A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.

Conti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”

“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.

On Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.

The Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.

“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”

GAP #1

The temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.

On Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that has regularly used Trickbot to deploy malware.

Once in control over Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.

News of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.

“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”

“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.

“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum number, and the bot is checking that the new config should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”

It would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.

“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”

On October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Follow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.

GAP #2

The more recent gap in the Conti chat logs corresponds to a Jan. 26, 2021 international law enforcement operation to seize control of Emotet, a prolific malware strain and cybercrime-as-a-service platform that was used heavily by Conti. Following the Emotet takedown, the Conti group once again reorganized, with everyone forced to pick new nicknames and passwords.

The logs show Conti made a special effort to help one of its older members — All Witte — a 55-year-old Latvian woman arrested last year on suspicion of working as a programmer for the Trickbot group. The chat records indicate Witte became something of a maternal figure for many of Conti’s younger personnel, and after her arrest Conti’s leadership began scheming a way to pay for her legal defense.

“They gave me a lawyer, they said the best one, plus excellent connections, he knows the investigator, he knows the judge, he is a federal lawyer there, licensed, etc., etc.,” wrote Mango” — a mid-level manager within Conti — to “Stern,” a much higher-up Conti manager and taskmaster who frequently asked various units of the gang for updates on their daily assignments.

Stern agreed that this was the best course of action, but it’s unclear if it was successfully carried out. Also, the entire scheme may not have been as altruistic as it seemed: Mango suggested that paying Witte’s attorney fees might also give the group inside access to information about the government’s ongoing investigation of Trickbot.

“Let’s try to find a way to her lawyer right now and offer him to directly sell the data bypassing her,” Mango suggests to Stern on June 23, 2021.

The FBI has been investigating Trickbot for years, and it is clear that at some point the U.S. government shared information with the Russians about the hackers they suspected were behind Trickbot. It is also clear from reading these logs that the Russians did little with this information until October 2021, when Conti’s top generals began receiving tips from their Russian law enforcement sources that the investigation was being rekindled.

“Our old case was resumed,” wrote the Conti member “Kagas” in a message to Stern on Oct. 6, 2021. “The investigator said why it was resumed: The Americans officially requested information about Russian hackers, not only about us, but in general who was caught around the country. Actually, they are interested in the Trickbot, and some other viruses. Next Tuesday, the investigator called us for a conversation, but for now, it’s like [we’re being called on as] witnesses. That way if the case is suspended, they can’t interrogate us in any way, and, in fact, because of this, they resumed it. We have already contacted our lawyers.”

Incredibly, another Conti member pipes into the discussion and says the group has been assured that the investigation will go nowhere from the Russian side, and that the entire inquiry from local investigators would be closed by mid-November 2021.

It appears Russian investigators were more interested in going after a top Conti competitor — REvil, an equally ruthless Russian ransomware group that likewise mainly targeted large organizations that could pay large ransom demands.

On Jan. 14, 2022, the Russian government announced the arrest of 14 people accused of working for REvil. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown was part of a cynical ploy to assuage (or distract) public concerns over Russian President Vladimir Putin’s bellicose actions in the weeks before his invasion of Ukraine.

The leaked Conti messages show that TrickBot was effectively shut down earlier this month. As Catalin Cimpanu at The Record points out, the messages also contain copious ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident (and indeed had paid Conti to ensure their silence). In addition, there are hundreds of bitcoin addresses in these chats that will no doubt prove useful to law enforcement organizations seeking to track the group’s profits.

This is the first of several stories about the inner workings of Conti, based on the leaked chat records. Part II will be told through the private messages exchanged by Conti employees working in different operational units, and it explores some of the more unique and persistent challenges facing large-scale cybercriminal organizations today.

President Biden joined European leaders this week in enacting economic sanctions against Russia in response its military invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure.

Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.

The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPeyta event — basically some type of cyber weapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely-used piece of hardware or software.

Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.

“The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”

What kinds of attacks are experts most concerned about? In part because the Russian economy is so dependent on energy exports, Russia has invested heavily in probing for weaknesses in the cyber systems that support bulk power production and distribution.

Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities targeting power infrastructure. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

Experts warn that Russia could just as easily use its arsenal of sneaky cyber exploits against energy systems that support U.S. and European nations. In 2014, then National Security Agency Director Mike Rogers told lawmakers that hackers had been breaking into U.S. power utilities to probe for weaknesses, and that Russia had been caught planting malware in the same kind of industrial computers used by power utilities.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” Rogers said at the time.

