A whistleblower has apparently outed the leader behind Trickbot and the infamous Conti ransomware gang.
The Conti ransomware gang gained infamy in recent years, in part due to large-scale attacks on victims that have included backup appliance supplier Exagrid, which paid a $2.6 million ransom to the group; a number of systems belonging to the Costa Rican government; and Ireland’s public healthcare system.
In early 2022, shortly after Russia began its invasion of Ukraine, the group pledged support to Russia and threatened the US, should it target Russian critical infrastructure. This, a $15 million reward from the US State Department, and some high profile leaks connected to the gang appeared to result in the group’s breakup, though its former operators continued to conduct criminal activities.
This in itself is not so surprising, as many individual threat actors work with or for multiple groups. However, it appears the alleged mastermind behind Conti is also behind several other large-scale threat actor operations.
The Conti Gang Architect
Early last month, an anonymous whistleblower under the alias “GangExposed” published leaks identifying the leader of Conti as 36-year-old Vitaly Nikolaevich Kovalev, an individual the US Treasury named in 2023 as a senior figure within the long-running Trickbot gang. GangExposed also named Kovalev, who operates under the alias “Stern,” as responsible for Royal, a ransomware gang operating since 2023 that CISA previously highlighted last year.
GangExposed published alleged leaks related to Kovalev on X and multiple publishing platforms throughout the month, containing personally identifiable information, aliases, photos and videos of multiple group members, front companies, digital footprints, and more. GangExposed claims Kovalev owns more than $500 million in cryptocurrency holdings.
Germany’s Federal Criminal Police Office (BKA) further corroborated these leaks late last month, identifying Kovalev as the operator behind Trickbot.
“The accused is suspected of being the founder of the Trickbot group, also known as ‘Wizard Spider,'” BKA said. “In addition to the Trickbot malware, the group used the malware variants Bazarloader, SystemBC, IcedID, Ryuk, Conti, and Diavol, among others.”
German police estimated Trickbot to have more than 100 members in its ranks.
“The group is responsible for infecting several hundred thousand systems in Germany and worldwide and has obtained millions of dollars through its illegal activities,” BKA said. “The victims include hospitals, public institutions, companies, authorities and private individuals. In Germany alone, the group caused damage of at least 6.8 million euros.”
The Impact of Ransomware Leaks
The latest round of Conti leaks joins a growing number of instances in which threat actors have their personal information exposed to the world. There’s the LockBit name-and-shame campaign, “Operation Cronos,” conducted by British law enforcement, as well as the recent Black Basta chat log leak, to name two.
The use of naming-and-shaming is notable because while many threat actors can shift between multiple groups once one gang goes belly-up in a law enforcement takedown, reputational damage can stick a bit more, particularly in cases where a ransomware-as-a-service (RaaS) group wants to sell its services to affiliates.
Hannah Baumgaertner, head of research at security vendor Silobreaker, tells Dark Reading that regardless of whether GangExposed is a rival criminal group or a researcher, “the individuals who have had their names revealed are likely going to take a short break from any criminal activity until the heat on them cools down, for fear of subsequent law enforcement action.”
She adds, “However, it’s doubtful they will stop with their criminal activities completely. While it may temporarily impede their operations, they are likely to just move on to a new sort of business model once they are no longer a priority for law enforcement. Many criminals are also known to reside in countries lacking extradition treaties, providing them a safe haven to continue their activities.”
GangExposed’s leaks contain specific references to how the gang allegedly carried out threat activity in United Arab Emirates and China, possibly in order to get law enforcement in those countries — which do not extradite to the US — to investigate.
James Shank, director of threat operations at MDR vendor Expel, says he’s unsure whether GangExposed is a cybercriminal or independent researcher. Broadly speaking, he’s advocated for coordinated, legitimate efforts from to “incorporate psychological operations into coordinated actions to disrupt criminal actors before.”
“Threat actors like ‘Stern’ and others have operated under a veil of presumed safety for too long, while their victims are not afforded that same protection,” Shank says. “Cybersecurity is already an asymmetric battle — let’s make sure disruption efforts explore the full gamut of options for removing the factors that favor threat actors.”
