A Russian-language ransomware gang’s internal communications have leaked online and exposed private information about the group just days after the hackers vowed to retaliate against anyone who targeted Moscow with cyberattacks.
The leak appears to be the latest skirmish in a growing cyber conflict between groups supporting Moscow and Kyiv, and like the war on the ground in Ukraine, is now drawing in volunteers.
A malware research group that calls itself vx-underground posted a link to the leaked conversations on Twitter and said they belonged to Conti, a ransomware gang that has extorted millions from victims world-wide. The files were leaked by a Conti member, according to the Twitter account, who said they were accompanied by a message of hostility to the Russian government that also read: “Glory to Ukraine!”
Several cybersecurity experts have said the leaked chat logs, which are in Russian, appear authentic and expose details about Conti’s victims and its hacking tools. Bill Demirkapi, a security researcher, posted an English translation of the files after running them through a Google Translate script.
On Friday, Conti said it was supporting the Kremlin and threatened to respond forcefully to cyberattacks against Russia.
“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti group, which has extracted millions in ransom payments from U.S. and European victims, said in a blog post.
Conti is among the most notorious strains of Russia-linked ransomware that have plagued victims across the globe. Last year, Conti ransomware was used in attacks on Ireland’s public-health infrastructure and in 16 targeted attacks on U.S. emergency responders, including hospitals and 911 call centers, according to the Federal Bureau of Investigation.
Like many ransomware groups, Conti relies on a sort of revenue-sharing model where those who develop the ransomware code share it with so-called affiliates who engage in attacking victims. While Conti is believed to be based in Russia, some of its affiliates might reside in other Eastern European countries, such as Ukraine, experts have said.
The leak came amid a flurry of reports of low-level cyber activity during Russia’s invasion of Ukraine, much of which appears not to be directly connected to either government. The main Kremlin website and other Russian government websites have been intermittently inaccessible in recent days, and Anonymous, a loosely organized group that says it engages in hacktivism, took credit. Separately, a hacking group that claims it is based in Belarus said it was targeting Russian troops heading toward Ukraine via the Russia-allied country to slow their movements.
Mykhailo Fedorov, Ukraine’s vice prime minister for digital transformation, said Saturday the country was enlisting a volunteer “IT army” and inviting those interested to join a Telegram channel.
“There will be tasks for everyone,” Mr. Fedorov said. “We continue to fight on the cyber front.”