Ransomware Group Conti Faces Data Leak of Its Own

Written by: Joseph Stepina, Esq.

Notorious ransomware group Conti has, itself, been the target of cyberattacks after it announced its allegiance to Russia and its support of Russia’s ongoing invasion of Ukraine.  Conti is famous for conducting ransomware attacks on a variety of business and governmental entities including Ireland’s national health service, Shutterfly, and fashion retailer FatFace.  In May of 2021, the Federal Bureau of Investigation issued a warning to U.S. healthcare networks that Conti had initiated sixteen (16) attacks on healthcare networks in the previous twelve (12) months.

In the cyberattacks against it, Conti has had its source code for its ransomware encryptor, decryptor and builder leaked.  Conti uses this source code to conduct its own ransomware attacks, but Conti is also a ransomware-as-a-service group and allows other groups to utilize its ransomware code for their own attacks.  In addition, the archives of over one year’s worth of internal chat logs were leaked.  The chat logs were published by a group that collects malware source code and other data, VX-Underground.

Conti’s main Bitcoin address was also leaked.  The group reportedly received ransoms amounting to over 65,000 Bitcoin between April 2017 and February 28 of this year – equivalent to nearly $3 billion.

Following the leaks of its chat logs and source code, Conti walked back its support of the Russian war in Ukraine.  Whether Conti’s move to distance itself from the Russian government is to protect itself from future cyber attacks or to protect its pocketbook is unclear.  Other threat actors, including those suspected to also be based in Russia, have announced their neutrality regarding the conflict in Ukraine and their broader apolitical nature.

The source code leaks will allow security researchers to dissect Conti’s malware and determine methods to protect against it.  In the short term, however, various copycat threat actors will likely try to implement the code into their own operations.  Although these leaks may have slowed Conti for now, it is also likely that Conti will reemerge as a new group in the future.

Messages from the Conti leak revealed that when facing a well-secured victim, the group will likely move on to target an organization with inadequate security.  Businesses should remain vigilant against ransomware attacks by ensuring that their security measures are up-to-date.