Many of Conti’s members are believed to live in Russia or the surrounding area. For years, the Kremlin has largely turned a blind eye to the country’s cybercriminals, making it a base for several ransomware groups. Leaked Conti documents show that some senior members of the gang appear to have ties to Russian state and security services. Some members of the group talked about working on “political” topics and met members of the Russian hacking group Cozy Bear, also known as Advanced Persistent Threat 29 (APT29).
“Conti has openly acknowledged ties to foreign governments, particularly support for the Russian government,” said U.S. Air Force Major Katrina Cheesman, a spokeswoman for the Cyber National Mission Force. “Based on its links to Conti and other indicators, it has been assessed that the leadership of the organised crime group known as Wizard Spider may have ties to government entities within Russia,” Cheesman added.
Since the Conti documents leaked in early March, multiple cybersecurity firms have scrutinized them. According to security experts, the member known as “Professor” is believed to be among those named in the reward program’s call for information, as is the Trickbot figure who oversaw much of the ransomware deployment and was a “significant player” in the operation. In other cases, several online nicknames used by Conti actors may actually belong to the same person.
In addition to the Conti files, there have been other leaks from the wider cybercriminal group. Earlier this year, a Twitter account called Trickleaks began posting the names and personal details of alleged Trickbot members. The dox, which has not been independently verified but is believed to be at least partially accurate, revealed photos of alleged members along with their social media accounts, passport details and more.
Jeremy Kennelly, senior manager of financial crime analysis at cybersecurity firm Mandiant, said continued action against Conti and Trickbot is “critical” to helping stop ransomware groups from making money and attacking businesses. “Depriving key actors of anonymity, offering bounties, confiscating illicit funds, and publicly declaring intent are important actions that may help increase the actual and perceived risk of participating in ransomware operations, and may ultimately lead to a chilling effect for some criminal actors and/or organizations,” Kennelly said.
Rewards for Justice officials said they would be issuing calls for information about Conti members in many different languages and urged people to get in touch via a Tor link. Every tip the program receives will be verified, and multiple steps must be passed before any payment is made. They say it is theoretically possible to issue multiple $10 million rewards. They are specifically targeting the Russian-speaking online space, saying that details of the reward will be posted to the Russian social network VK and to hacker forums.
Conti’s activity has dwindled in recent weeks as the group is believed to be trying to rebrand after its internal chats were leaked. However, many members are still considered active and involved in other cybercriminal activities. These types of ransomware attacks can have a huge impact on businesses and wider society.
“While these are not state-sponsored groups, they typically conduct attacks as impactful as any nation-state group, and they need to be treated the same,” said Allan Liska, an analyst at Recorded Future, a security firm specializing in ransomware. “It most likely won’t lead to the arrest of Conti members unless any of them are stupid enough to walk out of Russia. The intelligence that might be gathered through this kind of reward could prove invaluable.”