{"id":18519,"date":"2022-03-16T10:45:05","date_gmt":"2022-03-16T18:45:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/16\/news-12252\/"},"modified":"2022-03-16T10:45:05","modified_gmt":"2022-03-16T18:45:05","slug":"news-12252","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/16\/news-12252\/","title":{"rendered":"The Workaday Life of the World\u2019s Most Dangerous Ransomware Gang"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62312ee47a22075957fa019c\/master\/pass\/security-randsomewhere.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Wed, 16 Mar 2022 11:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">The Conti ransomware<\/span> gang was on top of the world. 
The sprawling network of cybercriminals extorted <a data-offer-url=\"https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-ransomware\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-ransomware\/&quot;}\" href=\"https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-ransomware\/\" rel=\"nofollow noopener\" target=\"_blank\">$180 million from its victims last year<\/a>, eclipsing the earnings of all other <a href=\"https:\/\/www.wired.com\/tag\/ransomware\">ransomware<\/a> gangs. Then it backed <a href=\"https:\/\/www.wired.com\/story\/ukraine-it-army-russia-war-cyberattacks-ddos\/\">Vladimir Putin\u2019s invasion of Ukraine<\/a>. And it all started falling apart.<\/p>\n<p class=\"paywall\">Conti\u2019s implosion started with a single post on the group\u2019s website, usually reserved for posting the names of its victims. 
Hours after <a href=\"https:\/\/www.wired.com\/story\/ukraine-russia-war-tiktok\/\">Russian troops crossed Ukrainian borders<\/a> on February 24, Conti <a data-offer-url=\"https:\/\/twitter.com\/BrettCallow\/status\/1497249143663652865\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/BrettCallow\/status\/1497249143663652865&quot;}\" href=\"https:\/\/twitter.com\/BrettCallow\/status\/1497249143663652865\" rel=\"nofollow noopener\" target=\"_blank\">offered<\/a> its \u201cfull support\u201d to the Russian government and threatened to hack critical infrastructure belonging to anyone who dared to <a href=\"https:\/\/www.wired.com\/story\/hacktivists-pandemonium-russia-war-ukraine\/\">launch cyberattacks against Russia<\/a>.<\/p>\n<p class=\"paywall\">But while many Conti members <a href=\"https:\/\/www.wired.com\/story\/cl0p-ransomware-russia-putin-biden\/\">live in Russia<\/a>, its scope is international. The war has divided the group; privately, some had railed <a data-offer-url=\"https:\/\/twitter.com\/HoldSecurity\/status\/1499186845699170305\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/HoldSecurity\/status\/1499186845699170305&quot;}\" href=\"https:\/\/twitter.com\/HoldSecurity\/status\/1499186845699170305\" rel=\"nofollow noopener\" target=\"_blank\">against Putin\u2019s invasion<\/a>. And while Conti\u2019s ringleaders scrambled to retract their statement, it was too late. The damage had been done. Especially because the dozens of people with access to Conti\u2019s files and internal chat systems included a Ukrainian cybersecurity researcher who had infiltrated the group. 
They proceeded to rip Conti wide open.<\/p>\n<p class=\"paywall\">On February 28, a newly created Twitter account called @ContiLeaks released more than <a data-offer-url=\"https:\/\/intelx.io\/?did=c1a56526-a254-4536-952f-cd9926f587c3\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/intelx.io\/?did=c1a56526-a254-4536-952f-cd9926f587c3&quot;}\" href=\"https:\/\/intelx.io\/?did=c1a56526-a254-4536-952f-cd9926f587c3\" rel=\"nofollow noopener\" target=\"_blank\">60,000 chat messages<\/a> sent among members of the gang, its source code, and scores of internal Conti documents. The scope and scale of the leak is unprecedented; never before have the daily inner workings of a ransomware group been laid so bare. \u201cGlory to Ukraine,\u201d @ContiLeaks tweeted.<\/p>\n<p class=\"paywall\">The leaked messages, reviewed in depth by WIRED, provide an unrivaled view into Conti\u2019s operations and expose the ruthless nature of one of the world\u2019s most successful <a href=\"https:\/\/www.wired.com\/tag\/ransomware\/\">ransomware gangs<\/a>. Among their revelations are the group\u2019s sophisticated businesslike hierarchy, its members\u2019 personalities, how it dodges law enforcement, and details of its ransomware negotiations.<\/p>\n<p class=\"paywall\">\u201cWe see the gang progressing. We see the gang living. We see the gang committing crimes and changing over the course of several years,\u201d says Alex Holden, whose company <a data-offer-url=\"https:\/\/twitter.com\/HoldSecurity\/status\/1498079060660006916\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/HoldSecurity\/status\/1498079060660006916&quot;}\" href=\"https:\/\/twitter.com\/HoldSecurity\/status\/1498079060660006916\" rel=\"nofollow noopener\" target=\"_blank\">Hold Security<\/a> has tracked Conti members for most of the last decade. 
