But Cyberint, Check Point and other cyber specialists who analyzed the messages say they reveal that Conti operates like a tech company.

Finkelstein translated many of these messages from Russian. Check Point Research, his company’s intelligence arm, found that Conti had clear finance, human resource, and management functions. He also noted a classic organizational hierarchy in which team leaders report to higher management.

Cyberint also found evidence of research and development as well as business development units.

Finkelstein said that messages indicated Conti had physical offices in Russia and suggested the group might have connections to the Russian government.

He stated that “our… assumption was that such an enormous organization with physical offices, huge revenue, would not be in a position to act as Russia’s intelligence service without our full approval or cooperation.”

CNBC did not reach out to the Russian Embassy in London for comment. Moscow denies that it participates in cyberattacks.

The ‘Employees’ of the Month

Check Point Research also found Conti has:

  • Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
  • Negotiators who receive commissions ranging from 0.5% to 1% of ransom payments
  • A referral program for employees, which offers bonuses to those who recruit other workers who work at least one month
  • An “employee of the month,” who receives half of their monthly salary as a bonus

Unlike above-board businesses, Conti fines underperformers, according to Check Point Research.

Check Point Research stated that worker identities are disguised by their handles. These include Stern (the big boss), Buza (the technical manager) and Target (Stern’s partner and effective head of office operations).

[Image: Translated Conti messages showing finable offenses. Source: Check Point Research]

“When communicating with employees, higher management would often make the case that working for Conti was the deal of a lifetime — high salaries, interesting tasks, career growth(!),” according to Check Point Research.

However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and work hours during weekends and holidays, Check Point Research said.

The process of hiring

Finkelstein stated that Conti can hire from both legitimate sources, such as Russian headhunting services, and the criminal underground.

“Alarmingly, we know that not everyone is aware they are part of a group that deals with cybercrime.”

Lotem Finkelstein

Check Point Software Technologies

Brian Krebs, an ex-Washington Post reporter and cybersecurity expert, stated on KrebsOnSecurity that hiring was crucial because, “perhaps unsurprisingly,” the turnover, attrition, and burnout rates were quite high among low-level Conti employees.

Check Point Research found that some hires were not even certified computer experts. It said Conti had hired call-center workers. According to the FBI, the rise of “tech support fraud” has seen scammers pose as well-known corporations, offering to assist with computers and cancel subscriptions.

The dark side of the employees

Finkelstein said that there is alarming evidence to suggest that not all employees know they’re part of a cybercrime organization. He said that employees mistakenly believe they are working at an ad agency when, in reality, they are running a notorious ransomware operation.

The messages show managers lied to job candidates about the organization, with one telling a potential hire: “Everything is anonymous here, the main direction of the company is software for pentesters” — referring to penetration testers, who are legitimate cybersecurity specialists who simulate cyberattacks against their own companies’ computer networks.

In a series of messages, Stern explained that they kept the coders guessing by having them focus on one part, or module, of the program rather than the entire program, Check Point Research said.

Stern indicated that employees will be able to resolve their problems if they accept a pay increase to continue, as per the translated messages.

Are you down but not out?

According to Check Point Research, Conti showed signs of distress even before the leak.  

According to messages, Stern became silent in January and the salary payments were stopped.  

Days before the leak, an internal message stated: “There have been many leaks, there have been … arrests … there is no boss, there is no clarity … there is no money either … I have to ask all of you to take a 2-3 month vacation.”

Check Point Research predicts that the group will rise even though it has suffered some setbacks. Unlike its former rival REvil — whose members Russia said it arrested in January — Conti is still “partially” operating, the company said.

The group has survived other setbacks, including the temporary disabling of Trickbot — a malware program used by Conti — and the arrests of several suspected Trickbot associates in 2021.

The FBI anticipates that ransomware attacks against critical infrastructure will increase in 2022, despite ongoing efforts to counter them.