What does the Conti leak tell us?
Date: February 07, 2022
After Russia went to war against Ukraine, the ransomware group Conti declared that it would defend Russia. This angered one of the group's members (probably Ukrainian), who decided to publish internal group data via the @ContiLeaks Twitter account. He first published Jabber logs (on 18-Feb-2022), then other logs, and finally (on 02-Mar-2022) the source code of the Conti group's tools. It is possible that new elements will be published later.
Vx-underground (a group that maintains a database archiving malware) has downloaded all this data and made it available (in Russian) here: https://share.vx-underground.org/Conti/
English translations of some parts have also been published:
- https://github.com/tsale/translated_conti_leaked_comms
- https://github.com/TheParmak/conti-leaks-englished
- https://github.com/Res260/conti_202202_leak_procedures
There are all kinds of data in these publications. It might be interesting for some companies to check whether their brands or names appear in them. However, according to the [Marchive1] article (listed in the references at the end), victims are normally referred to by code name rather than by real name.
Several journalists have analysed some of this data and published articles on the subject. We summarise below what we learn from the articles published by Brian Krebs (a freelance journalist in the US) and Valéry Marchive (a French journalist for LeMagIT.fr). Some elements were also taken from a (very detailed) article published by the company BreachQuest.com. All the references for these articles are provided at the end of our article.
Conti is considered one of the most active and sophisticated ransomware groups. According to [Krebs4], it is said to have generated a revenue of $180 million in 2021 (the total amount of ransoms collected). However, these figures are difficult to confirm. The [BreachQuest] report, for example, estimates that 50 million dollars have been collected since September 2021, which can be extrapolated to 120 million dollars per year.
The Conti group employs a team of 80 to 100 people who are paid monthly (or twice a month, with a salary of around $1,000 or $2,000 according to [Krebs2], or $500 to $750 according to [Marchive1]) for fairly tedious tasks (e.g. re-generating malicious binaries as soon as they are detected by the Microsoft Defender antivirus). It is constantly recruiting new employees because turnover is high. The [BreachQuest] report built up a detailed organisation chart of the company.
There are strong links between Conti (ransomware) and Trickbot (a botnet that can infect new computers). It is even likely that Trickbot belongs to Conti. There are also links between Conti and Emotet (another botnet) but the link seems less strong.
Ryuk and Conti are two independent ransomware groups, but their working methods are similar to such an extent that one can suspect they have common managers and shared know-how.
There are links between Conti and the Russian government. According to Brian Krebs, the FBI has been asking the Russian government for information about Trickbot for several years. In October 2021 Trickbot was warned that the Russian government was starting an investigation at the request of the US. But Trickbot was largely untouched, and the Russian government seems to have gone after the REvil group (another Russian ransomware group). Key members of REvil were arrested in January 2022 by the Russian authorities.
The US government has been conducting infiltration operations targeting Trickbot for a long time. A major operation was conducted in September 2020. The takedown was unsuccessful, but the infrastructure was disrupted several times and Trickbot finally shut down its infrastructure in February 2022.
The management of the Conti platforms (purchase of tools, VPNs, malware generation, etc.) requires a significant number of people, and the purchases of services and products are numerous. Examples include subscriptions to Crunchbase Pro and Zoominfo (tools used to obtain financial information about Conti victims), Cobalt Strike licenses (attack tool), subscriptions to job boards (to recruit), and security software (to search for vulnerabilities or protect infrastructures). The [BreachQuest] report estimates that Conti spends $6 million a year on salaries, software and service purchases.
Conclusion
There are no big surprises in these articles. They show, for example, that a ransomware group like Conti operates like an SMB, and that these groups have connections to the Russian government (although it is still difficult to measure the extent of these connections). On the other hand, they contain many examples and anecdotes about daily life within these groups.
For more information:
Article from TheRegister summarising the chronology of the data leak:
https://www.theregister.com/2022/03/02/conti-source-code-leaked/
Articles from Valéry Marchive:
- [Marchive1] 01-Mar-2022: https://www.lemagit.fr/actualites/252514027/Conti-dans-les-coulisses-dun-cyber-gang-aux-allures-de-PME
- [Marchive2] 03-Mar-2022: https://www.lemagit.fr/actualites/252514148/Cybercriminalite-reglement-de-comptes-a-OK-Conti
- [Marchive3] 04-Mar-2022: https://www.lemagit.fr/actualites/252514197/Ransomware-comment-les-Conti-preparent-leurs-cyberattaques
Articles from Brian Krebs:
- [Krebs1] 01-Mar-2022: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/
- [Krebs2] 02-Mar-2022: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
- [Krebs3] 04-Mar-2022: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iii-weaponry/
- [Krebs4] 07-Mar-2022: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iv-cryptocrime/
Other articles:
- [BreachQuest] 09-Mar-2022: https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/
- 10-Mar-2022: https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/
Anecdote about the leaked source code of the Conti tools:
https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8