Many Conti members are believed to be based in Russia or nearby regions. For years, the Kremlin has largely turned a blind eye to cybercriminals based in the country, making it a base for several ransomware groups. The leak of the Conti files revealed that some high-ranking members of the gang appear to have ties to Russian government and intelligence agencies. Some members of the group have talked about working on “political” topics and are familiar with members of the Russian hacking group Cozy Bear, also known as Advanced Persistent Threat 29.
“Conti has publicly acknowledged its ties to foreign governments, specifically its support for the Russian government,” said US Air Force Maj. Katrina Cheeseman, a spokeswoman for the Cyber National Mission. “Based on the connections with Conti and other indicators, it can be assumed that the leadership of the organized crime group known as Wizard Spider is likely to have ties to government structures in Russia,” Cheeseman adds.
After the Conti files were leaked in early March, several cybersecurity firms reviewed the documents. Professor, who is named in the bounty program and is also involved in Trickbot, is believed to have overseen much of the ransomware deployment and is a “major player” in the operation, according to security experts. In some cases, multiple online aliases used by Conti actors may actually belong to the same person.
Besides the Conti files, there have been other leaks from the wider cybercriminal syndicate. Earlier this year, a Twitter account called Trickleaks began publishing the alleged names and personal details of Trickbot members. The doxxing, which has not been verified by an independent organization but is believed to be at least partially accurate, shows alleged members’ photos and their social media accounts, passport details and more.
Jeremy Kennelly, senior manager of financial crime analysis at cybersecurity firm Mandiant, says continued action against Conti and Trickbot is “critical” to stopping ransomware groups from making money and attacking businesses. “De-anonymizing key players, offering bonuses, confiscating illicit funds and making public statements of intent are important actions that can help increase the real and perceived risks of engaging in ransomware operations and can ultimately lead to a chilling effect among some criminal actors and/or organizations,” says Kennelly.
Rewards for Justice officials say they will publish their call for information on Conti members in multiple languages and encourage people to get in touch via a Tor link. All tips received will be verified, and several steps must be completed before payment. They say it is theoretically possible to award multiple $10 million rewards. They are particularly targeting the Russian-speaking internet space, saying that the details of the reward will be posted on the Russian social network VK as well as on hacker forums.
Conti’s activity has been reduced in recent weeks as the group is believed to be trying to rebrand itself after its internal chats were leaked. However, many members are still considered active and involved in other cybercrime efforts. Ransomware attacks like these can have a huge impact on businesses and society at large.
“Although these groups are not state-sponsored, they typically carry out attacks as powerful as any nation-state group and should be treated as such,” said Allan Liska, an analyst at security firm Recorded Future who specializes in ransomware. “This will most likely not lead to the arrest of Conti members unless one of them is stupid enough to go outside of Russia. The intelligence that can be gleaned from this reward could prove invaluable.”