That haunting prophecy is ringing anew as European leaders work on hammering out additional sanctions, which the European Commission president says will restrict the Russian economy’s ability to function by starving it of important technology and access to finance.

A draft of the new penalties obtained by The New York Times would see the European Union ban the export of aircraft and spare parts that are necessary for the maintenance of Russian fleets.

“The bloc will also ban the export of specialized oil-refining technology as well as semiconductors, and it will penalize more banks — although it will stop short of targeting VTB, Russia’s second-largest bank, which is already crippled by American and British sanctions,” The Times wrote.

Dmitri Alperovitch is co-founder and former chief technology officer at the security firm CrowdStrike. Writing for The Economist, Alperovitch said America must tailor its response carefully to avoid initiating a pattern of escalation that could result in a potentially devastating hot war with Russia.

“The proposed combination of sanctions on top Russian banks and implementation of export controls on semiconductors would be likely to severely debilitate the Russian economy,” Alperovitch wrote. “And although many in the West may initially cheer this outcome as righteous punishment for Russia’s blatant violation of Ukrainian sovereignty, these measures will probably trigger significant Russian retaliation against America. That prospect all but guarantees that the conflict will not come to an end with an invasion of Ukraine.”

Faced with a potentially existential threat to its economic well-being — and seeing itself as having nothing more to lose — Russia will have several tools at its disposal with which to respond, he said: One of those will be carrying out cyber-attacks against American and European financial institutions and energy infrastructure.

“Having already exhausted the power of economic sanctions, America and its European allies would have few choices other than to respond to these attacks with offensive cyber-strikes of their own,” Alperovitch wrote. “This pattern of tit-for-tat cyber retaliation could place Russia and the West on a worrying path. It could end with the conflict spilling out of cyberspace and into the realm of a hot conflict. This outcome—a hot conflict between two nuclear powers with extensive cyber capabilities—is one that everyone in the world should be anxious to avoid.”

In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. Alperovitch says a retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.

“The colonial pipeline is going to be like child’s play if the Russians truly unleash all their capability,” Alperovitch told CNBC this week.

For example, having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with “wiper” malware that simply overwrites or corrupts data on infected systems.

Kim Zetter, a veteran Wired reporter who now runs her own cybersecurity-focused Substack newsletter, has painstakingly documented two separate wiper attacks launched in the lead-up to the Russian invasion that targeted Ukrainian government and contractor networks, as well as systems in Latvia and Lithuania.

One contractor interviewed by Zetter said the wiper attacks appeared to be extremely targeted, going after organizations that support the Ukrainian government — regardless of where those organizations are physically located.

“The wiper, dubbed HermeticaWiper, appears to have been in the works for months but was only released on computers today,” Zetter wrote. “It follows on a previous wiper attack that struck Ukrainian systems in January called WhisperGate. Like that previous infection, HermeticaWiper is designed to overwrite files on systems to render them inoperable.”

A joint advisory last week by the FBI, National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian cyber actors have been targeting cleared defense contractors, and that since January 2020 and continuing through this month, the cyber actors had maintained a persistent presence on those contractor networks. The advisory said the attackers exfiltrated email and data, and were able to “acquire sensitive, unclassified information, as well as proprietary and export-controlled technology.”

A report Thursday by NBC News suggested President Biden had been presented with options for massive cyberattacks against Russia, including the disruption of Internet access across Russia, shutting off the power, and stopping trains in their tracks.

But White House National Security Council spokesperson Emily Home told Reuters the NBC News report was “wildly off base and does not reflect what is actually being discussed in any shape or form.”

That’s good news, according to Jim Lewis, director of the public policy program at the Center for Strategic and International Studies. Lewis said the United States and its allies have far more to lose if the West gets embroiled in an escalation of cyber attacks with Russia over sanctions.

“The asymmetry in pressure points makes the idea of us doing something probably not a good idea,” Lewis told KrebsOnSecurity. “If Putin hasn’t gone completely nuts, he’ll be cautious of doing anything that might be construed under international law as the use of force through cyber means.”

Lewis said a more likely response from Russia would include enlisting cybercriminals throughout Russia and the Commonwealth of Independent States to step up ransomware and other disruptive attacks against high-impact targets in specific industries.