Holden, who was born in Ukraine but lives in America, says he knows the cybersecurity researcher who leaked the documents but says they are staying anonymous for safety reasons.<\/p>\n<p class=\"paywall\">The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best practices to keep the group\u2019s members hidden from law enforcement.<\/p>\n<p class=\"paywall\">At the top of the business is Stern, who also goes by Demon and acts as the CEO\u2014Conti members call Stern the \u201cbig boss.\u201d All Conti members have pseudonymous usernames, which can change. Stern regularly chases people on their work and wants to account for their time. \u201cHello, how are you doing, write the results, successes or failures,\u201d Stern wrote in one message sent to more than 50 Conti members in March 2021.<\/p>\n<p class=\"paywall\">The Conti chat logs span two years, from the start of 2020 until February 27, 2022\u2014the day before the messages leaked. In February <a href=\"https:\/\/www.wired.com\/story\/trickbot-malware-group-internal-messages\/\">WIRED reported on a small number of the messages<\/a>, after they were provided by another source. The conversations are fragmented\u2014think of taking your WhatsApp or Signal messages out of context\u2014and were released in their original Russian form. WIRED reviewed a machine-translated version of the messages.<\/p>\n<p class=\"paywall\">Some of the most revealing discussions take place between Stern and Mango, who acts as a general manager within Conti. Mango frequently launches into long monologues in private chats to Stern, either bemoaning team members or providing Stern with updates on the group\u2019s projects. 
\u201cThey seem to be responsible for procuring different tools for different departments and making sure that the employees are being paid,\u201d says Kimberly Goody, director of cybercrime analysis at security firm Mandiant.<\/p>\n<p class=\"paywall\">The main Conti team consisted of 62 people, Mango told Stern in the middle of 2021. The exact number of Conti members fluctuates over time\u2014at some points reaching around 100\u2014as people join and leave the group. In one instance Stern says they are thinking of recruiting 100 more participants. \u201cThe group is so big that there are still middle managers,\u201d group member Revers tells Meatball in June 2021.<\/p>\n<p class=\"paywall\">Potential workers are funneled into Conti\u2019s recruitment system from hacker forums and also legitimate job websites across the web. There\u2019s even something of an onboarding process: When one new member joins the group they\u2019re introduced to their team leader who will dish out their tasks. \u201cI will hold a planning meeting in the evening and appoint you to the team,\u201d Revers says in another message.<\/p>\n<p class=\"paywall\">\u201cWhat could be striking at first glance is the size, structure, and hierarchy of the organization,\u201d says Soufiane Tahiri, a security researcher who has been <a data-offer-url=\"https:\/\/twitter.com\/S0ufi4n3\/status\/1499299607523831810\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/S0ufi4n3\/status\/1499299607523831810&quot;}\" href=\"https:\/\/twitter.com\/S0ufi4n3\/status\/1499299607523831810\" rel=\"nofollow noopener\" target=\"_blank\">reviewing the documents<\/a>. 
