The Conti Leaks | Insight into a Ransomware Unicorn
Key Findings and Takeaways:
- In late February 2022, the internal chat logs of the Conti ransomware group were disclosed
- The Conti ransomware threat actors are shown to be a multi-layered organization that operates like a company that hires and even fires contractors and salaried employees alike
- Key figureheads and the roles they play to grow Conti’s enterprise will be discussed
- Conti’s overhead costs (tracing bitcoin transactions to employees and funds dispersed for services and tools) have been detailed
- Project Blockchain – An effort to create their own altcoin has been discovered
- Operational details of Conti’s workflow reveal how they compromise, escalate, and receive payments
- The various tools used to spy on and compromise victims are now better documented
Globally, groups, countries, and companies have been bracing for impact from potentially crippling attacks in the wake of last week’s announcement by the global ransomware group Conti that it would execute cyberattack campaigns supporting Russia’s ongoing invasion of Ukraine. However, in late February 2022, the infosec community began circulating leaks provided by a Ukrainian security researcher that detail multiple years of internal chat logs and more about Conti’s operations.
Conti is the source of a broad range of ransomware attacks, many of which have been focused on “Big Game Hunting,” looking for large payouts. However, the analysis of the leaked chat logs has shown that they do not limit attacks to large companies or targets and do go after small businesses. The warnings of new attacks come on the heels of an anonymous tip believed to be from the aforementioned Ukrainian researcher who leaked this treasure trove of data. This blog dissects the internal chat logs, which illuminate how Conti’s organizational infrastructure is run, and details key figureheads, tooling, and bitcoin transactions. This analysis will help organizations better understand the inner workings of Conti’s organizational infrastructure.
I. Conti Figure Heads
Stern: “The Big Boss”
Stern is the captain of the ship; he is responsible for tasking team leads, the disbursement of wages, and budgeting for the tools and services needed for the organization as a whole. Log analysis shows Stern sending over 4000 messages to various members of the organization.
The operator Salamandra is a critical part of the success of Conti; his role is that of an “HR department”, and he helps in negotiating with new candidates over their roles. Salamandra also works with the recruiting services and combs through resumes looking for the right candidates. Salamandra is the conduit for getting people onboarded and placed in the right position to excel in their new role.
Bio helps the teams negotiate with the victim organization and writes blogs for Conti. These blogs are usually about the compromised victims and include their captured information, with the percentage of data released depending on the status of the ransom payment. Bio makes sure that Conti provides the decryptor key to the “customer” to honor the contract if it is paid in full.
Mango: “Team Lead”
Mango, a very vocal leader responsible for Team C, is seen spearheading many different operations throughout the chat logs. In the screenshot below, Mango informs leader Stern of his team’s burn rate for the month.
Revers: “Tech Lead”
Revers is responsible for technical interviews with prospective new hires, helps with onboarding, and ensures his team and new recruits have all the equipment they need for work.
Bentley: “System Admin”
Bentley keeps track of server farms and submits requests to cover expenses incurred on behalf of multiple workers within Conti. He always makes sure that each team pays for its tooling on time and asks for crypto reports from each team lead.
Twin is the person who could potentially be the most vital part of the Conti group; he provides in-depth training and presents new recruits with different scenarios they may encounter when compromising a target’s environment. Twin is the “HOW TO PERSON”.
II. Conti’s Organizational Infrastructure
Conti recruits their workers in a few different ways. The first is recommendations from current trusted workers. The other is using recruiting services to find candidates with the skillsets Conti needs. One of the services that Conti uses is hhcdn.ru. This service allows Conti’s HR department to access the resume database to view potential qualified candidates’ information. In an analyzed chat, HR “Salamandra” informs “Stern” that the service introduced a significant change in its pricing model but that they could get a discounted rate. (hxxps://hhcdn[.]ru/file/16899324.pdf).
Interviewing at Conti is a bit more problematic. Conti has the interviewees wait in a chat room and gives them questions over chat and not via video. The Conti group does not use video as part of this process because many of the candidates leave the chat rooms before the interview begins, and as a way to maintain the operational security of its members. The candidates that do pass the interview negotiate the terms of salary and the role they will have in the organization. Once they are officially hired, they go through “Newbie Induction Training”. Conti keeps the work that the new candidates will be doing vague to prevent recruits from understanding too much about the organization they are joining. Call it willful ignorance, operational security or skillful recruitment, but it looks like new candidates do not entirely understand the organization they’ve agreed to work for. This may be a contributing factor to Conti’s high turnover rate.
Conti understands that the turnover ratio of workers is also very high due to the fact that they are running a criminal organization. The Conti Group has an HR/Recruiter who assists with the continual finding and recruitment of new candidates. Once the candidates begin working on a project, the supervisors begin onboarding the workers that require training. This usually encompasses training manuals and one-on-one interaction. Stern, the Boss, whose role is covered in the Conti Figure Heads section, often asks other workers, “how are you doing on recruiting people? can we start recruiting again or are we still training?” In one of the released chat logs, users 1-8 are training to understand how to use the tools and techniques in the Conti organization’s arsenal. We can see tl1 and tl2 providing direction for certain situations potentially affecting workstations/networks and informing the trainees what they should do if said issues arise.
Conti understands that it needs talent with skills to continue making money through its victims. The leadership of Conti provides the direction the organization will follow. With the Conti Leaks release and the ongoing war in Ukraine, we believe Conti’s leaders will be more motivated to intensify their efforts as the ruble continues to plummet. Many analysts think that due to sanctions many Russians will be moving to bitcoin until the ruble stabilizes. The Boss, “Stern”, provides payment via bitcoin to all workers under Conti. Many of Conti’s workers ask “Stern” directly for payment via bitcoin throughout the leaks. However, in the chat logs, we also see top-level managers providing burn rate summaries of their team’s workers and asking for payment from Stern.
Teams are divided into groups, and each group is assigned a team leader. If the size of the group exceeds a certain threshold, the group may have multiple leaders. Team leaders are responsible for issuing work cases, helping with builds, networks, and other technical issues related to software, providing manuals and guides to newly developed software, and ensuring their workers have the support they need to succeed. The workers are explicitly required to “Listen, Do, Learn, and Ask questions, Follow the guides and instructions, complete the assigned tasks”. The screenshot below is an example of what each group’s workers are expected to do:
Conti is constantly hiring talent. Some messages from team leads contain requests for Full Stack developers, Crypto developers, C++ developers and php developers. Once hired, they are assigned to a team to create different tools like lockers, spamming tools, backdoor tools and/or admin panels. Many of the web applications had previously been written in php, and the released software was missing code and was almost impossible to get working. This all had to be fixed. Reverse Engineers are tasked with diffing Microsoft updates to know what changes come after system updates. In a recent discussion, the boss tells a team lead: “We need someone to keep track of fixes from MS and the like to know what changes come after system updates, office updates, etc. Just like they track us, we need to analyze them and be aware of all the current changes right away. What do you think about that?” They also reverse engineer endpoint protection products to bypass protection that may tamper with or inhibit their success in any way. The OSINT teams look for targets by collecting information from openly available sources online with various techniques. Admins assist in managing compromised enterprise networks and collecting the victim information most critical to their business in order to extract the maximum payment. Testers help by evaluating and verifying that the Conti tooling does what it is supposed to do in specific environments. The chat logs reveal a daily Windows Defender signature test to ensure that Conti’s tools would not be detected.
Hunting For What Matters
When Conti compromises an organization, they follow specific processes that they’ve used in the past to ensure a foothold in the network. When the Conti group compromises Active Directory, they are looking for potentially interesting people like an admin, an engineer, or someone in IT. Many companies think that backups are sufficient, but Conti hunts for backup servers to encrypt the backups, and training manuals reveal that they know techniques to bypass backup storage vendors’ protections to make sure the backups are encrypted. One of the instructions that stood out the most was a section titled “HOW AND WHAT INFO TO DOWNLOAD”, which states that after raising privileges to domain admin and invoking a share finder, what Conti is interested in is financial documents, accounting, clients, projects, and much more. They understand that the information needed to get the victims to pay depends entirely on the target organization.
III. Conti’s Project Blockchain
In June of 2021, Stern sends a message to the channel asking, “Are there any of us who consider ourselves blockchain gurus and trendsetters? Who might know where to go in this direction and what to develop”. 21 days after his initial inquiry, he messages Logan. He lays out the direction for an altcoin (a coin other than Bitcoin) built on their own blockchain, and he wants Logan to study the system, code, and working principles. Stern’s appetite for a Conti altcoin makes it a high-priority project.
Stern has been involved with ransomware activity for more than four years. In November of 2021, Stern stated that he was losing interest in ransomware campaigns and wanted to set his sights on blockchain technology and new projects. Stern has invested money in the blockchain department, and his blockchain transactions reveal a substantial financial and operational overlap. A security researcher tweeted that Conti and Ryuk pay “stern” direct commissions from ransom victim payments.
The chat logs from February 2022 reveal that there is a blockchain department and that its team lead is Collin. Another team lead, Mango, informed another worker that “blockchain needs people” and that the Boss approves all the expenses, trying to get him to move to that department. In another conversation, between Demon and Van (“you and I are exactly where on the blockchain for two years”), the screenshot below shows how far they are from completing the development of their own blockchain. Based on the leaks, we can infer that they are thinking of writing Conti’s blockchain in Rust, as there are only a dozen or more altcoins written in Rust.
IV. Conti’s Bitcoin Transactions
Conti, like many other ransomware gangs, uses cryptocurrencies like Monero for transaction anonymity. However, it is easier for targeted organizations to get hold of Bitcoin when dealing with ransomware groups like Conti. What we can see when using tools like blockchain.com is the transaction history, amount, time, and bitcoin wallet addresses used to pay Conti’s ransom. We extracted a total of 255 bitcoin wallets from the Conti Leaks. We focused on the transaction history of these wallets and the amounts that were sent for Conti organizational uses like salary, tooling, and services. There are few transactions made to these Bitcoin wallets; many of them had fewer than three payments in total. These wallets act like shell companies: one-off payments to other Bitcoin wallets disguise the transactions so they do not stand out from the norm. Studying the leaks, we see that Conti has spent an estimated 6 million dollars on employee salary, tooling, and professional services from January 2021 to February 2022.
One tool Conti uses when dealing with Bitcoin is Segwit wallets. Segwit stands for “Segregated Witness”, and these wallets use a technique while processing transactions that helps reduce transaction fees. Segwit tackles a major problem with bitcoin’s scalability. It makes the Bitcoin blockchain lighter by storing the witness data on a sidechain, making each bitcoin transaction use 65% less data when recording transactions on the blockchain. The lighter data allows for faster transaction speeds, which leads to reduced fees, and when dealing with the volume of Bitcoin that Conti deals with, this can be a great benefit.
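The wallet extraction described above (pulling bitcoin addresses out of leaked chat text and counting how often each appears) and the Segwit wallets of this paragraph can both be reproduced in a small analyst script. The example below is added here and is not BreachQuest’s tooling or anything from the leaks; the chat lines are constructed, and the addresses in them are public test vectors (the genesis block address and the BIP173 Segwit example). A plain regex over chat logs produces many false positives, so each candidate is checked against its checksum: Base58Check for legacy addresses and bech32/bech32m for Segwit (bc1...) addresses.

```python
import hashlib
import re
from collections import Counter

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Loose candidate pattern; validation below weeds out look-alike strings.
CANDIDATE = re.compile(r"\b(?:bc1[" + BECH32 + r"]{6,87}|[13][" + B58 + r"]{25,34})\b")

def valid_base58check(addr: str) -> bool:
    """Legacy (1...) / P2SH (3...) address: 21-byte payload + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + (n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b"")
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]

def bech32_polymod(values):
    """BIP173 checksum polynomial over 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def valid_bech32(addr: str) -> bool:
    """Native Segwit (bc1...) address: bech32 for witness v0, bech32m (BIP350) for v1+."""
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32 for c in data):
        return False
    values = [BECH32.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = bech32_polymod(hrp_expanded + values)
    return const == (1 if values[0] == 0 else 0x2BC830A3)

def extract_wallets(lines):
    """Map each checksum-valid address to the number of chat lines that mention it."""
    hits = Counter()
    for line in lines:
        for cand in CANDIDATE.findall(line):
            if valid_bech32(cand) if cand.startswith("bc1") else valid_base58check(cand):
                hits[cand] += 1
    return hits

# Constructed sample chat lines (not from the leak); the last two carry a one-character typo.
SAMPLE_CHAT = [
    "2021-06-10 stern: salary for team C goes to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "2021-06-10 mango: ok, our segwit wallet is bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "2021-06-11 bentley: server farm invoice paid from 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "2021-06-12 user3: resend? 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb bounced",
    "2021-06-12 user3: or bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",
]

if __name__ == "__main__":
    for wallet, count in extract_wallets(SAMPLE_CHAT).most_common():
        print(f"{wallet}  mentioned in {count} line(s)")
```

The per-wallet counts are the starting point for the next step in the text, pulling each wallet’s transaction history from a block explorer.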
Conti transfers an immense amount of money via bitcoin. Some security researchers have estimated that Conti’s total revenue is over $2.7 billion. Ransomwhe.re has been tracking the amount of money earned by different ransomware crime groups. They have reported that since September of 2021 Conti has made a total of $50,881,191.17.
Conti puts on an eminently professional façade when conducting several of their business processes. In the “Recruiting/Onboarding” section we dive into how the hiring procedure works for new recruits coming into Conti. The onboarding process might seem unprofessional and unstructured to the recruits, but Conti tries to cover that up with a legitimate HR department. The dodgy recruiting process does deter many candidates but the ones that stay are sure to be well compensated. Based on what was leaked, we can estimate that there have been 485 people that have gone through the Conti system. This includes employees, victims, and potential candidates who may have declined to participate in the group.
Another display of Conti’s professionalism theatrics is in their data and asset recovery process. Conti takes payment seriously; when a target pays the ransom, the recovery of the target’s assets and data becomes “Priority 1” on Conti’s list. Conti even has tech support staff on hand to assist targets, and they are even willing to negotiate ransoms depending on how prominent the target is. This small display of empathy and assistance could be a factor that makes victims more willing to pay their ransoms.
V. Conti Armament
Trickbot is a popular modular malware botnet used for credential theft. Trickbot is spread primarily through phishing campaigns; once infected, victims are subject to system reconnaissance and follow-on ransomware and additional malware infections.
Mimikatz is an open-source application that allows users to view and save credentials. Conti commonly uses Mimikatz to steal credentials and escalate privileges.
Additional Conti reference guides for Mimikatz
Cobalt Strike is used by Conti to deploy software on victim machines to perform malicious actions. Functionality includes command execution, keylogging, file transfer, privilege escalation, and often the installation of Mimikatz. Conti also uses this tool for Command and Control (C2) and payload staging. Additional tools such as obfuscators are used alongside Cobalt Strike to increase Conti’s success rate.
Additional Conti references for Cobalt Strike
The Metasploit framework is an open-source tool used to probe networks and endpoints for vulnerabilities.
The Conti group has searched for exploits related to the CVEs below. The list has 31 high-priority CVEs that Conti has developed exploits for or has researched. Most notably, Zerologon (CVE-2020-1472), a vulnerability in Windows Netlogon that allowed Conti to become Domain Admin with ease, is mentioned in the chat logs.
- cve-2020-1472 [Zerologon]
The Rise of Mini Conti’s
Ransomware attacks have increased steadily over the years, and many groups have emerged since Covid-19 began spreading worldwide and remote work became the norm. Conti is a mature and well-seasoned group that will successfully make any necessary changes to mitigate the long-term damage from these leaks. Conti is known for using spear-phishing campaigns to gain access and for compromising networks through low-hanging-fruit vulnerabilities, and this tactic certainly will not change. The leaks reveal Conti’s arsenal and their mindset, and researchers at BreachQuest believe that many offspring or splinter ransomware groups will appear now that this level of knowledge and insight, never before shared, is public.
To ensure that you’re protected from threat actors like Conti, it’s essential to have a modern XDR that can defend your organization’s endpoints. Organizations must be proactive and take the necessary steps to ensure that their networks are secure from threat actors.
Indicators of Compromise