Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Stories

The latest cybersecurity trends, best practices,
security vulnerabilities, and more

Conti Leaks: Examining the Panama Papers of Ransomware

Introduction

It isn’t often the whole world gets an inside look of the business operations of a top tier cybercriminal group. Very early on in the Russian-Ukrainian Crisis the predominantly Russian based ransomware group Conti made a public statement where they expressed their loyalty to the Russian Administration.

Figure 1. Conti expressing their support to the Russian Administration. Source: BleepingComputer
Figure 1. Conti expressing their support to the Russian Administration. Source: BleepingComputer

As a reaction to this statement and the current conflict, a Ukrainian security researcher, operating by the twitter handle @contileaks decided to publish years of Conti’s internal Jabber conversations online. The chats that were dumped span across several years consisted of thousands of messages making this the “Panama Papers of Ransomware”.

This wasn’t the first time the Conti gang got hit, last summer a disgruntled affiliate posted their attack playbook online, which was full of very useful intelligence for our customers.

Since it was public, the whole security community jumped to review the chats and within hours the first findings appeared on Twitter. Trellix was also quick to obtain the dataset and realized that this might be one of the largest “crowd-sourced cyber investigations” ever seen. What this means is that as a research team you must devise a flexible dissemination strategy because findings by the crowd will appear online. So, it is constant balance between verification of the published findings by others, investing in your own research goals and adjusting some of these goals based on new information.

Even though it was very tempting to dive down the rabbit hole immediately we did make sure we attacked the dataset with a certain plan.

Dissemination strategy; How to avoid the rabbit hole

Attack infrastructure

The first batch of leaked chats were only a couple of days old and ranging back quite some time. From the start we realized that the criminals might have left valuable data on their attack infrastructure in the chats. We wrote a quick extraction script and compared the mentioned network artifacts to our current dataset and saw a lot of overlap. Not only did we see overlap with infrastructure we attributed to TrickBot and Cobalt Strike in the past, but a good portion of the systems we filtered out were still alive and kicking. To prevent any retaliation by the Conti group directed at our customers, blocking this infrastructure was top priority.

Some of these live systems were actually located in the countries where we have a good relationship with Law Enforcement, so naturally we reached out and made sure they got a heads-up to take appropriate measures quickly.

The intelligence gathered from this was very actionable, but with a short shelf life, the next stop for us was tradecraft.

TTPs and tradecraft

Due to the severity of the leaks, there was a good chance that the Conti gang would rebrand or disperse it members across other ransomware families. In the prior leak where Conti’s playbook got dumped online there were excellent descriptions of the different tools and scripts they would use to attack their victims. So, looking at around 200 thousand leaked messages (Conti & TrickBot leaks combined) span over the period 2020-2022, it was likely members would share custom TTP’s or tradecraft amongst each other.

By filtering tool names and command line structures we found several examples where members discussed tool usage. Given the crowd sourced nature of this dump we would also like to thank The DFIR Report for their excellent findings which they published via their Twitter account.

Affiliates might leave Conti and their network, but wherever they go they will take along their tradecraft. Without an external intervention, like an arrest, we should anticipate that cybercriminals won’t stop their line of business, and thus we can expect to see their TTPs pop up in the future. However, through proper dissemination of the data we were able to empower many of our XDR product teams to improve the product efficacy against this tradecraft and incorporate our findings in MVISION Insights for customer visibility.

Did we ignore the juicy conversations completely? Not at all, fortunately we have a native Russian speaking research capability that made a huge difference while going down the rabbit hole. In the following section we will highlight some of the findings we found interesting to share.

Interesting chats

For transparency purposes we have included both the original Cyrillic and our human translated text to allow readers to delve into the intricacies of some of the Conti’s discussions. For readability purposes we have put the original leaked messages into 1-2-1 conversations to make it easier to understand/follow the context.