\u201cThey operate pretty much like a software development company, and contrary to popular belief it seems that many coders have salaries and do not take part in the paid ransom.\u201d<\/p>\n<p class=\"paywall\">Rank-and-file programmers are paid around $1,500 to $2,000 per month for their work, but those negotiating ransom payments can take a cut of the profits. The group even claimed to have <a data-offer-url=\"https:\/\/twitter.com\/HoldSecurity\/status\/1498364291468169219\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/HoldSecurity\/status\/1498364291468169219&quot;}\" href=\"https:\/\/twitter.com\/HoldSecurity\/status\/1498364291468169219\" rel=\"nofollow noopener\" target=\"_blank\">an unnamed journalist on its payroll<\/a> in April 2021, who would get a 5 percent cut by helping put pressure on victims to pay up. \u201cWe have salaries on the 1st and 15th, usually 2 times a month,\u201d Mango tells one member of the group. Sometimes Conti members ask for extra money due to family problems\u2014one claims they need more because their mother suffered from a heart attack\u2014or because they\u2019re cash-strapped.<\/p>\n<p class=\"paywall\">Money is a frequent subject of discussion within Conti\u2014at both a personal and group level. They debate the ransoms, often into millions of dollars, that they plan to charge businesses for providing them with decryption keys for their files. They discuss budgets available for buying equipment and the expenses of running physical offices and servers. 
\u201cThey also share a Google doc spreadsheet that contains a list of expenses,\u201d Goody says of one instance.<\/p>\n<p class=\"paywall\">But some Conti members display the bombast of <a data-offer-url=\"https:\/\/www.businessinsider.com\/millionaire-russian-hackers-evil-corp-car-pictures-video-2019-12?r=US&amp;IR=T#alongside-the-news-of-the-indictments-the-nca-released-a-variety-of-images-and-video-depicting-the-lavish-lifestyles-of-yakubets-and-his-cohorts-1\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.businessinsider.com\/millionaire-russian-hackers-evil-corp-car-pictures-video-2019-12?r=US&amp;IR=T#alongside-the-news-of-the-indictments-the-nca-released-a-variety-of-images-and-video-depicting-the-lavish-lifestyles-of-yakubets-and-his-cohorts-1&quot;}\" href=\"https:\/\/www.businessinsider.com\/millionaire-russian-hackers-evil-corp-car-pictures-video-2019-12?r=US&amp;IR=T#alongside-the-news-of-the-indictments-the-nca-released-a-variety-of-images-and-video-depicting-the-lavish-lifestyles-of-yakubets-and-his-cohorts-1\" rel=\"nofollow noopener\" target=\"_blank\">cybercriminals caught driving luxury cars and storing piles of cash<\/a>. Bio brags they have \u201c80k\u201d in their bank account and that they\u2019ve \u201cearned more this month with you than in 10 years.\u201d They quickly backtrack, saying they probably exaggerated. On another occasion Skippy says they purchased a 27-inch iMac with their earnings\u2014\u201cwanted all my life.\u201d<\/p>\n<p class=\"paywall\">Skippy was also excited about taking a holiday from work. In November 2021 they said they planned to fly abroad in the new year but were warned by Mango they could be arrested. \u201cIt&#x27;s up to you, of course, but I wouldn&#x27;t fly abroad,\u201d Mango said. Skippy replied asking if they are meant to \u201csit in Russia\u201d for the rest of their life. 
Mango advised making sure their phone is \u201cclean\u201d and not taking their laptop. On other occasions, gang members ask their superiors if the holiday they requested has been approved and if they can finish early.<\/p>\n<p class=\"paywall\">\u201cWe found through our logs that they have the full plethora of manuals of how they should maintain team spirit,\u201d says Vitali Kremez, the CEO of security company AdvIntel. Kremez\u2019s research is <a data-offer-url=\"https:\/\/twitter.com\/VK_Intel\/status\/1498761290709409792\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/VK_Intel\/status\/1498761290709409792&quot;}\" href=\"https:\/\/twitter.com\/VK_Intel\/status\/1498761290709409792\" rel=\"nofollow noopener\" target=\"_blank\">name-checked<\/a> by Conti multiple times throughout the chats. \u201cThey are not just making money, they are thinking about people and how to be more successful in the environment they have created.\u201d<\/p>\n<p class=\"paywall\">Many of the conversations are dull, daily chatter as group members become acquainted and even friendly with each other. On New Year\u2019s Eve 2021 some wished each other the best for 2022; members tell others they have caught Covid-19; they have issues with connectivity (&quot;damn sorry my internet is dead&quot;); and they bond with conversations about their partners or exes. The water cooler conversations are a stark contrast to Conti\u2019s dark work.<\/p>\n<p class=\"paywall\">Despite some camaraderie, staff turnover is high. Members appear to frequently leave, which necessitates constant recruitment. As WIRED previously reported, during 2020 the Conti members, as part of the wider Trickbot cybercrime gang, <a href=\"https:\/\/www.wired.com\/story\/trickbot-malware-group-internal-messages\/\">discussed opening six offices in St. Petersburg<\/a> for new recruits. 
