Leaked documents show notorious ransomware group has an HR department, performance reviews and an ‘employee of the month’

Conti — which uses malware to block access to computer data until a “ransom” is paid — operates much like a regular tech company, say cybersecurity specialists who analyzed the group’s leaked documents.

The FBI has identified a Russian group as one of the most prolific groups of the year.

A series of document leaks reveal details about the size, leadership and business operations of the group known as Conti, as well as what is perceived as its most prized possession of all: the source code of its ransomware.

Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. The group has 350 members who have collectively made over $2 billion in two years.

The FBI warned that the three top variant of the ransomware that targeted critical infrastructure in the United States last year were from the same group. The Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors are the most frequently victimized by Conti.

Gihon said that they were the most successful group until now.

Cyberint said in an online post that the leak appears to be an act of revenge after a post was published in the wake of Russia's invasion of Ukraine. The group could have remained silent, but they chose to side with Russia, and this is where it all went south.

Four days after the invasion of Ukraine, the leaks began.

The group's internal messages and pro-Ukrainian statements were leaked by someone who opened a new account on the social networking site.

CNBC was unable to contact its owner because of the disabled direct messages on the account.

Lotem Finkelstein is the head of threat intelligence at Check Point Software Technologies.

The leaker wrote on March 30: "My last words..." After our victory, see you all! Glory to Ukraine!

Gihon said that most of his global colleagues spent weeks poring through the documents from the leak.

The leak of the Panama Papers of Ransomware was called one of the largest cyber investigations ever seen by Trellix.

For instance, Anonymous sometimes will comment on news media in a way that is underground. The messages analyzed by Cyberint, Check Point and other cyber specialists show that the company is organized like a tech company.

Finkelstein said his company's intelligence arm, Check Point Research, determined that the company has clear management, finance and human resource functions, along with a classic organizational hierarchy with team leaders that report to upper management.

There is also evidence of research and development and business development units.

The group may have ties to the Russian government, according to the messages.

It is assumed that such a huge organization, with physical offices and enormous revenue, would not be able to act in Russia without the full approval of the Russian intelligence services.

The Russian embassy in London did not respond to CNBC's requests for comment. Moscow has previously denied taking part in cyberattacks.

Check Point Research also found that he has.

• Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
• Negotiators who receive commissions ranging from 0.5% to 1% of paid ransoms
• An employee referral program, with bonuses given to employees who’ve recruited others who worked for at least a month, and
• An “employee of the month” who earns a bonus equal to half their salary

According to Check Point Research, Conti fines its underperformers.

The identities of worker are masked by handles.

Translated messages showing finable offenses at Conti.

According to Check Point Research, higher management would often make the case that working for the company was a good career choice.

Check Point Research said that some of the messages paint a different picture, with threats of dismissal for not responding quickly enough, and work hours during weekends and holidays.

Russian headhunting services and the criminal underground are some of the legitimate sources that Conti hires from.

Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group.

It was important to hire because the turnover, attrition and burnout rate was high for low-level employees, according to Brian Krebs, a former Washington Post reporter.

According to Check Point Research, some hires were not computer specialists. The people were hired to work in call centers. Tech support fraud is on the rise, where criminals impersonate well-known companies and offer to fix computer problems or cancel subscription charges.

Some employees think they are working for an ad company, when in fact they are part of a cybercrime group.

Managers lied to job candidates about the organization, with one telling a potential hire that the main direction of the company was software for penetration testers.

Check Point Research said that in a series of messages, Stern explained that the group kept the public in the dark by having them work on one module or part of the software.

According to the translated messages, if employees eventually figure things out, they're offered a pay raise to stay.

According to Check Point Research, Conti was showing signs of distress before the leak.

According to the messages, salary payments stopped around mid-January.

There have been many leaks, there have been arrests, there is no boss, and there is no money.

According to Check Point Research, the group will likely rise again despite being hobbled. The company said that it is still operating, even though Russia said it arrested its members in January.

The group has survived setbacks such as the temporary disabling of the program, the arrests of associates of the program, and the use of the program by the group.

The FBI expects attacks on critical infrastructure to increase.