Conti as an enterprise

It is fascinating how much Conti resembles an ordinary firm with an office building, HR and other departments (testers, reversers, OSINT, coders, training team, etc.) with their regular salaries on the 15th and 30th of each month. Working hours are 10.00-18.00 Moscow time, five days a week. Stern is the boss who oversees everything and has 100 people on the payroll. “The weekend are the weekends. And nobody cancelled the vacations and sick days. All the other holidays - with the management's agreement” says Salmon (recruiter) to new hire-coder Core. According to Bentley (manager), he worked there for a year, but the company has existed for more than 10 years. Below are excerpts from various chats which provide a good glimpse into Conti’s organization and the presence of a physical office(s) in Russia:

Figure 2. Target's messages to Stern about office expenses

Figure 2. Target's messages to Stern about office expenses

Figure 2. Target's messages to Stern about office expenses

Figure 3. Mango to Stern about teams’ monthly salary Figure 3. Mango to Stern about teams’ monthly salary
Figure 3. Mango to Stern about teams’ monthly salary Figure 3. Mango to Stern about teams’ monthly salary
Figure 3. Mango to Stern about teams’ monthly salary

Figure 4. Mango to Qwerty about team composition

Figure 4. Mango to Qwerty about team composition
Figure 4. Mango to Qwerty about team composition

It is particularly interesting that in the Conti-TrickBot enterprise they are very careful about malware code overlapping. They have external experts who scrutinize developed illegal software code and ensure the code fingerprints are unique to each team of coders. Avoiding overlap seems to be important to segregate activities of different sub-teams and make it difficult for security researchers to piece various Russian speaking threat actors’ campaigns together.

Figure 5. Salmon to Core about company’s policy on intellectual property

Figure 5. Salmon to Core about company’s policy on intellectual property
Figure 5. Salmon to Core about company’s policy on intellectual property

Possible government connections

According to Angelo (tester/coder), Stern is closely affiliated with FSB or other structures and works for ‘Pu’. If Stern was not as almighty as God, they all would have ended up as REvil:

Figure 6. Angelo saying to Hammer that Stern is close to FSB Figure 7. Elroy and Angelo discussing how almighty their boss Stern is
Figure 6. Angelo saying to Hammer that Stern is close to FSB

Figure 6. Angelo saying to Hammer that Stern is close to FSB Figure 7. Elroy and Angelo discussing how almighty their boss Stern is
Figure 7. Elroy and Angelo discussing how almighty their boss Stern is

The Conti leadership was concerned over the situation surrounding the REvil ransomware group. However, Conti believed Russian authorities arrested only the lowest ranked members of REvil who were involved in the cash out.

It is worth mentioning that Basil (tester/coder) was asked if he is from FSB, he subsequently replied he had serious intelligence related to Ukrainian border activity. This statement was made seven days prior to Russia’s incursion into Ukraine:

Figure 8. Basil and Elroy on REvil arrest

Figure 8. Basil and Elroy on REvil arrest
Figure 8. Basil and Elroy on REvil arrest

In another conversation involving Target (manager) he stated if they indeed encrypted Credit One Bank Troy (tester/crypter) would get a reward in the Kremlin:

Figure 9. Target to Troy saying he gets a reward in the Kremlin Figure 9. Target to Troy saying he gets a reward in the Kremlin
Figure 9. Target to Troy saying he gets a reward in the Kremlin

Occasionally Conti seems to be asked to do so-called ‘pioneering’ (volunteering) work on a special request from one of two ‘offices’. As Soviet Pioneers (aka scouts) they do their fair share of work similarly to what Cozy Bear does:

Figure 10. Stern and Professor discussing what they need from Academi hack

Figure 10. Stern and Professor discussing what they need from Academi hack
Figure 10. Stern and Professor discussing what they need from Academi hack

It is probable that one of the two offices is a so-called ‘Bolshoy Dom’ (Big House), an office building located at 4 Liteyny Avenue which serves as the headquarters of Saint Peterburg’s local branch of FSB:

Figure 11. Target to Professor mentioning FSB’s HQ address

Figure 11. Target to Professor mentioning FSB’s HQ address
Figure 11. Target to Professor mentioning FSB’s HQ address

In line with geo-political interests of Russia, Conti seems to have a ‘stop’ on China and get terrified every time they see a Russian company or ‘OOO’ abbreviation (equivalent of ‘LLC’ in CIS countries) in the list of their victims:

Figure 12. Target and Troy discovered a RU entity in their list of potential victims Figure 12. Target and Troy discovered a RU entity in their list of potential victims
Figure 12. Target and Troy discovered a RU entity in their list of potential victims

Figure 13. Troy confirms to Target they have a stop on China Figure 13. Troy confirms to Target they have a stop on China
Figure 13. Troy confirms to Target they have a stop on China

All these messages corraborate the fact that Conti-TrickBot enterprise has a close relationship with Russian government and/or act in its interests.