In July 2021, Mango messaged Stern and said they were interested in moving onto Moscow \u201ctime\u201d and starting a new company. Echoing the rise in remote working over the last two years, Stern replied: &quot;now it&#x27;s better to manage the team from a laptop.&quot;<\/p>\n<p class=\"paywall\">Most of the leaked Conti chat messages are DMs sent with Jabber, but the group coordinates attacks using Rocket.Chat, a Slack-style platform that can be easily encrypted. Like Slack or Microsoft Teams, Rocket.Chat lists a group\u2019s channels down a left-hand panel.<\/p>\n<p class=\"paywall\">\u201cThere were channels created specifically for potential victims or infected victims,\u201d says \u00c9milio Gonzalez, a Canadian security researcher who studied the Conti files and re-created the group\u2019s Rocket.Chat <a data-offer-url=\"https:\/\/mobile.twitter.com\/res260\/status\/1498849174456000523\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/mobile.twitter.com\/res260\/status\/1498849174456000523&quot;}\" href=\"https:\/\/mobile.twitter.com\/res260\/status\/1498849174456000523\" rel=\"nofollow noopener\" target=\"_blank\">conversations<\/a>. Companies are listed as \u201cdead\u201d or \u201cdone\u201d in channel names. Each channel has two to four participants with different levels of seniority and responsibilities, Gonzalez says. \u201cThe conversation usually starts with credentials or access to a specific machine on the network of the victim.\u201d The attacks then progress from there. 
A review of February 2022 RocketChat messages by <a data-offer-url=\"https:\/\/theintercept.com\/2022\/03\/14\/russia-ukraine-conti-russian-hackers\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/theintercept.com\/2022\/03\/14\/russia-ukraine-conti-russian-hackers\/&quot;}\" href=\"https:\/\/theintercept.com\/2022\/03\/14\/russia-ukraine-conti-russian-hackers\/\" rel=\"nofollow noopener\" target=\"_blank\">The Intercept<\/a> shows the group discussing drug use and child sexual abuse content in general channels, and making anti-Semitic comments about Ukrainian president Volodymyr Zelensky.<\/p>\n<p class=\"paywall\">Beyond its chat messages, Conti uses common tools to organize. The team regularly references the <a href=\"https:\/\/www.wired.com\/story\/tor-anonymity-easier-than-ever\/\">Tor browser<\/a> for getting online and GPG and ProtonMail for encrypted emails, uses Privnote for self-destructing messages, and shares files through <a data-offer-url=\"http:\/\/file.io\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;http:\/\/file.io&quot;}\" href=\"http:\/\/file.io\" rel=\"nofollow noopener\" target=\"_blank\">file.io<\/a>, <a data-offer-url=\"http:\/\/qaz.im\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;http:\/\/qaz.im&quot;}\" href=\"http:\/\/qaz.im\" rel=\"nofollow noopener\" target=\"_blank\">qaz.im<\/a>, and Firefox\u2019s discontinued Send service. They also use databases, such as Crunchbase, to gather intelligence on the businesses they want to target.<\/p>\n<p class=\"paywall\">Within Conti\u2019s organizational structure is a team dedicated to open source intelligence that includes learning about potential threats. 
