Russian ransomware hackers pledge support to Putin and immediately have secret chats exposed by Ukrainian leaker

A ransomware cabal that pledged support for Russia’s invasion of Ukraine has been hacked.

A cache of chat logs belonging to the Conti ransomware gang leaked online by an insider who objected to their support of Vladimir Putin.

"Fuck the Russian government”, the leaker said in their message. “Glory to Ukraine!"

The leak, shared with malware research group VX-Underground, contained 400 files of tens of thousands of chat logs in Russian dating back to January 2021; the group only formed in mid-2020.

The gang provides ransomware-as-a-service, letting customers buy access to its attack facilities. Estimates suggest the group was received over $30 million in ransomware payments to date. Reportedly, the chat logs contain Bitcoin addresses and payments made to the gang.

It is also possible that the group has ties to Russian intelligence, with reports suggesting that the chat logs confirm a chain of command between the group and Russian agencies.

On 25 February, the group shared a message saying that it had “full support” for Mr Putin.

"If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy," the Conti blog post read.

Two days later, the group uploaded another message in which they claimed to condemn the war but would still support their home country.

“The Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world”, they wrote.

“We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

The Conti ransomware team did not respond to a request for comment from The Independent before time of publication.

It is not clear who leaked the messages as their identity has not been revealed but Alex Holden, founder of cybersecurity company Hold Security and a Ukrainian, said that it had been leaked by a “Ukrainian citizen, a legitimate cybersecurity researcher, who is doing this as part of his war against cybercriminals who support the Russian invasion”.

The leak could be a severe hit for the ransomware group “not least because their affiliates and other associates will have lost confidence in the operation,” said Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch.

“They’ll undoubtedly be wondering when the operation was compromised, whether law enforcement was involved and whether there are any breadcrumbs which could lead to them.”

While Conti supports Russia, other hacking collectives have come in behind Ukraine. This includes members of Anonymous and a group called the Cyber Partisans which encrypted the data of parts of the Belarusian rail network.

Ukraine has also been bolstered by a volunteer ‘IT Army’ which gained around 230,000 subscribers in the days since it was launched, encouraged by members of the Ukrainian government.

There could be, however, deep ramifications for encouraging normal citizens to take on cyber warfare and unforeseen knock-on effects, especially as common cyber attacks such as Distributed Denial of Service (DDoS) which floods websites with traffic to make them unusable have become more easily accessible over time.