Days after the Conti ransomware group broadcast a pro-Russian message pledging its allegiance to Vladimir Putin’s ongoing invasion of Ukraine, an anonymous security researcher using the Twitter handle @ContiLeaks has leaked the syndicate’s internal chats.
The file dump, published by malware research group VX-Underground, is said to contain 13 months of chat logs between affiliates and administrators of the Russia-affiliated ransomware group from June 2020 to February 2022, in a move that’s expected to offer unprecedented insight into the criminal enterprise’s inner workings.
“Glory to Ukraine,” the leaker said in their message.
The shared conversations show that Conti used fake front companies to attempt to schedule product demos with security firms like CarbonBlack and Sophos to obtain code signing certificates, with the operators working in scrum sprints to complete the software development tasks.
Additionally, the messages confirm the shutdown of the TrickBot botnet last week as well as highlight the Conti group’s close relationship with the TrickBot and Emotet malware gangs, the latter of which was resurrected late last year through TrickBot.
A message sent by one of the members of the group on February 14, 2022 goes: “TrickBot does not work. The project was closed.”
On top of that, the leaker is also believed to have released the source code associated with TrickBot’s command dispatcher and data collector modules, not to mention the ransomware group’s internal documentation, its administrative panel, and a password-protected archive containing the source code for the locker, decryptor, and the builder.