Conti ransomware group has internal chats leaked after siding with Russia

Data Breach
(Image credit: Shutterstock)

Russian ransomware operators Conti has had thousands of sensitive internal chat logs leaked to journalists, law enforcement agencies and cybersecurity researchers, apparently by a disgruntled employee. 

The leak reportedly comes as retaliation for the group recently choosing to side with the Russian government following its invasion of Ukraine. 

The news was first broken by BleepingComputer, which said the ransomware group published a short announcement in the first days of the invasion expressing its full support for the Russian government, and threatening any cybersecurity or cybercrime groups who decide to use their skills to disrupt the Russian operation.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Bitcoin addresses and previously unreported victims

However, Conti seems to have plenty of Ukraine-based affiliates, and after what seems to be a severe backlash, the group changed its stance, condemning the ongoing war and claiming not to be taking any sides. However it did add that it will utilize its full force in the battle against “western warmongering and American threats”.

The as-yet-unnamed Ukrainian culprit behind the leak said the Conti gang has “lost all their sh*t”, before dumping more than 60,000 internal chat messages, the authenticity of which has now been confirmed by independent cybersecurity researchers.

For now the media have only shared relatively benign chat logs in order to prove the authenticity of the leak. 

However, there seems to be plenty of dirty laundry among the chat logs, some of which might even lead to arrests. Initial investigations suggest the chat logs disclose details such as previously unreported victims, private data leak URLs, bitcoin addresses, and discussions about their operations.

Conti is an active ransomware group, which only recently hit American cookware distributor Meyer, stealing sensitive employee information. The group seems to have taken Meyer employees’ full names, physical addresses, birthdates, gender and ethnicity information, Social Security numbers, health insurance information and data on employee medical conditions, random drug screening results, Covid vaccination cards, driver’s licenses, passport data, government ID numbers, permanent resident cards, immigration status information, and information on dependents.

It was also reported that some of the top members of the notorious TrickBot malware family have also recently joined Conti’s ranks. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.