The Russian ransomware group Conti has recently suffered another embarrassing leak: a Ukrainian member has published a treasure trove of internal chat logs and source code. After internal manuals and tools had already been published by a disgruntled member in August 2021, the recent leaks appear to be a reaction to the “official announcement of the group to fully support the Russian government”.
The analysis of the leaked data and chat logs provides insight into how Conti, and probably other similar ransomware groups, coordinate and carry out their operations. Security managers should study this material and adjust their defensive strategies where necessary. What impact the leak will have on Conti is not yet clear. It is possible that the group, as in similar cases before, will apparently dissolve, disappear for a time, then rebrand and resume its activities.
Structure and management
Among other things, the published content included discussions about “salaries”, which also show the size and scope of the ransomware operation, its internal structure and the number of members. Accordingly, there are five different teams: “Main” (62 people), “Reverse” (23 people), “New Coder” (6 people), “Reverses” (6 people; the difference from “Reverse” is not obvious) and “OSINT” (4 people).
The number of team members and the salary figures (estimated at $2 million per year) show clearly that the group operates as a cybercriminal company that invests significant effort in identifying and compromising new companies, stealing data and blackmailing victims.
In addition to paying team members, Conti incurs significant ongoing costs for maintaining its backend infrastructure: besides renting virtual private servers (VPS), the group most likely maintains VPN subscriptions to preserve a degree of anonymity during operations, and it also subscribes to or purchases various security products. Services that accept Bitcoin are preferred.
Attackers buy security products so they can develop and test their tools and exploits against the security solutions used by their victims in a controlled environment, before an intrusion rather than during it. In Conti's case these are probably various antivirus packages, VMware's Carbon Black EDR solution and the SonicWall Secure Mobile Access (SMA) 410 appliance. Conti apparently had difficulty buying VMware Carbon Black directly, so an “intermediary” was used who purchased the solution for a payment of $30,000.
Collecting open source information
Cybercriminals usually carry out reconnaissance before an attack to analyze their target and improve the chances of success. Conti has a dedicated open source intelligence (OSINT) team whose task is to collect information about targeted companies, using both the target's website and common online data sources. The leaked chat logs specifically mention contact database services such as SignalHire and ZoomInfo, which are used to collect names and contact details of potentially important people. These services are normally used by sales and marketing teams, but they are equally valuable to criminals when identifying targets for spear phishing campaigns and selecting contacts for social engineering attacks.
Shodan, a search engine for Internet-connected devices, and a premium subscription to SpiderFoot are also used. Both allow the OSINT team to map a target's Internet-facing assets and identify exploitable weaknesses such as open ports or vulnerable technologies. Conversely, the OSINT team can also use these services to find organizations vulnerable to a particular exploit and pass them on to the exploitation teams. The defensive corollary is that whatever Shodan shows an attacker about your perimeter, you can query for yourself and fix first.
Moreover, Conti appears to use OSINT tactics not only in advance but also during the attack, specifically searching for internal financial information. Economic data about a company can often be obtained from open sources as well, especially if the victim is publicly listed. Combining both sources gives a fairly precise picture of how much a victim is able or willing to pay.
Ransomware groups often use stolen credentials to gain access to exposed services, be it remote desktop protocol (RDP) sessions or web mailboxes, and exploit vulnerabilities in network infrastructure devices such as VPN gateways. Conti also uses the services of so-called “initial access brokers”, which offer such access as a service. The broker receives a share of the ransom payment; according to the leaked documents this is usually 25 percent and can rise to 30 percent for particularly close partners. Since using a broker reduces the group's profits, Conti tries to forgo them and gain access itself. To this end, information about vulnerabilities and exploits is exchanged internally and vendor security advisories are closely monitored, so the time between an advisory being published and the patch being applied is precisely the window a defender should assume is being exploited.
As with most big game hunting ransomware groups, i.e. those that focus on selected high-value targets, Conti also searches for and exfiltrates confidential and sensitive data after penetrating the victim's network, in order to use it later in the extortion process. The August 2021 leak revealed that Conti used, among other things, the legitimate open source command-line tool “Rclone”, which synchronizes files with a wide range of cloud storage backends, to steal data.
As already observed in 2021, the group continues to exfiltrate data to the cloud file storage service Mega.nz, taking advantage of free accounts with 20 GB of storage. In addition, Conti also uses dedicated VPS instances. This is useful to the attackers because some companies block access to cloud storage services such as Mega.nz; by uploading to their own VPS instead, the attackers circumvent this block and are less likely to be detected during exfiltration. For defenders this means that blocking known storage providers is not sufficient: Rclone also speaks SFTP, FTP and WebDAV, so large outbound transfers to otherwise unknown IP addresses deserve the same scrutiny as connections to Mega.nz.
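As an added example (not code from the article, the leak or any Conti tooling), the following Python script runs the kind of detection logic the above suggests over a handful of constructed process-creation and network-flow events: it flags Rclone by the shape of its command line (subcommand, remote:path syntax, typical flags) even when the binary has been renamed, flags any connection to Mega.nz endpoints, and flags large uploads to raw IP addresses made by a process that already looked like Rclone. The key=value log format, host names, PIDs, IP addresses and the 1 GiB threshold are assumptions made for this example.

```python
import re

# Constructed sample telemetry for this example (not data from the leak):
# one process creation ("proc") or one outbound flow ("net") per line.
# Raw string so that Windows paths keep their backslashes.
SAMPLE_LOGS = r"""
evt=proc host=FS01 pid=4812 user=CORP\svc_backup image=C:\Windows\Temp\svchost.exe cmdline="svchost.exe copy D:\Finance mega:backup --transfers 16 --bwlimit 0 --config C:\Windows\Temp\r.conf -P"
evt=net host=FS01 pid=4812 dst=203.0.113.17:22 bytes_out=21474836480
evt=proc host=WS22 pid=1203 user=CORP\jdoe image="C:\Program Files\rclone\rclone.exe" cmdline="rclone.exe lsd onedrive:"
evt=net host=WS22 pid=1203 dst=g.api.mega.co.nz:443 bytes_out=1048576
evt=proc host=WS22 pid=2210 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe D:\report.txt"
evt=net host=WS22 pid=2210 dst=203.0.113.17:443 bytes_out=4096
"""

TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Rclone subcommands and flags commonly seen in exfiltration command lines.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "ls", "lsd",
                "lsl", "mount", "serve", "rcat"}
RCLONE_FLAGS = {"--transfers", "--bwlimit", "--config", "--progress", "-P",
                "--ignore-existing", "--no-check-certificate",
                "--multi-thread-streams"}
# Rclone remote syntax "name:path"; a single drive letter ("D:\...") does not match.
REMOTE_RE = re.compile(r"^[A-Za-z][\w-]+:(?!//)")
MEGA_HOSTS = ("mega.nz", "mega.co.nz")
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LARGE_UPLOAD = 1 << 30  # assumed threshold: 1 GiB outbound in a single flow


def parse_events(text):
    """Turn key=value lines into dicts; quoted values may contain spaces."""
    events = []
    for line in text.strip().splitlines():
        ev = {k: q if q else v for k, q, v in TOKEN_RE.findall(line)}
        if ev:
            events.append(ev)
    return events


def rclone_like(cmdline):
    """Return (suspicious, named): named if the image is literally rclone,
    suspicious also when a renamed binary shows rclone's argument shape."""
    argv = cmdline.split()
    if not argv:
        return False, False
    named = "rclone" in argv[0].lower()
    verb = any(a in RCLONE_VERBS for a in argv[1:3])
    remote = any(REMOTE_RE.match(a) for a in argv[1:])
    flag = any(a.split("=", 1)[0] in RCLONE_FLAGS for a in argv[1:])
    return named or (verb and (remote or flag)), named


def host_of(dst):
    return dst.rsplit(":", 1)[0].lower()


def is_mega(dst):
    h = host_of(dst)
    return any(h == d or h.endswith("." + d) for d in MEGA_HOSTS)


def analyze(text):
    """Correlate proc and net events by (host, pid); return (host, pid, reason)."""
    findings = []
    flagged = {}  # (host, pid) -> label of the suspicious process
    for ev in parse_events(text):
        key = (ev.get("host"), ev.get("pid"))
        if ev.get("evt") == "proc":
            suspicious, named = rclone_like(ev.get("cmdline", ""))
            if suspicious:
                label = "rclone" if named else "renamed rclone"
                flagged[key] = label
                findings.append((ev["host"], ev["pid"],
                                 f"{label} execution: {ev['cmdline']}"))
        elif ev.get("evt") == "net":
            dst = ev.get("dst", "")
            size = int(ev.get("bytes_out", 0))
            if is_mega(dst):
                findings.append((ev["host"], ev["pid"],
                                 f"upload to Mega.nz endpoint {dst} ({size} bytes)"))
            elif key in flagged and RAW_IP_RE.match(host_of(dst)) and size >= LARGE_UPLOAD:
                findings.append((ev["host"], ev["pid"],
                                 f"{flagged[key]} sent {size / (1 << 30):.1f} GiB to raw IP {dst}"))
    return findings


if __name__ == "__main__":
    for host, pid, reason in analyze(SAMPLE_LOGS):
        print(f"[{host} pid={pid}] {reason}")
```

On the constructed input this yields four findings: the renamed Rclone on FS01 and its 20 GiB transfer to a raw IP over port 22, and the genuine rclone.exe on WS22 together with its connection to a Mega.nz API endpoint; the Notepad process and its small flow to the same raw IP produce nothing. In a real deployment the command-line heuristic is the part worth keeping, since an attacker controls the file name but not the argument shape Rclone requires.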
The analysis of an exfiltration VPS instance that has since been taken offline shows which data is stolen: common productivity files such as documents and spreadsheets, as well as database, image and CAD files. It also contained large 7-Zip archives, probably created on the victim's network before the transfer, and mail server data in the form of a Microsoft Exchange EDB file.
The stolen data serves two main purposes: as an additional means of pressure (“Either you pay or we publish the data!”) and, through the financial data it contains, as a way of determining the victim's solvency.
The new Conti leaks offer a rare insight into the inner workings of these criminal organizations and confirm a number of assumptions made by security experts. They also provide insights into the psychology and internal dynamics of the group. Above all, however, they show the technical and tactical approach. With this knowledge, security managers are at least a little better able to detect attacks and identify the corresponding indicators of compromise (IoC).