Collaboration with other Malware families

Conti-Ryuk

Collaboration with Ryuk seemed to have started around August 2020 when Stern said, “Ryuk is going start as of Monday.Target seemed to responsible for updating Stern on how the Conti-Ryuk collaboration was going and if Ryuk team is able to work together and smoothly with his team:

Figure 14. Conti-Ryuk initial plans on collaboration

Figure 14. Conti-Ryuk initial plans on collaboration
Figure 14. Conti-Ryuk initial plans on collaboration

As per the chat between Stern, Target and Troy, it is evident that from September 2020 to October 2020 Conti-Ryuk successfully executed attacks on Sopra Steria, Steelcase, Merieux NutriSciences and Northern Trust and received 1.5 million (currency is unknown) in ransom payments:

Figure 15. Potential victims of Conti-Ryuk collaboration Figure 15. Potential victims of Conti-Ryuk collaboration
Figure 15. Potential victims of Conti-Ryuk collaboration

Conti-Maze

The first mention of Conti-Maze potential connection dates back July 2020, when Kevin (coder/crypter) says to SternProf took a different locker as far as I understood. Appears to be Maze. Said he has rolled it at night”. Then Kevin suggests to Prof (team lead/manager) that Conti-Maze negotiation should be handled by Stern himself as he is more experienced. He then says Maze will take 25-30%. It seems that Prof contacted developers of Maze and managed to get the ransomware build which was later given to Conti reversers to figure out how it works and build a locker “not worse than Maze, and even better”:

Figure 16. Reshaev to Stern advising a new Maze-based locker will be better than Maze Figure 16. Reshaev to Stern advising a new Maze-based locker will be better than Maze
Figure 16. Reshaev to Stern advising a new Maze-based locker will be better than Maze

When it comes to Conti-Maze victims, it seems that both were involved in hacking Academi (former Blackwater), a U.S. private military company who provides services to CIA. “We [expletive] Academi for almost a year” says Target to Dandis (tester). Academi and the affiliated Triple Canopy, Olive Group Capital Ltd, Strategic Social LLC and Constellis Group were all infected/hacked around mid-July 2020 and Maze had negotiations in one of the victim’s networks. Stern informed his subordinates that they are primarily looking for chats, contracts, PII, emails and accounting and that the request seems to be originating from one of the two ‘offices’ (see above, the chat where they mentioned Cozy Bear). Target reports to Stern they infected 30+ military companies along with some agencies, one of which is The US Environmental Protection Agency:

Figure 17. Stern and Revers’s discussion around Academi hack Figure 17. Stern and Revers’s discussion around Academi hack

Figure 17. Stern and Revers’s discussion around Academi hack Figure 17. Stern and Revers’s discussion around Academi hack
Figure 17. Stern and Revers’s discussion around Academi hack

 

Figure 18. Target to Stern about 30+ military companies they infected Figure 18. Target to Stern about 30+ military companies they infected
Figure 18. Target to Stern about 30+ military companies they infected

Conti-Netwalker

Mid-April 2021 Stern asked Bentley and Professor to add Netwalker’s jabber account to their contact list. In mid-2020, Trellix wrote an in-depth blog on Netwalker explaining not only their malware but how we uncovered a large portion of their funds. In January 2021, Law Enforcement managed to takedown the Netwalker’s dark web site and arrested an affiliate based in Canada. After these interventions, it got really quiet arround Netwalker. Given the appearance date of the Netwalker moniker within the Conti jabber server, it is possible that Netwalker affiliates found a new home within the Conti group.

According to Stern, Netwalker will use the TrickBot botnet to distribute their malware. Bentley was in charge of onboarding Netwalker to their admin panel, VNC, etc. and providing them with tested LNK/XLS files with payload to use in their campaigns. It looks like there was friction in the beginning of the collaboration and Netwalker did not get the promised bonus from Stern, and Stern did not like that Netwalker was passing the Citrix’es given to him to other parties:

Figure 19. Initial friction between Netwalker and Stern

Figure 19. Initial friction between Netwalker and Stern
Figure 19. Initial friction between Netwalker and Stern

Later in May 2021 Netwalker provided Stern the details of their two potential victims, Blackbaud, Inc. and Ellsworth Adhesives, and asked him to pay to his team as they worked hard:

Figure 20. Potential Conti-Netwalker victims

Figure 20. Potential Conti-Netwalker victims
Figure 20. Potential Conti-Netwalker victims

Blackbaud, Inc. disclosed that they indeed paid ransom to the perpetrators but never mentioned who they actually were nor the amount of ransom they paid.