The group tried to purchase antivirus systems from security companies to test their malware against\u2014creating <a data-offer-url=\"https:\/\/news.sophos.com\/en-us\/2022\/03\/04\/countermeasures-and-observability-key-to-defending-against-attackers-trying-to-buy-security-products\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/news.sophos.com\/en-us\/2022\/03\/04\/countermeasures-and-observability-key-to-defending-against-attackers-trying-to-buy-security-products\/&quot;}\" href=\"https:\/\/news.sophos.com\/en-us\/2022\/03\/04\/countermeasures-and-observability-key-to-defending-against-attackers-trying-to-buy-security-products\/\" rel=\"nofollow noopener\" target=\"_blank\">fake companies to do so<\/a>. They circulate YouTube videos about the latest security research, watch what researchers say about them, and share news articles about the group. (One Conti member sent Stern a Russian summary of <a href=\"https:\/\/www.wired.com\/story\/trickbot-malware-group-internal-messages\/\">WIRED\u2019s February story about the Trickbot group<\/a> the day after it was published).<\/p>\n<p class=\"paywall\">As with any workplace, Conti members get frustrated with their colleagues. People don\u2019t reply to messages, they vanish while working (\u201che went to get a haircut\u201d), and they complain about long working hours. \u201cFor my part, I do not agree with the idea that I should be in touch 24 hours,\u201d Driver complained in March 2021. 
Working all hours of the day \u201cis a direct path to burnout,\u201d they said.<\/p>\n<p class=\"paywall\">The gang fines members who underperform or don\u2019t show up for work, <a data-offer-url=\"https:\/\/research.checkpoint.com\/2022\/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/research.checkpoint.com\/2022\/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of\/&quot;}\" href=\"https:\/\/research.checkpoint.com\/2022\/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of\/\" rel=\"nofollow noopener\" target=\"_blank\">analysis of the chats<\/a> by security firm CheckPoint shows. \u201cI have 100 people here, half of them, even 10 percent, do not do what they need,\u201d Stern said to Mango in the summer of 2021. \u201cAnd they only ask for money, because they think that they are fucking useful.\u201d At another point, Stern scolds one person: \u201ceveryone works except for you.\u201d<\/p>\n<p class=\"paywall\">The Conti member Dollar is a particular pain. On January 20, 2022, the handle Cyberganster launched into a tirade about Dollar to Mango. \u201cLet&#x27;s get the dollar out of the game,\u201d Cyberganster writes. \u201cHe is a fucked up bastard.\u201d It\u2019s claimed that Dollar targeted hospitals with the group\u2019s ransomware despite being told not to. 
Conti members say they have a rule of not attacking hospitals or medical centers, although a May 2021 attack against <a data-offer-url=\"https:\/\/www.google.com\/search?q=conti+health+service+ireland&amp;oq=conti+health+service+ireland&amp;aqs=chrome..69i57.5316j0j9&amp;sourceid=chrome&amp;ie=UTF-8\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.google.com\/search?q=conti+health+service+ireland&amp;oq=conti+health+service+ireland&amp;aqs=chrome..69i57.5316j0j9&amp;sourceid=chrome&amp;ie=UTF-8&quot;}\" href=\"https:\/\/www.google.com\/search?q=conti+health+service+ireland&amp;oq=conti+health+service+ireland&amp;aqs=chrome..69i57.5316j0j9&amp;sourceid=chrome&amp;ie=UTF-8\" rel=\"nofollow noopener\" target=\"_blank\">Ireland\u2019s health service cost<\/a> the organization $600 million to recover from. Six days after the complaint from Cybergangster, Mango confronts Dollar. \u201cYou really [are] more problems than good,\u201d one message in a series of 11 says. Mango says \u201ceveryone constantly complains about you and gets angry\u201d and accuses Dollar of spoiling the gang\u2019s \u201creputation\u201d by targeting hospitals.<\/p>\n<p class=\"paywall\">Despite their everyday work life being exposed, the Conti group hasn\u2019t gone away. But the messages include a trail of personal details, such as the handles they use online, Bitcoin addresses, and email addresses. \u201cIf this information is true, it definitely makes life easier for law enforcement,\u201d says Tahiri. 
\u201cBy dismantling the group behind Trickbot\/Conti we can be sure that the whole infrastructure will suffer.\u201d It\u2019s something the group\u2019s members are well aware of: \u201cWe are already in the news,\u201d read one of the last messages sent before the leak.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62312ee47a22075957fa019c\/master\/pass\/security-randsomewhere.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Wed, 16 Mar 2022 11:00:00 +0000<\/strong><\/p>\n<p>A Ukrainian researcher leaked 60,000 messages from inside the Conti ransomware group. This is what they reveal.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18519","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18519"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18519\/revisions"}],"wp:attachment":[{
"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}