Since the Conti Files were leaked in early March, multiple cybersecurity firms have pored over the documents. It is believed that Professor, who is included in the reward program’s call for information and is also involved in Trickbot, oversees much of the ransomware deployment and is a “significant player” in the operation, according to security experts. In other cases, several online monikers used by actors of the Conti group may, in fact, refer to the same person.
Aside from the Conti Files, there have been other leaks from the wider cybercrime syndicate. Earlier this year, a Twitter account called Trickleaks started posting the alleged names and personal details of Trickbot members. The doxxing, which has not been independently verified but is believed to be at least partly accurate, shows photos of alleged members and their social media accounts, passport details, and more.
Jeremy Kennelly, a senior manager in financial crime analysis at cybersecurity firm Mandiant, says that continued action against Conti and Trickbot is “critical” in helping prevent ransomware groups from making money and attacking businesses. “Stripping anonymity from key players, offering bounties, seizing illicit funds, and making public declarations of intent are important actions that may help to increase the real and perceived risks of engaging in ransomware operations and may ultimately lead to a chilling effect among some criminal actors and/or organizations,” Kennelly says.
The Rewards for Justice officials say that they will be publishing their call for information about the Conti members in multiple languages and urge people to get in touch via a Tor link. All of the tips they receive will be verified, and any lead must pass multiple steps before a payment is made. They say it is theoretically possible that multiple $10 million rewards could be issued. The officials are specifically targeting Russian-language online spaces, saying the reward details will be posted to Russian social network VK and also hacking forums.
In recent weeks, Conti’s activities have dwindled, as it is believed the group is attempting to rebrand following the leak of its internal chats. However, many of the members are still thought to be active and involved in other cybercrime efforts. These kinds of ransomware attacks can have a huge impact on businesses and wider society.
“While these are not state-sponsored groups, they routinely carry out attacks as impactful as any nation-state group, and they need to be treated as such,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “This likely won’t lead to the arrest of members of Conti, unless any of them are dumb enough to step foot outside of Russia. The intelligence that might be gathered through this reward could prove to be invaluable.”