A notorious ransomware outfit has been given a taste of its own medicine after a vast trove of internal chat data was leaked by a Ukrainian researcher.
The leaks were posted online yesterday, along with rough Google Translate versions of the text in English.
They amount to tens of thousands of messages taken from Conti’s Jabber server. Recorded Future confirmed the authenticity of the leaks, which cover over a year’s worth of internal communications from January 2021 until February 2022.
While the group appears to have been under surveillance by researchers for some time, they decided to show their hand after Conti released an aggressively pro-Russian statement on Friday.
“If anybody will decide to organize a cyber-attack or any war activities against Russia we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” it warned.
Interestingly, the group tried to backtrack with a new statement on Sunday, saying that “we do not ally with any government and we condemn the ongoing war.” However, it was too late by then.
Although eagle-eyed researchers are still trawling through the logs, they’re likely to be a treasure trove of intelligence for defenders and law enforcers keen to know more about Conti’s members and operational processes.
It also promises other revelations. Flashpoint’s Vitali Kremez pointed to one conversation in which the group appears to be planning financial support for Alla Witte, a Latvian woman indicted in the US for developing malware for the infamous Trickbot group.
The pledge of $10,000 for her legal defense appears to show the strong ties between Trickbot and Conti.
The incident shows deepening fault lines between the two groups due to the ongoing war that may end up helping the cybersecurity community in surprising ways.