The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

11 big takeaways from the Conti ransomware leaks

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I, for one, am disheartened that this 17-pound monster was disqualified as the world's largest potato. 

Below: The pipeline industry is frustrated with new cyber rules, and Arizona Republicans have a plan to break up Maricopa County. 

The Conti leak illustrates how hacking gangs are divided over Russia's invasion

A massive leak from inside the Russia-backing Conti ransomware gang is sending shock waves through the cyber research community.

The leak is providing a clearer portrait than ever before of the cybercriminals that have run roughshod over U.S. institutions.

And it's showing how Russia’s invasion of Ukraine has divided the criminal gangs that lock up victim computers and demand payments to unlock them, given it was orchestrated by a Ukraine sympathizer with access to Conti's internal chats and business records

The leak came after Conti's leaders pledged allegiance to the Russian invaders. Conti leaders later tried to make a more neutral statement on the invasion but the damage had been done.

Here are 11 big takeaways. 

1. Ransomware hacking can be pretty boring work

The most common reaction to the chats has been how utterly banal the daily trudge of ransomware hacking can be — much like any desk job. Paychecks come out twice per month and work is divvied up by middle managers, some of whom get testy when subordinates slack off or disappear offline for hours at a time. 

Hackers go by one-word handles in the chats rather than their real names. But many of their comments would be right at home in a typical office Slack channel. 

“Many of the conversations are dull, daily chatter,” Matt Burgess reported in one deep dive for Wired. “Members tell others they have caught Covid-19; they have issues with connectivity … and they bond with conversations about their partners or exes. The water cooler conversations are a stark contrast to Conti’s dark work.”

2. The pay’s not great on the lower rungs

The rank-and-file Conti hackers earned about $1,500 to $2,000 per month and didn’t get a share of the big ransoms. 

That’s not a bad salary in many former Soviet states. But it’s nothing like the top ranks of criminal hackers who have developed a reputation for conspicuous displays of wealth, flashing stacks of cash, driving Lamborghinis and playing with tiger cubs. 

3. But at the top levels, cybercrime definitely pays

The research group Chainalysis estimated Conti’s 2021 revenue as around $180 million — a figure that’s almost certainly low because it’s based only on publicly reported ransomware attacks and many go unreported. Based on data from the leaks, BreachQuest estimated the gang pays about $6 million for salaries and other expenses — just a fraction of its revenue. 

“What would be the venture capital valuation of a Silicon Valley startup with global reach, annual revenue of $180 million, almost triple-digit year-over-year growth and an annual burn rate of $6 million?” Shaun Waterman asks in another deep dive for ReadMe. 

4. Conti made some efforts to avoid the most inhumane hacks

Conti has publicly claimed that it avoids attacking critical infrastructure, such as hospitals, energy firms and airports that could have the highest human cost. That claim was treated dubiously given that Conti ransomware was used in a brutal attack on the Irish health-care system last year that cost $600 million to recover from. 

Yet it does appear that managers routinely urged subordinates against targeting hospitals. One manager even chewed out a subordinate who didn’t follow the rule, saying the subordinate was ruining the gang’s reputation and warning “everyone constantly complains about you and gets angry,” per Wired.

5. But there’s truly no honor among thieves

In one chat reported by ReadMe, a middle manager asks a hacker who used the handle Stern and who appears to be “the big boss” of the operation, several times if he authorized an attack on a hospital carried out by a hacker using the handle Dollar. Stern ultimately replies cryptically, “I usually don’t approve locks.” 

“Several hours later [Stern] sent Dollar an encrypted note. Dollar responded with a series of numbers and sums apparently calculating a 20 percent share of something,” Shaun reports. 

6. Russian sympathizers in the gang bought into Putin’s lies

“The Russian hackers openly repeated Putin’s falsehoods as fact, such as that Ukraine is run by a ‘neo-Nazi junta’ and that its government is seeking nuclear weapons. Members of the chat continually shared news updates that exaggerated Russia’s success so far in the war,” Micah Lee reported for the Intercept. 

The hackers also frequently used anti-Semitic tropes to describe Ukraine’s Jewish president Volodymyr Zelensky

7. Putin’s war may have ended the Pax Romana among cybercrime gangs

One feature of the pre-Ukraine invasion ransomware industry is that — while many hackers were Russian — citizens of other post-Soviet states often joined the ranks. That may be ending as the relations between criminal hackers from Russia and other nations become more divisive.

Ian McGinley, a former federal prosecutor in Manhattan who specialized in complex cyber cases, compares the upheaval the Ukraine war has provoked to the internecine conflicts within traditional criminal groups, like the mafia,” Shaun reports. 

8. Yet, other ransomware gangs played the politics better

The Lockbit gang, for example, came out with a statement on the invasion nearly as quickly as Conti did — but it pledged neutrality. 

Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future:

9. Law enforcement and researchers are having a field day with the leaks

In addition to what they show about the inside workings of ransomware operations, the leaks will also make it far easier for law enforcement to identify individual members of the gang, perhaps leading to criminal indictments. 

“It’s the most valuable data dump ever about ransomware,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told Shaun. 

