NEW YORK (BLOOMBERG) - On Feb 25, a notorious ransomware group known as Conti expressed support for Russia as the country invaded Ukraine. It turned out to be a bad idea: Days later, a massive trove of the gang's secrets was leaked.

The data included details on specific hacking campaigns, Bitcoin wallets used by the gang members and ruminations on the future of cryptocurrency as a tool for money laundering.

In one chat message, a member of Conti expressed fury that someone associated with their group had targeted a website inside Russia ("Such d***-heads," this person called colleagues). Another detailed an attempted hack on a contributor to an investigative journalism outlet probing the suspected poisoning of a prominent Kremlin critic ("Bro don't forget about Navalny").

The files also divulged the organised crime equivalent of proprietary secrets: particulars on the gang's use of specific malware tools and insights on its negotiation techniques.

Taken together, experts told Bloomberg News, the Conti leak may have done more to expose its members and undermine its methods than investigations by law enforcement and security firms.

The files expose the group's organisational structure and clues about the techniques used to stay ahead of police, which represents valuable intelligence. While conversations and negotiations with hackers have leaked before, few have matched the Conti trove's scale and detail.

It offers an unprecedented, behind-the-scenes look into a group that used fake e-mail attachments, stolen passwords and phone calls to bilk more than US$200 million (S$272 million) from its victims last year, the cryptocurrency-tracking firm Chainalysis told Bloomberg News.

Multiple security experts confirmed the trove was legitimate. They offered different theories on how Conti's files were made public, with some suggesting a leak by a Ukrainian member of the gang or perhaps a researcher with inside access.

Conti is a type of ransomware and the name of the group behind it. It was first observed in 2020 and uses the "ransomware-as-a-service" model in which new groups of hackers lease malicious software to "affiliates" in exchange for a cut of the proceeds.

It is known for ruthlessness, targeting hospitals during the Covid-19 pandemic and crippling Ireland's healthcare system last year. The hackers used front companies to contact sales representatives from legitimate security vendors Sophos and Carbon Black to obtain samples of antivirus software offerings, documents show.

By testing malware against widely used security tools, Conti could find weak spots in the technology to circumvent popular cyber products, said Mr Dave Kennedy, co-founder of the security firm TrustedSec, who has been tracking Conti for years.

"We've spent countless hours researching this group and where they're from," he said. "This leak provides a lot of data on how they run operations, so we can improve our own defences and figure out how they would operate. It's pretty awesome."

Targets were frequently small and medium-sized firms, or organisations in the developing world, he said.

In response to a request for comment, a Sophos representative said in an e-mail that the company had flagged the Conti account as suspicious when hackers tried purchasing Sophos software, and the group abandoned the transaction. Carbon Black did not respond to a request for comment.

The logs also show how Conti and its affiliates would infiltrate multiple companies each week - trading ideas on the best ruses to get victims to pay. In one leaked conversation, hackers debated whether to send a ransomware victim a sample of stolen data to prove they had breached the firm. At other times, they discussed the likelihood that a victim would be able to download encrypted data from the cloud, eliminating the incentive to pay a ransom.

One hacker, called Professor, told associates he did not want to leak the data of a small California company specialising in agricultural labour contracts because it would have been unrealistic to gather and publish the company's information due to problems with the victim's network. The company did not ultimately pay the ransom, opting instead to restore its data from a recent back-up.

"We just didn't want to pay criminals," said Mr Luis Romero, an office manager at Hall Ag Enterprises, which shuttered for a day in October 2020 after Conti demanded US$700,000, a fee he said the firm could not afford.

Within two days, Conti moved on, setting its sights on Angelica, an Illinois-based healthcare products company. The hackers gathered contract information, company projections and personal data and used them to try intimidating the victim into paying, according to the documents. Angelica did not respond to a request for comment.

Other American firms like Shook Construction, logistics broker Western Overseas and a manufacturer called Varroc Lighting Systems were all in the crosshairs, according to the chat logs. The three companies did not respond to requests seeking comment.

Bloomberg News found several dozen cryptocurrency wallets among the chat logs, which totalled more than US$12 million as at March 9, a figure that has varied with Bitcoin value.

Gang members used the wallets included in the chat logs to reinvest in their technical infrastructure, pay affiliate customers and send Bitcoin to other malware operators, like developers of the TrickBot financial crime tool, said Ms Jackie Koven, cyber threat intelligence lead at Chainalysis.

"We can see from this leak that Conti comprised various gangs and groups, but they are also operating somewhat autonomously," she said.

They had political targets, too, reportedly going after a contributor to the investigative journalism group Bellingcat for looking into the alleged poisoning of Kremlin critic Alexei Navalny.

Bellingcat executive director Christo Grozev confirmed on Twitter that a contributor had been targeted at the time.

Like some other ransomware gangs, Conti appears to avoid Russian targets. The chats indicate that a middle manager named Troy put a stop to one such attempted attack. "Not this one. Removing it," Troy wrote. "They should be beaten up for such a thing. What if I did not notice that? Then we would have been f***ed."

Cyber-security researchers said the pullback was further evidence of the tacit approval that Russia gives to certain cyber criminals - so long as they do not attack entities inside its borders.

Suspected ties between Russian intelligence and cyber criminals have been made public before. The United States Treasury Department in 2019 accused the alleged leader of the hacking group Evil Corp, Maksim Yakubets, of providing "direct assistance" to Kremlin-sponsored cyber efforts. Prosecutors also have charged a number of alleged Russian hackers with cooperating with the Federal Security Service, or FSB, dating back to 2012.

A spokesman for the Russian embassy in Washington did not respond to an inquiry seeking comment. Russia has previously denied engaging in malicious cyber attacks.

"With this particular group, it seems like they had a relationship to a Russian government group," said Mr John Fokker, head of cyber investigations at security firm Trellix and a former member of a Dutch police unit that investigates advanced hackers.

"When you see conversations like, 'We shouldn't hit this organisation because we're going to get screwed', that's not the kind of thing you see often in chats like this."