‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

By Sean Lyngaas, CNN

As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how: by sabotaging one of the most formidable ransomware gangs in Russia.

Four days into Russia’s invasion, the researcher began publishing the biggest leak ever of documents and data from Conti, a syndicate of Russian and Eastern European cybercriminals wanted by the FBI for conducting attacks on hundreds of US organizations and causing millions of dollars in losses.

The hundreds of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage.

The Ukrainian computer expert behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.

To protect his identity, CNN agreed to refer to him by a pseudonym: Danylo.

“I cannot shoot anything, but I can fight with a keyboard and mouse,” Danylo told CNN.

The trove of data Danylo leaked in late February illustrates why cybersecurity has been such a fraught issue in US-Russia relations. It includes cryptocurrency accounts the Conti hackers allegedly used to reap tens of millions of dollars in ransom payments, their discussions of how to extort US companies and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.

But it also shows how hard it can be to disable ransomware operations. Despite Danylo unmasking their operations, the hackers continue to announce new victim companies.

Danylo, who has worked as a cybersecurity researcher for years and studied the underground cybercriminal economy in Europe, is just one vigilante in a shadow war that has emerged between hackers and cybersecurity executives who have pledged support for the Ukrainian and Russian governments as the largest land war in Europe since World War II drags on.

But by disrupting a group as notorious as Conti, Danylo has attracted more attention than others. The FBI, Danylo said, contacted him after he began to leak the Conti data, asking him to stop leaking.

The FBI declined to comment.

CNN corroborated Danylo’s claim that he was the leaker by reviewing evidence that he had access to the Twitter account that was publishing the Conti data, as well as a website that Danylo and another person, who was granted anonymity for their safety, were using to share information contained in the leaks.

Danylo hasn’t spoken with the media about his motives until now. He did so while navigating a war-ravaged country he had only recently returned to and could barely recognize.

“It’s my country,” he said in a phone interview. “If they [the Ukrainian government] give me weapons, OK, I’ll go fight. But I’m better at typing.”

Digital retribution

Danylo claims that he first gained access to computer systems used by what would become the Conti syndicate in 2016. Though he declined to explain in detail how he did this, independent security experts have confirmed to CNN that the dataset belongs to the hackers. (Conti is both the name of the malicious software and of the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)

“Sometimes they make mistakes,” Danylo said, referring to ransomware groups. “You need to catch them when they make a mistake. I just was in the right place at the right time. I was monitoring them.”

For years, Danylo said, he quietly lurked on the hackers’ servers and would pass along information on the group’s operations to European law enforcement officials.

Conti ransomware has been rampant in the past two years, with the hackers claiming multiple victims a week.

In September 2020, the hackers claimed to have stolen case files from a district court in Louisiana. In May 2021, Conti ransomware was used in a hack that hobbled the computer networks of Ireland’s $25 billion public health system, disrupting a maternity ward in Dublin.

The dark work was lucrative: hackers using the Conti ransomware received at least $25.5 million in ransom payments in the span of just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.

But something snapped in Danylo on February 25, 2022, when Conti operatives published a statement pledging their “full support” for the Russian government as it attacked Ukraine.

A Russian airstrike had landed not far from a family member’s home. The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union. He did not want to see it slip back into Russian hands.

Conti members tried to walk their statement back, saying they weren’t supporting any government, but Danylo had heard enough.

Asked again why he dumped the Conti data, Danylo said with a laugh: “To show that they are motherf**kers.” He was exhausted from a long day navigating military checkpoints in Ukraine, on the hunt for cigarettes and looking to the sky for signs of the next air raid.

Contacted by the FBI

Conti is exactly the kind of prolific ransomware group that President Joe Biden last year exhorted Russian President Vladimir Putin to bring to heel amid a spate of attacks on US critical infrastructure.

The Kremlin appeared to dangle the prospect of cooperating with the US to combat cybercrime this January, when the Russian FSB intelligence agency announced the arrest of multiple accused cybercriminals. But the prospects of bilateral cooperation on cybercrime have dimmed following the Russian invasion of Ukraine, which has killed more than 1,000 civilians, according to the United Nations, and made Putin an international pariah.

After he began leaking the data, Danylo said, an FBI special agent contacted him and asked him to stop. Exposing Conti infrastructure could, in theory, make it harder for the FBI to track the group, because the group might respond by setting up new systems.

