Many members of Conti are believed to be based in Russia or surrounding regions. For years, the Kremlin has largely turned a blind eye to cybercriminals based in the country, making it a homebase for several ransomware groups. The leaked Conti Files revealed some high-level members of the gang appear to have connections to the Russian state and security services. Some members of the group have chatted about working on “political” subjects and knowing members of the Russian hacking group Cozy Bear, also known as Advanced Persistent Threat 29.
“Conti has publicly acknowledged its connection with foreign governments, specifically its support of the Russian government,” says US Air Force major Katrina Cheesman, a spokesperson for the Cyber National Mission Force. “Based on its ties to Conti and other indicators, it is assessed the leadership of the organized crime group known as Wizard Spider likely have a connection to government entities inside of Russia,” Cheesman adds.
Since the Conti Files were leaked in early March, multiple cybersecurity firms have pored over the documents. It is believed that Professor, who is included in the reward program’s call for information and is also involved in Trickbot, oversees much of the ransomware deployment and is a “significant player” in the operation, according to security experts. In other cases, several online monikers used by actors of the Conti group may, in fact, be the same person.
Aside from the Conti Files, there have been other leaks from the wider cybercrime syndicate. Earlier this year, a Twitter account called Trickleaks started posting the alleged names and personal details of Trickbot members. The doxxing, which has not been independently verified but is believed to be at least partly accurate, shows photos of alleged members and their social media accounts, passport details, and more.
Jeremy Kennelly, a senior manager in financial crime analysis at cybersecurity firm Mandiant, says that continued action against Conti and Trickbot is “critical” in helping to stop ransomware groups from making money and attacking businesses. “Stripping anonymity from key players, offering bounties, seizing illicit funds, and making public declarations of intent are important actions that may help to increase the real and perceived risks of engaging in ransomware operations, and may ultimately lead to a chilling effect among some criminal actors and/or organizations,” Kennelly says.
The Rewards for Justice officials say that they will be publishing their call for information about the Conti members in multiple different languages and urge people to get in touch via a Tor link. All of the tips it receives will be verified and multiple steps must be passed before a payment is made. They say it is theoretically possible that multiple $10 million rewards could be issued. They are specifically targeting Russian-language online spaces, saying the reward details will be posted to Russian social network VK and also hacking forums.
In recent weeks, Conti’s activities have dwindled, as it is believed the group is attempting to rebrand following the leaking of its internal chats. However, many of the members are still thought to be active and involved in other cybercrime efforts. These kinds of ransomware attacks can have a huge impact on businesses and wider society.
“While these are not state-sponsored groups, they routinely carry out attacks as impactful as any nation state group and they need to be treated as such,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “This likely won’t lead to the arrest of members of Conti, unless any of them are dumb enough to step foot outside of Russia. The intelligence that might be gathered through this reward could prove to invaluable.”