Analysis of leaked Conti files blows lid off ransomware gang
Not only is this payback sweet, it gives network defenders valuable intelligence
It was a Ukrainian security specialist who apparently turned the tables on the notorious Russia-based Conti, and leaked the ransomware gang's source code, chat logs, and tons of other sensitive data about the gang's operations, tools, and costs.
Since then, infosec researchers around the globe have been wading through this silo of intelligence, which reveals the inner workings of the criminal enterprise.
"I call this the Panama Papers of ransomware," Trellix's head of cyber investigations John Fokker told The Record. Trellix is the cybersecurity company previously known as the combined McAfee Enterprise and FireEye.
Conti, it should be said, has the ransomware business model down to a science. It extorted an estimated $180m last year, making it the most lucrative ransomware operation of 2021, according to the latest Crypto Crime Report from security shop Chainanysis. As of late February, Conti's primary Bitcoin address contained more than $2bn in digital currency, according to a Rapid7 report.
But, as with any business, it incurs significant expenses from paying employee salaries in BTC, and maintaining its infrastructure, according to data security biz Varonis.
"In addition to renting virtual private servers (VPS), favoring services that accept Bitcoin, the group most likely maintains VPN subscriptions to maintain a layer of anonymity when conducting their operations, as well as subscriptions to or purchases of various security products," it wrote.
Other leaked documents provide insight into the ransomware gang's hirings and firings, according to analysis by forensics firm BreachQuest. The security vendor provided a detailed Conti org chart that shows Stern, "the big boss," at the top with henchmen responsible for HR and recruitment, blogging and negotiating, training, and blockchain wrangling, plus teams underneath.
- Conti ransomware gang's source code leaked
- Alleged REvil suspect extradited and arraigned on ransomware spree charges
- Ukraine invasion: This may be the quiet before the cyber-storm, IT staff warned
- Ragnar ransomware gang hit 52 critical US orgs, says FBI
It turns out that even criminal operations are having difficulty hiring and keeping good staff these days. "Conti understands that the turnover ratio of workers is also very high due to the fact that they are running a criminal organization," BreachQuest wrote. "The Conti group has an HR/Recruiter that assists with the continual finding and recruitment of new candidates."
While Conti has been known for big game hunting — or focusing on high-value targets that will likely pay big bucks to get its encrypted data restored, or to prevent exfiltrated info from being publicly leaked — BreachQuest goes into detail about how Conti ensures that its processes pay off:
When the Conti group compromises Active Directory, they are looking for potentially interesting people like an admin, engineer, or someone in IT. Many companies think that backups are sufficient, but Conti hunts for backup servers to encrypt the backups as well as training manuals reveal that they know techniques to bypass backup storage vendors to make sure the backups are encrypted.
One of the instructions that stood out the most was a section titled "HOW AND WHAT INFO TO DOWNLOAD" that they state after raising the privileges to domain admin and invoke share finder, what Conti is interested in are financial documents, accounting, clients, projects, and much more.
CyberArk posted its own analysis of the Conti leaks, and says the information can help organizations protect themselves. One of the data dumps included 12 git repositories of what's said to be internal Conti software.
"Upon quick inspection of these repositories, most of the code appears to be open-source software that is used by the Conti group," the analysis said. "For instance, yii2 or Kohana is used as part of (what seems to be) the admin panel. The code is mostly written in PHP and is managed by Composer, with the exception of one repository of a tool written in Go." ®