The Conti Ransomware Leaks: Six Takeaways

Information security, nation-state hacking, ransomware and malware have been front and center of the Russia-Ukraine conflict, with hackers on each side allegedly launching large-scale attacks against the infrastructure of their opponent.

Although Russia is infamous for its hacking activities and ransomware groups long believed to be protected by the country’s government, threat actors in other countries in eastern Europe are also involved in the ransomware-as-a-service industry. That apparently includes Ukraine, as a purportedly Ukrainian affiliate leaked multiple years of chat logs and files from the Conti ransomware group.

The Conti group is one of the most notorious ransomware actors in recent history, so the massive amount of data contained in the leaks gives us an unprecedented look into how the ransomware-as-a-service industry operates.

We spoke with Chester Wisniewski, a principal research scientist at Sophos, for more context on what we can learn from the Conti ransomware leaks.

Ransomware is very lucrative

The Conti ransomware leaks included information about just how lucrative ransomware can be, as the group’s primary Bitcoin wallet has had upwards of $2 billion deposited in the last two years.

The group is apparently so flush with cash that it was able to purchase a zero-day exploit for Internet Explorer 11 to use as an attack vector in late 2020. This is notable because zero-day exploits are expensive: prices for working browser exploits run from hundreds of thousands of dollars into the millions, so buying one outright is a signal of how much money the operation has to spend.

According to Wisniewski, this was long suspected, but until now there had never been confirmation that a ransomware group had purchased a zero-day exploit.

“‘These groups are really rich, so I wonder if they’re buying zero days,’ was always the narrative before this,” Wisniewski says. “We’ve never had confirmation of a zero day sale with a ransomware group, to my knowledge, so this was kind of interesting.”

Conti, Ryuk and Trickbot

It has long been thought that Conti was affiliated in some way with the Ryuk ransomware and the Trickbot malware operators, but there was never any hard proof.

The Conti ransomware leaks were being released via a Twitter account called @ContiLeaks, and a new account called @TrickbotLeaks also…