Leaked documents show notorious ransomware group has an HR department, performance reviews and an ‘employee of the month’

Conti — which uses malware to block access to computer data until a “ransom” is paid — operates much like a regular tech company, say cybersecurity specialists who analyzed the group’s leaked documents.

A Russian group identified by the FBI as one of the most prolific ransomware groups of 2021 may now understand how it feels to be the victim of cyber espionage.

A series of document leaks reveal details about the size, leadership and business operations of the group known as Conti, as well as what’s perceived as its most prized possession of all: the source code of its ransomware.

Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years.

In its “Internet Crime Report 2021,” the FBI warned that Conti’s ransomware was among “the three top variants” that targeted critical infrastructure in the United States last year. Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors,” the bureau said.

“They were the most successful group up until this moment,” said Gihon.

Act of revenge?

In an online post analyzing the leaks, Cyberint said the leak appears to be an act of revenge, prompted by a since-amended post by Conti published in the wake of Russia’s invasion of Ukraine. The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south,” Cyberint said.

The leaks started on Feb. 28, four days after Russia’s invasion of Ukraine.

Soon after the post, someone opened a Twitter account named “ContiLeaks” and started leaking thousands of the group’s internal messages alongside pro-Ukrainian statements.

The Twitter account has disabled direct messages, so CNBC was unable to contact its owner.

The account’s owner claims to be a “security researcher,” said Lotem Finkelstein, the head of threat intelligence at Check Point Software Technologies.

The leaker appears to have stepped back from Twitter, writing on March 30: “My last words… See you all after our victory! Glory to Ukraine!”

The impact of the leak on the cybersecurity community was huge, said Gihon, who added that most of his global colleagues spent weeks poring through the documents.

The American cybersecurity company Trellix called the leak “the Panama Papers of Ransomware” and “one of the largest ‘crowd-sourced cyber investigations’ ever seen.”

Classic organizational hierarchy

Conti is completely underground and doesn’t comment to news media the way that, for instance, Anonymous sometimes will. But Cyberint, Check Point and other cyber specialists who analyzed the messages said they show Conti operates and is organized like a regular tech company.

After translating many of the messages, which were written in Russian, Finkelstein said his company’s intelligence arm, Check Point Research, determined Conti has clear management, finance and human resource functions, along with a classic organizational hierarchy with team leaders that report to upper management.

There’s also evidence of research and development (“RND” below) and business development units, according to Cyberint’s findings.

The messages showed Conti has physical offices in Russia, said Finkelstein, adding that the group may have ties to the Russian government.

“Our … assumption is that such a huge organization, with physical offices and enormous revenue would not be able to act in Russia without the full approval, or even some cooperation, with Russian intelligence services,” he said.

The Russian embassy in London did not respond to CNBC requests for comment. Moscow has previously denied that it takes part in cyberattacks.

‘Employees of the month’

Check Point Research also found Conti has:

  • Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
  • Negotiators who receive commissions ranging from 0.5% to 1% of paid ransoms
  • An employee referral program, with bonuses given to employees who’ve recruited others who worked for at least a month, and
  • An “employee of the month” who earns a bonus equal to half their salary

Unlike above-board companies, Conti fines its underperformers, according to Check Point Research.

Worker identities are also masked by handles, such as Stern (the “big boss”), Buza (the “technical manager”) and Target (“Stern’s partner and effective head of office operations”), Check Point Research said.

[Image: Translated messages showing finable offenses at Conti. Source: Check Point Research]

“When communicating with employees, higher management would often make the case that working for Conti was the deal of a lifetime — high salaries, interesting tasks, career growth(!),” according to Check Point Research.

However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and work hours during weekends and holidays, Check Point Research said.

The hiring process

Conti hires from both legitimate sources, such as Russian headhunting services, and the criminal underground, said Finkelstein.

Hiring was important because “perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees,” wrote Brian Krebs, a former Washington Post reporter, on his cybersecurity website KrebsOnSecurity.

Some hires weren’t even computer specialists, according to Check Point Research. Conti hired people to work in call centers, it said. According to the FBI, “tech support fraud,” in which scammers impersonate well-known companies and offer to fix computer problems or cancel subscription charges, is on the rise.

Employees in the dark

“Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group,” said Finkelstein. “These employees think they are working for an ad company, when in fact they are working for a notorious ransomware group.”

The messages show managers lied to job candidates about the organization, with one telling a potential hire: “Everything is anonymous here, the main direction of the company is software for pentesters” — referring to penetration testers, who are legitimate cybersecurity specialists who simulate cyberattacks against their own companies’ computer networks.

In a series of messages, Stern explained that the group kept coders in the dark by having them work on one module, or part of the software, rather than the whole program, said Check Point Research.

If employees eventually figure things out, Stern said, they’re offered a pay raise to stay, according to the translated messages.

Down but not out?

Even before the leak, Conti was showing signs of distress, according to Check Point Research.

Stern went silent around mid-January, and salary payments stopped, according to the messages.

Days before the leak, an internal message stated: “There have been many leaks, there have been … arrests … there is no boss, there is no clarity … there is no money either … I have to ask all of you to take a 2-3 month vacation.”

Though the group has been hobbled, it will likely rise again, according to Check Point Research. Unlike its former rival REvil — whose members Russia said it arrested in January — Conti is still “partially” operating, the company said.

The group has survived other setbacks, including the temporary disabling of Trickbot — a malware program used by Conti — and the arrests of several suspected Trickbot associates in 2021.

Despite ongoing efforts to combat ransomware groups, the FBI expects attacks on critical infrastructure to increase in 2022.