



Many Conti members are believed to be based in Russia or surrounding regions. For years, the Kremlin has largely turned a blind eye to cybercriminals based in the country, making it a base for several ransomware groups. Leaked Conti files revealed that some high-level members of the gang appear to have ties to the Russian state and security services. Members of the group discussed their work on political topics and knowledge of members of the Russian hacking group Cozy Bear, also known as Advanced Persistent Threat 29.

Conti has publicly acknowledged its ties to foreign governments, particularly its support for the Russian government, said U.S. Air Force Maj. Katrina Cheesman, spokeswoman for the Cyber National Mission Force. Based on its ties to Conti and other indicators, it is believed that the leaders of the organized crime group known as Wizard Spider likely have a connection to government entities inside Russia, Cheesman adds.

Since the leak of the Conti files in early March, several cybersecurity firms have looked into the documents. The professor, who is named in the reward program's call for information and is also involved with Trickbot, is believed to be overseeing much of the ransomware's deployment and is a key player in the operation, according to security experts. In other cases, multiple online nicknames used by Conti Group actors may, in fact, refer to the same person.

Besides the Conti files, there have been other leaks from the wider cybercrime syndicate. Earlier this year, a Twitter account called Trickleaks began posting the alleged names and personal details of Trickbot members. The doxxing, which has not been independently verified but is believed to be at least partly accurate, shows photos of alleged members and their social media accounts, passport details, and more.

Jeremy Kennelly, senior manager of financial crime analysis at cybersecurity firm Mandiant, says pursuing actions against Conti and Trickbot is key to stopping ransomware groups from making money and attacking businesses. Stripping the anonymity of key players, offering bounties, seizing illicit funds, and making public statements of intent are important actions that can help increase the real and perceived risks of engaging in ransomware operations and can ultimately have a chilling effect on certain criminal actors and/or organizations, says Kennelly.

Rewards for Justice officials say they will post their call for Conti member information in multiple languages and urge people to get in touch via a Tor link. All tips they receive will be verified, and any lead must go through several stages before a payment is made. They say it's theoretically possible that multiple $10 million awards could be issued. Officials are specifically targeting Russian-language online spaces, saying details of the reward will be posted on the Russian social network VK and also on hacking forums.

In recent weeks, Conti's activities have dwindled, as the group is believed to be trying to rebrand following the leak of its internal chats. However, many members are still believed to be active and involved in other cybercrime efforts. These types of ransomware attacks can have a huge impact on businesses and society in general.

Although they are not state-sponsored groups, they regularly carry out attacks as hard-hitting as any nation-state group, and they should be treated as such, says Allan Liska, analyst for the security company Recorded Future, which specializes in ransomware. This probably won’t lead to arrests of Conti members unless one of them is stupid enough to set foot outside of Russia. The intelligence that could be garnered from this reward could prove invaluable.

