Working for a ransomware gang is surprisingly mundane, according to these leaks

Someone leaked months of Conti ransomware gang internal chat logs, which show the day-to-day reality of its operations.
Written by Danny Palmer, Senior Writer

A choice of office-based, hybrid or remote work, a human resources team with a strict hiring process, performance reviews, career progression and bonuses: it all sounds like the standard set-up at any software development team.

But these aren't the working conditions at a software company. They are the working conditions at Conti, a major ransomware group responsible for a string of high-profile incidents around the world, including cyberattacks that have disrupted businesses, hospitals, government agencies and more.

Last month, Conti, which many cybersecurity experts believe operates out of Russia, came out in support of the Russian invasion of Ukraine. This annoyed someone who then leaked months of Conti's internal chat logs, providing inside information on the day-to-day operations of one of the most prolific ransomware operations on the planet.


And while Conti's actions – hacking into networks, encrypting files and demanding ransom payments of millions of dollars for a decryption key – can have a dramatic impact on the organisations that fall victim, the leaks paint a relatively mundane picture of an organisation with coders, testers, system administrators, HR personnel and other staff.

Researchers analysing the logs were able to identify a range of different job roles across the organisation: the HR team responsible for making new hires, the malware coders, testers, 'crypters' who work on code obfuscation, sysadmins who build the attack infrastructure, the gang's offensive team, who aim to turn an initial breach into full control of the targeted network, and the negotiation staff who try to make a deal with the victims.

Many of those who join Conti are recruited via advertisements on underground dark web forums, but some are approached using more traditional means, such as Russian recruitment websites, head-hunting services and word of mouth. Like any other hiring process, applicants are interviewed to ensure they have the right skills and would be a good fit for the group.

According to analysis of the leaks by cybersecurity researchers at Check Point, some people recruited by Conti aren't even aware they're working for an illegal operation, at least initially – the leaks suggest that some of those brought in for interviews are told they're helping to develop software for penetration testers. 

One leaked chat shows a member of Conti's staff who, unlike almost everyone else in the group, uses his real name, and who was confused about what the software he was working on actually did, and why the people he worked with went to such lengths to protect their identities.


In this case, his manager tells the employee he's helping to build the backend for analytics software. And this wasn't a one-off: there are many members of the Conti gang who seemingly don't grasp how they're involved in cybercrime.

"There are dozens of employees that were hired via legitimate job processes and not via underground forums. It is tough to tell how many of them don't understand at all what they are doing, but many of them for sure don't understand the real scope of the operation and what exactly their employer is doing," Sergey Shykevich, threat intelligence group manager at Check Point Software, told ZDNet. 

Sometimes these initially unwitting accomplices to cybercrime later discovered what they were helping to build. In these cases, managers attempted to reassure their employees with the offer of a pay rise, and many opted to stay, the lucrative nature of the work being more appealing than quitting to find another job.

While many of the roles are purely online, Conti's chat logs reveal that it isn't unusual for members of the group to work from communal offices and workspaces in Russian cities. Once again, the chat logs show the day-to-day events and incidents the employees face; for example, one person sent messages asking colleagues to let them in because a door had jammed from the outside.

The leaks have provided cybersecurity researchers with valuable insight into how one of the world's most notorious ransomware operations works, as well as the tools and techniques it uses to extort ransoms out of victims. 

But despite the embarrassment for a ransomware operation of having so much internal data leaked – especially given that a key Conti tactic is to threaten to publish stolen data if its victims don't pay the ransom – it's unlikely to be the end of the group, which is still publishing information on new victims.


Some employees might leave, but even for those who unwittingly signed up to cybercrime, the lure of reliable income could still be enough to encourage them to stay – especially as sanctions against Russia could potentially restrict their employment opportunities. 

"I don't see any scenario that they will stop with the cybercrime activity completely," said Shykevich.

"The availability of potential positions in the legitimate tech sector in Russia for developers and pen testers has become much lower, so I think even the unwitting employees that now understand what they are doing will move to cybercrime, as it will be difficult for them to find a legit job," he added.

Ransomware remains a major cybersecurity threat that can cause a huge amount of disruption to organisations of all kinds. The best defence against ransomware is to make the network as hard to break into as possible, with appropriate levels of security, including the use of multi-factor authentication across the network.

It's also vital for organisations to apply security updates and patches for known software vulnerabilities as soon as possible, as unpatched vulnerabilities, along with weak usernames and passwords, are among the key entry points exploited to launch ransomware attacks.
