On Sunday, February 27th, an individual or group calling themselves “ContiLeaks” on Twitter emailed multiple journalists with a link to download an archive that allegedly contained leaked chat messages from the private Jabber server used by the Conti Ransomware group. The messages were from the timeframe January 2021 through February 27th, 2022. Review of the messages by security researchers, including intelligence analysts at Binary Defense, confirmed many of them to match with known information about Conti ransomware victims, and the content of the messages overall appeared to be consistent with Conti threat actors and affiliates.
The person who leaked the messages claimed that they were motivated by loyalty to Ukraine, and that they did so because the Conti threat group posted on their private blog on February 25th that Conti supported the Russian invasion of Ukraine, threatening retaliation by attacks against the critical infrastructure of any country that opposed Russia and supported Ukraine. Reporting to date indicates that it may be a private cybersecurity researcher based in Ukraine who decided to leak the chat data publicly.
The notes to journalists promised more leaks would be coming in the future but did not provide any specific details or timeline. The content of the chat messages has already proven to be a treasure trove of intelligence information about the inner workings of the Conti ransomware group and their plans, including information about their plans in May 2021 to pay a defense attorney a $10,000 retainer to represent Alla Witte, an alleged software developer for Conti and Latvian national who was criminally charged by the US Department of Justice and arrested when she visited Florida.
Binary Defense analysts obtained copies of the chat messages and began analysis of the contents. There were over 60,000 individual messages, mainly in Russian language, but only about 25,000 unique messages because of many repeated messages, quoted messages, and one-to-many messages that were broadcast to the group (such as announcements).
The data included information about IP addresses, usernames and passwords for infrastructure, some belonging to the threat group but most belonging to alleged victims of their crimes. Some of the chats show how the Conti group interviewed applicants for support roles such as Systems Administrator by asking basic knowledge questions over Jabber chat, quickly deciding to hire them, and making arrangements for payment.
The data also included many Bitcoin addresses and context of the surrounding chat to understand how those addresses were used, mostly for victim payments. Some URLs and screenshot images referenced in the chats provided more visual evidence of the group’s activity, including dashboards that showed the current numbers of victims and statistics about endpoint security products in use and what countries the victims were located in.
Studying the Conti chats will continue to provide valuable information to threat researchers for quite some time to come.
conti jabber leaks https://t.co/0FzXiXhI2d
— conti leaks (@ContiLeaks) February 27, 2022
2022-02-28:👁️Most fascinating detail yet reveals the Conti/TrickBot cybercrime group plan to support extradited 🇱🇻Latvian national "Allka" aka Alla Witte legal defense with $10K while she is being transferred from FL to OH
— Vitali Kremez (@VK_Intel) February 28, 2022