The working day of Conti, the world’s most dangerous ransomware gang

In addition to its chat messages, Conti uses common organizing tools. The team regularly refers to the Tor browser for online logins and GPG and ProtonMail for encrypted emails, uses Privnote for self-destructing messages, and shares files via file.io, qaz.im, and Firefox’s discontinued Send service. They also use databases, such as Crunchbase, to gather information about the businesses they want to target.

Within Conti’s organizational structure, there is a team dedicated to open source intelligence, which includes learning about potential threats to the gang itself. The group tried to buy anti-virus systems from security companies to test its malware against, even creating fake companies to do so. Members share YouTube videos about the latest security research, see what researchers have to say about it, and circulate news articles about the group. (A Conti member sent Stern a summary in Russian of WIRED’s February story about the Trickbot group the day after it was published.)

As with any workplace, Conti members become frustrated with their colleagues. People don’t respond to messages, disappear at work (“went to get a haircut”) and complain about long working hours. “I personally don’t agree with the idea that I have to be connected 24 hours a day,” Driver lamented in March 2021. Working around the clock “is a shortcut to burnout,” they said.

The gang fines members who don’t show up for work or don’t do their work, an analysis of the chats by security firm CheckPoint shows. “I have 100 people here, half of them, even 10 percent, are not doing what they need to do,” Stern told Mango in the summer of 2021. “And they only want money because they think they’re fucking useful.” At another point, Stern scolds one person: “everyone works but you.”

Conti’s member Dollar is a particular source of friction. On January 20, 2022 the handle Cybergangster began a tirade about Dollar to Mango. “Let’s take the dollar out of the game,” Cybergangster wrote. “He’s a screwed up bastard.” Dollar allegedly targeted hospitals with the group’s ransomware despite being told not to. Conti members say they have a rule not to attack hospitals or medical centres, despite an attack on Ireland’s health service in May 2021 that cost the organization $600 million to recover from. Six days after Cybergangster’s complaint, Mango confronts Dollar. “You really do [are] more trouble than good,” said one message in a series of 11. Mango says “everyone keeps complaining about you and getting mad” and accuses Dollar of ruining the gang’s “reputation” by targeting hospitals.

Although their daily working lives are now on display, the Conti group has not disappeared. But the messages leave a trail of personal data, such as the handles they use online, bitcoin addresses and email addresses. “If this information is true, it definitely makes life easier for law enforcement,” says Tahiri. “By dismantling the group behind Trickbot/Conti, we can be sure that the entire infrastructure will suffer.” This is something the group members know well: “We are already in the news,” read one of the last messages sent before the leak.
