Conti leaks: Life inside a ransomware criminal gang is not that different to a regular office

Aaron Patrick
The Nightly
The everyday life inside Russia’s notorious ransomware gang shared a lot of similarities with regular office jobs. Credit: Artwork by Olivia Desianti/The Nightly

Working at one of Russia’s leading online-extortion businesses was remarkably similar to life in a regular company: a strict hierarchy, influential human resources department, organisational stuff-ups and a stream of repetitive bureaucratic emails.

For a while the group, known as Conti, was one of the world’s most successful ransomware gangs.

From early 2020 to mid-2022, when it stopped operating, Conti generated an estimated $250 million to $300 million in revenue. Among its victims were hospitals across the US and Europe, including the Irish national health service, which suffered a catastrophic IT failure in 2021 that cost almost $1 billion to fix.


Several Australian companies fell victim to Conti too, including a Queensland government power business, CS Energy.

On Friday, four Australian criminologists published an in-depth analysis of the gang’s internal communications, based on 168,740 messages leaked in 2022. The researchers concluded Conti was structured like a typical hierarchical company.

Admin staff

A CEO, known as Stern, managed three senior managers who had responsibility for human resources, operations and programming. Below them were four mid-level managers responsible for overseeing departments that created and tested the ransomware, identified targets, inserted the malicious software onto their computer systems, negotiated ransom payments and used contractors to launder the money.

There were even six administrative staff responsible for paying invoices, keeping internal computer systems running and providing regular IT support, including resetting passwords.

“Here is a sophisticated cyber criminal group that resembles what we would expect to see for a medium-sized software company in terms of its structures and processes,” co-author Chad Whelan said in an interview.

Researchers hope that by studying ransomware gangs, who steal data and attack computer systems, they can help law-enforcement agencies work out how to fight back against one of the criminal world’s fastest-growing industries.

Ransomware attacks are often carried out from countries beyond the reach of Western police forces, including Russia, China and North Korea. The average ransom paid by Australian companies over the past five years was $1.35 million, according to McGrathNicol, a business-advice firm. Of the companies that agreed to participate in its survey, 69 per cent reported being targeted by a ransomware attack.

‘We’re out of bitcoins’

The Conti leaks showed how a criminal business operates in supportive countries, advertising for staff, opening offices and paying commercial suppliers.

Many Conti workers found the work mundane. On September 23, 2020, a low-level employee identified as Carter wrote to the CEO: “Forgot to pay for the anchor domain, and as a result, when trying to renew it was abused and we /probably/ f---ed up the bots.”

Six months later Carter complained a bitcoin fund used to pay for VPN (an internet service which masks the location of the user) subscriptions, antivirus software licenses, new computer servers and internet domain registrations was short $US1,240, according to Brian Krebs, a US computer-security commentator who conducted a separate review of the messages.

“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote in November, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”

Hiring staff

The Australian researchers, from Deakin University in Victoria, were able to identify the functions of 104 of the approximately 450 people who worked at Conti.

Six people were identified as being responsible for recruiting and processing new employees, who were typically paid $US10,000 ($15,000) to $US20,000 a month, depending on their experience.

One of the HR managers wrote to his or her colleagues: “Hi everyone, send me your reports. Also write down these numbers: 1) How many people are waiting for an interview. 2) Which of the system administrators fell off without waiting for the interview.”

In July, 2021, an employee called “Mango” told Stern they were posting ads on Russian-language cybercrime forums for more workers, according to Mr Krebs.

“The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

An intelligence analyst was assigned to find potential targets using the internet. The business was so busy it hired two negotiators to haggle with victims for payment in a cryptocurrency. “So, if our offer is unreasonable for you, we can give you a serious discount,” one wrote. “Now your price is 2,000,000.”

The negotiators were assisted by an operations support team, which told the negotiators how much to ask for and provided them with decryption keys, which victims used to retake control of their computers.

The end

The messages showed that Conti was very good at identifying ransomware targets, and conducted numerous internal debates over how much the corporate victims should pay, according to Mr Krebs.

The end was triggered not by an external investigation but by an internal leak.

On 25 February 2022, Conti published a message on the darknet pledging support for Russia’s invasion of Ukraine, which had begun the day before. The show of support for President Vladimir Putin was the beginning of the end for the group, according to the Global Initiative Against Transnational Organised Crime.

Two days later a Twitter profile using the handle @ContiLeaks began releasing the group’s communications onto the internet. Some thought the files, dubbed the “Panama Papers of ransomware”, came from a Ukrainian security researcher or an anti-war protest group.

With Conti’s profile rising, the US government offered $US10 million for the identification or location of five key operators, including Stern. The business disintegrated, despite pulling off one more big attack against the Costa Rican government.

Micro-manager

Vitaly Nikolayevich Kovalev. Credit: supplied/United States Secret Service

Four weeks ago Germany’s federal police agency alleged that Stern is a 36-year-old Russian named Vitaly Kovalev, who has been wanted since 2012 by the US Secret Service for allegedly stealing more than $1 million from three US banks when he was 21.

The German police said the Conti messages helped them identify Mr Kovalev. He is now on Interpol’s wanted list.

The Australian criminologists found Mr Kovalev communicated more with Conti’s coders, developers and testers than with his senior managers, suggesting he is a micro-manager CEO. He also spent a lot of time sending messages to his HR and administration department.

The middle managers communicated extensively with the senior managers, perhaps demonstrating that the pressure to manage upwards is universal.
