The Conti Leaks Part 2: Insights into the targets of a highly organized ransomware group

by the Crystal investigations team

May 24, 2022

Read through the avalanche of data leaks triggered by a post about Conti’s pro-Russian stance

The FBI identified a Russian criminal organization known as Conti Group as one of the most advanced ransomware groups of 2021. A series of document leaks in February 2022 revealed in cyber espionage offers details about the group’s size, administration, and business processes and the source code of its ransomware.


This massive leak of internal documents — thought to be an act of revenge over Conti’s pro-Russia stance — revealed the notorious hacker group’s size, leadership, and operations.

The data leak appears to be an act of revenge, initiated by a post published by Conti and concerning Russia’s invasion of Ukraine. The Conti group chose to side with Russia’s authorities leaving space for the data leak. The leak began on February 28, which was only four days after Russia’s invasion of Ukraine. Soon after the post, the leaks started from a Twitter account named “ContiLeaks,” revealing thousands of internal documents from the group with pro-Ukraine statements.

The messages show that Conti operates much like a regular company, with salaried workers, bonuses, performance reviews, and even “employees of the month.” Cybersecurity experts say some workers were told they were working for an ad company and likely were unaware of who was employing them. After a thorough analysis of the leaked documents, it was determined that Conti has management, finance, and human resources departments, along with a classic corporate hierarchy with team leaders that report to upper-level management. There is also evidence that supports the existence of the entire RnD department within the underground organization


Crystal’s team has been examining the leaked data to understand this group’s inner workings and solve crimes committed by Conti. Conti ransomware reports will be released in series – as we dig deeper into the leaked data logs. In Part One, we reviewed the records from 2021. 

Since the first report, we have come into possession of Conti chat logs from 2020, which offer further insights into this group’s malicious and truly inhumane intentions as they targeted “clients” for ransom. The first part of the series by the Crystal analytics and investigations team, “The Conti Leaks Part One: A Modern Criminal Network Unveiled,” introduces the Conti group. 

We described who they were when they got discovered first and what cybercrimes they worked with. The key source for this report series is the leaked internal chat logs by one of the members following Conti’s support of the Russian invasion of Ukraine.

Conti is referred to as a Ransomware-as-a-Service (RaaS) network with connections in the criminal underworld. Their targets were mostly US companies with high revenues. Conti conducted thorough research on its targets before making ransomware moves with ransom requests from 50 Bitcoin (BTC) to 3000 BTC in 2020 and 2021. If successful, they would have targeted up to 7,300 companies a year – if even half of the companies Conti planned to attack agreed to pay even 5 BTC to Conti – it could have come to around 18,250 BTC, which equals USD 714,374,350.

In Part Two we look at what types of companies this cybercriminal group targeted and why.


Similar news...