An FBI-identified Russian organization may be one of the most active ransomware organizations of 2021.

Document leaks have revealed details about Conti’s leadership, business operations, and size. They also reveal what is believed to be its most valuable possession: its source code for ransomware.

Shmuel Gikhon is a Cyberint security researcher who said that the group was formed in 2020. It has since grown to be one of the largest ransomware groups in the world. According to him, the group comprises 350 members that collectively have earned more than $2.7 Billion in cryptocurrency over two years.

The “Internet Crime Report 2021The FBI stated that Conti’s ransomware is one of the “three top variants” to attack critical infrastructure in America last year. According to the FBI, Conti was most often targeted by the Critical Manufacturing and Commercial Facilities sectors.

Gihon said, “They were the best group up to this point.”

Cyberint posted an analysis of the leaks online and stated that it appears the leaks were an act de revenge. a since-amended post by ContiPublished in the aftermath of Russia’s invasion. Cyberint stated that the group could have been silent but Conti chose, as we suspected, to support Russia.

Four days following Russia’s invasion, the leaks began on February 28, 2014.

Shortly after posting, someone created a Twitter account called “ContiLeaks”, and began leaking thousands more of the group’s internal messages along with pro-Ukrainian statements.

CNBC couldn’t contact the Twitter owner because direct messages were disabled on this account.

Lotem Finkelstein (head of threat intelligence at Check Point Software Technologies) said the owner of this account claims to be “security researcher”.

According to reports, the leaker has now deleted Twitter and written on March 30: My last words…See you after our victory! Ukraine, glory!

Gihon said that the cyber security community suffered enormously from the leak. He also stated that his global colleagues spent many weeks reading through the documents.

Trellix, an American cybersecurity firm, called the leak “a serious security breach.”the Panama Papers of Ransomware“, and “one the most extensive crowd-sourced cyber investigations” ever.”

Conti works underground. He doesn’t make comments to the news media like Anonymous does. But Cyberint, Check Point and other cyber specialistsAccording to those who analysed the messages, they reveal that Conti is a tech company and operates as such.

Finkelstein translated many of these messages into Russian. Check Point Research, his intelligence arm, found that Conti had clear finance, human resource, and management functions. He also noted a classical organizational hierarchy in which team leaders report to higher management.

Cyberint also found evidence that there was research and development (see below) as well as business development units.

Finkelstein said that messages indicated Conti had physical offices in Russia and suggested the group might have connections to the Russian government.

He stated that “our… assumption was that such an enormous organization with physical offices, huge revenue, would not be in a position to act as Russia’s intelligence service without our full approval or cooperation.”

CNBC did not reach out to the Russian Embassy in London for comment. Moscow denies that it participates in cyberattacks.

Check Point Research also found Conti has:

• Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
• Negotiators that receive commissions from 0.5% to 1 percent of ransom payments are entitled to commissions
• Referral program for employees, which offers bonuses to those who have recruited other workers who work at least one month.
• A “employee-of the Month” is someone who receives half of their monthly salary as a bonus

Conti, unlike other above-board businesses, fines underperformers according to Check Point Research.

Check Point Research stated that worker identities can be disguised by their handles. These include Stern (the big boss), Buza (the technical manager) and Target (Stern’s partner, effective head of office operation operations).

“When communicating with employees, higher management would often make the case that working for Conti was the deal of a lifetime — high salaries, interesting tasks, career growth(!According to Check Point Research, “

However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and work hours during weekends and holidays, Check Point Research said.

Brian Krebs, an ex-Washington Post reporter and cybersecurity expert, stated that hiring was crucial because, “perhaps unsurprisingly,” the turnover, attrition, and burnout rates were quite high among low-level Conti employees. KrebsOnSecurity.

Check Point Research found that some hires were not even certified computer experts. According to Conti, Conti had hired call-center workers. According to the FBIThe rise of “tech support fraud” has seen scammers pose as well-known corporations to offer assistance with computers and cancel subscriptions.

Check Point Research predicts that the group will rise even though it has suffered some setbacks. Unlike its former rival REvil — whose members Russia said it arrested in January — Conti is still “partially” operating, the company said.

The group has survived other setbacks, including the temporary disabling of Trickbot — a malware program used by Conti — and the arrests of several suspected Trickbot associates in 2021.

The FBI anticipates that ransomware attacks against critical infrastructure will increase in 2022, despite ongoing efforts to counter them.