Conti ransomware gang backs Russia, threatens U.S.

The Conti ransomware gang said it will use "retaliatory measures" against the United States should Russian critical infrastructure be attacked by "Western warmongers," according to a post on its leak site.

Conti, first detected in 2020, is a prolific ransomware gang observed in a number of high-profile attacks, including data backup vendor ExaGrid last year. Notably, a string of attacks in early 2020 led to a security alert from the FBI.

Conti initially pledged its support for Russia last week in two statements released on the group's data leak site. In the first, posted Feb. 25, Conti "officially" announced "full support of the Russian government" shortly after the nation invaded neighboring Ukraine. The gang threatened to use "all possible resources" to attack the critical infrastructure of any enemy who organizes "a cyberattack or any war activities."

This post was replaced with a longer one Sunday, which notably featured language that was more defensive in nature; it also did not explicitly pledge "full support" like the first.

"As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation," it read, "the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.

"We do not ally with any government and we condemn the ongoing war," the new post continued. "However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression."

On Sunday, tens of thousands of alleged internal Jabber messages between Conti gang operators were leaked through an anonymous file dump. The leaker wrote in an attached message that Conti "just lost all their s***" before closing with "Glory to Ukraine!"

It is unclear who exactly leaked the logs. However, AdvIntel CEO Vitali Kremez told SearchSecurity that he believes it was a security researcher rather than a Conti member or affiliate.

"Someone who obtained the server logs from the Jabber infrastructure is highly unlikely to be an affiliate," he said.

The files contain a vast quantity of internal discussions between gang operators, including information on supposed ransomware victims and the presence of a legal department within Conti. Threat analysts from multiple organizations have weighed in on the leaks with a general consensus that they came from Conti.

"The leaked chats appear to be the real deal," Emsisoft threat analyst Brett Callow said. "However, how much of the information contained in them is accurate is an entirely different matter, and it will take time to work out."

Alexander Culafi is a writer, journalist and podcaster based in Boston.