Danylo has stopped leaking for now. But he says he still has access to some Conti computer systems.

At least one law enforcement official who spoke to CNN would have preferred that Danylo had maintained that covert access, rather than alert the ransomware syndicate to his presence by leaking the data.

“Publicly releasing information like [the leaker did] is reckless,” a US law enforcement official told CNN. “Working cooperatively with law enforcement can achieve a more significant and lasting impact in disrupting the operations of groups like Conti.”

But John Fokker, a former cybercrime investigator with the Dutch police, said the leak could actually be helpful to police chasing cyber crooks.

“Yes, infrastructure can be burned. However, the amount of data provided in the leaks makes me confident that law enforcement got the information they need to build indictments on key individuals,” said Fokker, who works closely with European law enforcement as head of cyber investigations at security firm Trellix.

A catalog of misdeeds

The Conti leaks are a startling catalog of the alleged misdeeds of a multimillion-dollar criminal enterprise.

CNN reviewed and translated the first cache of documents that Danylo shared with the world through Twitter.

The communications show Conti members, each going by an alias in the chat logs, discussing the wisdom of extorting US small businesses, apparently refraining from hacking Russian targets, and taking an interest in a journalist writing about Navalny, the Russian opposition figure who has been jailed and poisoned.

In April 2021, Conti members “mango” and “johnyboy77” discussed plans to obtain documents belonging to a journalist for the investigative outlet Bellingcat, which had published a joint investigation with CNN in December 2020 on the alleged role of Russia’s FSB intelligence agency in the poisoning of Navalny.

“Bro, don’t forget about Navalny, I flagged it to the boss — he’s waiting for details,” mango wrote to johnyboy77 in Russian.

It is unclear who “the boss” is in this exchange. But Christo Grozev, Bellingcat’s lead Russia investigator, tweeted that the leaked chat corroborated an anonymous tip Bellingcat had received stating that a “‘global cyber crime group working on an FSB order has hacked one of your contributors.’”

Conti operatives refer in their chats to Liteyny Avenue in St. Petersburg, which happens to be home to local FSB offices, according to Kimberly Goody, director of cyber crime analysis at security firm Mandiant.

“Generally speaking, it would be rather unsurprising to learn that an operation as extensive as this would in some way be leveraged as an asset [by the Russian government] at some point in time,” Goody told CNN.

The Russian Embassy in Washington did not respond to a request for comment. The Russian government has long denied accusations that it turns a blind eye to cybercrime.

There also appears to be a correlation between the Conti leaks and public warnings from US cybersecurity officials, suggesting that federal authorities have been closely watching the group.

On October 26, 2020, as US hospitals continued to reel from coronavirus cases, a Conti member with the alias Troy wrote to another member in Russian: “F**k clinics in the USA this week … There will be panic. 428 hospitals.”

Two days later the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a dire warning about ransomware attacks on hospitals, many of which used a piece of malicious software that the leaked documents tie to Conti operatives. It was unclear what specific intelligence prompted the federal warning about the hospitals, but the timing was striking.

‘It’s my work’

Cyberattacks have played a supporting role in the war in Ukraine. The White House has accused the Russian GRU military intelligence agency of knocking key Ukrainian government websites offline prior to the invasion. (A charge the Kremlin denies.) US officials are also investigating a hack of a satellite network serving parts of Ukraine, which occurred as the Russian invasion began, as a possible Russian state-sponsored hack, CNN previously reported.

For its part, the Ukrainian government has encouraged an “IT army” of volunteer hackers in Ukraine and abroad to carry out cyberattacks on Russian organizations.

In the free-for-all that is Ukrainian cyberspace, combatants like Danylo engage on their own terms.

Asked how he’s been in recent days, Danylo’s replies have been consistent: “Still alive.”

Watching homes and schools turn to rubble has drained the vigor from his voice.

Danylo recalled going into a bunker during a bombing raid in the early days of the war, with his laptop, and working on the Conti files. Another person in the bunker was mystified that he was focused on his laptop amid the shelling.

“What the f**k are you doing?” Danylo recalled the person asking him.

Danylo laughed nervously as he told the story. “It’s my work,” he told CNN. “[I do it] because I can.”

After weeks of living through the war, Danylo told CNN he slipped safely out of Ukraine with his laptop this week.

™ & © 2022 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.