“The pressure points for Putin are his political support — the oligarchs and security services,” Lewis said. “If we want to squeeze him, that’s where we have to squeeze, things like seizing all their real estate in Miami Beach, or putting them on no-fly lists. If you want to hurt Putin, a cyberattack probably wouldn’t do it. Unless it was against his bank account.”

In a call to action issued earlier this week dubbed “Shields Up,” CISA warned that Russia could escalate its destabilizing actions in ways that may impact others outside of Ukraine. CISA also published a new catalog of free public and private sector cybersecurity services.

The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately-held Virginia company that runs the agency’s identity proofing system. The IRS also said any biometric data already shared with ID.me would be permanently deleted over the next few weeks, and any biometric data provided for new signups will be destroyed after an account is created.

“Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.

“Taxpayers will still have the option to verify their identity automatically through the use of biometric verification through ID.me’s self-assistance tool if they choose,” the IRS explained. “For taxpayers who select this option, new requirements are in place to ensure images provided by taxpayers are deleted for the account being created. Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.”

In addition, the IRS said it planned to roll out Login.gov as an authentication tool for those seeking access to their tax records online. Login.gov is a single sign-on solution already used to access 200 websites run by 28 federal agencies.

“The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov, with the goal of moving toward introducing this option after the 2022 filing deadline,” the agency wrote.

The IRS first announced its partnership with ID.me in November, but the press release received little public attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me.

That story went viral, and the ensuing media coverage forced the IRS to answer questions about why it was incentivizing the collection and storage of biometric data by a private company. On Feb. 7, the IRS announced its intention to transition away from requiring biometric data from taxpayers who wish to access their records at the agency’s website, but it left unanswered the question of what would happen with the facial recognition data already collected by ID.me on behalf of the IRS.

In a letter to the IRS this month, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements, saying login.gov is perfectly up to the task if given all of the resources and funding it deserves.

“Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity,” Wyden wrote. “The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.”  On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”

“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”

A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.

On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, violence, migration and other causes.

The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff’s sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn’t be leaked or sold online.

“Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC General Director Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can pay.”

In their online statement about the hack (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.

“In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” the ICRC statement reads.

Asked to comment on Sheriff’s claims, the ICRC issued the following statement:

“Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.”

The email address that Sheriff used to register at RaidForums — kelvinmiddelkoop@hotmail.com — appears in an affidavit for a search warrant filed by the FBI roughly a year ago. That FBI warrant came on the heels of an investigation published by security firm FireEye, which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States., U.K. and other western audiences.

“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran.”

According to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.

A review of Sheriff’s postings to RaidForum reveals he has used two other nicknames since registering on the forum in December 2021: “Unindicted,” and “threat_actor.” In several posts, Sheriff taunts one FireEye employee by name.

In a Jan. 3, 2022 post, Sheriff says their “team” is seeking licenses for the Cobalt Strike penetration testing tool, and that they’re prepared to pay $3,000 – $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses frequently are used in the run-up to ransomware attacks.

“We will buy constantly, make contact,” Sheriff advised. “Do not ask if we still need)) the team is interested in licenses indefinitely.”

On Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. Sheriff says they will only accept offers that are guaranteed through the forum’s escrow account.

The demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That’s because escrow transactions necessarily force the buyer to make a deposit with the forum’s administrators before proceeding on any transaction.

Sheriff appears to have been part of a group on RaidForums that offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data (PDF screenshot from threat intelligence firm KELA). In a “scam report” filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.

Instead, the claimant maintains, Sheriff only paid them roughly 25 percent. “The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute,” the affiliate wrote.

In another post on RaidForums, a user aptly named “FBI Agent” advised other denizens to steer clear of Sheriff’s ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that restrict commerce with people residing in Iran.

“To make it clear, we don’t work with individuals under the OFAC sanctions list, which @Sheriff is under,” the ransomware affiliate program administrator wrote in reply.

RaidForums says Sheriff was referred to the forum by Pompompurin, the same hacker who used a security hole in the FBI’s website last year to blast a phony alert about a cybercrime investigation to state and local authorities. Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly-hacked organizations, and selling access to stolen information.

Reach via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never “snitch” on Sheriff.

“I know who he is but I’m not saying anything,” Pompompurin replied.

The information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer.

That person then proceeded to share the information about the connection between Sheriff’s email address and the FBI search warrant, as well as the account’s credentials.

The same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff’s account. Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff.

It seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.