10. How the heck were they so careless?

Encryption is the bread and butter of ransomware gangs — the tool they use to lock up victims’ computers and demand ransoms. Yet, the vast majority of chats between Conti members were easily available to the leaker in unencrypted formats. Only a small portion of Conti members used an add-on tool to encrypt their chats on the gang’s server. 

“The dumb part of this is the way they did it in an unencrypted [manner],” a spokesperson for the hacktivist collective Anonymous told the Record’s Dina Temple-Raston. “That’s unthinkable, right? They must be shaking in their boots right now, because a lot of their identities will be revealed through these leaks.”

11. Conti is down but not out

It looked for a minute in early March as if Conti may have been driven out of business by the leaks. But they were up and running again by March 7, CyberScoop’s Suzanne Smalley reports.

“They will reemerge more powerful and better than ever and more bulletproof,” Vitali Kremez, CEO of the cybersecurity firm AdvIntel told Suzanne. “They will adapt, they will improve, some members will relocate. But [Conti] will definitely not be pushed out of the market.”

The keys

The pipeline industry is extremely frustrated with new cybersecurity rules

The Transportation Security Administration (TSA) has been overwhelmed by requests for workarounds to stringent new cybersecurity rules imposed after the Colonial Pipeline hack, operators told Politico’s Eric Geller. 

Industry officials and analysts expressed dismay to The Post after the rules were imposed, warning that implementing them as written could be difficult. Things haven’t improved since then, Geller reports.

The TSA has approved a mere handful of the more than 170 requests to use “alternative measures,” senior officials told Geller.

The rules are ill-suited to industrial cybersecurity and have gotten in the way of more useful security initiatives, experts warned

“There is not a single pipeline operator who has felt positive about the interactions that I’m aware of,” Robert M. Lee, chief executive of the industrial-focused cyber firm Dragos, told Geller. “This has derailed lots of other valuable security efforts.”

Arizona Republicans want to break up Maricopa County

They're backing a bill that would split Maricopa County up into four separate counties — creating three solidly Republican counties and one Democratic one out of a county that helped deliver Joe Biden's victory in 2020.

The county was a locus for Donald Trump’s false claims that his election loss was illegitimate and the site of a partisan and ultimately fruitless audit aiming to disprove the election results. 

Critics say the bill is punishment for county officials pushing back against Trump’s claims, Griff Witte reports. Election experts also say the proposal could help lay the groundwork for challenges to the 2024 contest.

The bill has passed in committee, but it appears to have stalled for now as Republicans navigate a tight majority in the state House and Senate. 

“This is about putting more chips on the roulette table so you can win your bet,” state Rep. Lorenzo Sierra, a Democrat, argued. “One of these three counties, I’m sure, would decertify this election in a heartbeat.”

State Rep. Jake Hoffman, a Republican who introduced the bill, has denied that it has to do with elections, arguing that it’s about bringing power closer to the people. Hoffman, who declined an interview request, was one of 11 Arizonans who falsely declared that he was empowered to cast Arizona's electoral votes for Trump.

Russia’s government sites are under ‘unprecedented’ digital attack

Some of the attacks appear to be surges of Internet traffic that aim to overwhelm the websites. Russian regulators are filtering Internet traffic coming from abroad to mitigate the power of the digital attacks, Mary Ilyushina reports. The attacks were “two to three times more powerful” than previous ones, the country’s Ministry of Digital Development and Communications said.

Other recent attacks hitting Russia:

  • Hackers replaced the hotline phone number on Russia's Emergency Situations Ministry website to list a number for Russian soldiers to call if they want to defect.
  • They also modified news stories on the page to tell readers not to believe Russian news reports
  • Dozens of Russian judicial sites displayed insults aimed at President Vladimir Putin.
  • Hackers claiming affiliation with Anonymous displayed livestreams of dozens of surveillance cameras inside Russia, Vice reports.

Securing the ballot

Trump White House aide was secret author of report used to push ‘big lie’ (The Guardian)

Republican schism over the 2020 election spills over as Speaker Vos spends a day traveling state to manage party divisions (Milwaukee Journal Sentinel)

Industry report

Cisco insiders worry that pressure from competitors like Microsoft and a complicated sales process could undermine its $4 billion bet on cybersecurity (Insider)

A Big Bet to Kill the Password for Good (Wired)

Global cyberspace

Italy set to curb use of Russian anti-virus software in public sector (Reuters)

China’s DJI and its billionaire chief put in an awkward spot as both sides in Ukraine war use its drones (Forbes)

Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (The Guardian)

Hill happenings

Lawmakers, experts debate whether fears about evasion of cryptocurrency sanctions are overblown (CyberScoop)


  • CISA Director Jen Easterly speaks at the National Women in Cybersecurity Conference today at around 1 p.m. 
  • Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) speaks at an Information Technology Industry Council Bridge for Innovation event on Wednesday at 11 a.m.
  • CISA senior adviser and strategist Allan Friedman speaks at an Institute for Critical Infrastructure Technology event on Thursday at 1 p.m.

Secure log off

A tuber of a gourd? Thanks for reading. See you Monday.