Conti-Lockbit

There is a hint of Conti-TrickBot potentially collaborating with LockBit group. At the beginning of November 2021, Defender (manager) said to Stern that the account Brom was (re)created in Group 6 for LockbitSupp (an alias strongly associated with LockBit ransomware group):

Figure 21. Defender advising to Stern he added LockBitSupp to their Jabber Figure 21. Defender advising to Stern he added LockBitSupp to their Jabber
Figure 21. Defender advising to Stern he added LockBitSupp to their Jabber

Two weeks after, Mango (team lead/manager) told Stern that there was misunderstanding with LockBit and asked him about the percentage of networks and revenue they will take from LockBit in case of successful collaboration:

Figure 22. Stern to Mango on percentage of revenue they take from Conti-LockBit collaboration Figure 22. Stern to Mango on percentage of revenue they take from Conti-LockBit collaboration
Figure 22. Stern to Mango on percentage of revenue they take from Conti-LockBit collaboration

TrickBot, Buer, Amadey and IcedID

On June 26, 2020, Taker (tester) who just began the conversation with Stern asked questions around what TrickBot was and how it got started. “It started as a banking bot, gathering logs, logins, and passwords. It was a financial matter” replied Stern. Later in October 2020, Target said to Troy, “They managed to connect Cobalt, Bazar and TrickBot together. They figured that TrickBot is us.” On the August 19, 2021, Professor got furious when somebody mistakenly included the TrickBot module designed to not infect CIS countries into Diavol ransomware (aka Conti) build, which allowed security researchers to attribute TrickBot and Conti teams to the same threat actor:

Figure 23. Professor advising Stern TrickBot module was added into Conti ransomware build Figure 23. Professor advising Stern TrickBot module was added into Conti ransomware build
Figure 23. Professor advising Stern TrickBot module was added into Conti ransomware build

Amadey and Buer were also mentioned multiple time in Conti chats as alternative loaders. In June 2020, Price (coder) said to Target, “Hof referred me to a hacker forum, I got access to it (for money) and copied Buer’s entire ins and outs from there.” As for Amadey loader, it looks that Conti team bought it and every time Amadey required a ‘re-crypt’ they would pay for that.

Furthermore, Leo (coder) from Conti gang appears to be the creator of IcedID loader which in May 2021 was ‘on the first place among infections’:

Figure 24. Leo is the creator of IcedID malware Figure 24. Leo is the creator of IcedID malware
Figure 24. Leo is the creator of IcedID malware

Conti’s victims: NGO, Medical institutions among others

We went through the Conti leaked messages and compiled a list of their potential victims which mainly includes EU and U.S. entities across various sectors. Most of the 103 potential victims we have identified were located via a Zoominfo URL Conti used to check a company’s size and revenue to determine a ransom amount to ask. “Found a way of buying a Zoominfo account, 2 managers for Buza, for his pricing research, the price is 2k” advised Mango to Stern. Later Stern said to Mavelek (coder/tester), “@ali has a script to check domains on Zoominfo to get data on number of employees and the revenue of the company.

Between 2020-2022 Conti and its affiliates targeted and potentially attacked twelve healthcare organizations (clinics, hospitals, care houses including UHS, Prodemica, Geo Group), five educational institutions (schools, colleges, universities, etc.), a charitable organization, a governmental agency, and numerous companies in financial, retail, business services, manufacturing, and other industries:

Figure 25. The chart gives an overview of the Conti’s potential victims by sector
Figure 25. The chart gives an overview of the Conti’s potential victims by sector

Call center services

Among other departments, Conti has a team of callers. A caller is required to have a good knowledge of spoken English (level B2-C1) and between age 18 and 25. They are recruited by Conti’s HR team to work remotely for ‘an online store’ abroad. The callers earn $450-500 a month (salary increases by $100 - $200 - $300, depending on the success of the call-centre), working hours are 18:00-2:00 Moscow time (correspond to usual working hours in Western hemisphere), and they receive paid holidays but get no official contract as per the Labour Code.

Below are Mango’s messages to Stern where he suggests some improvements around blackmailing/call-center and explains a concept which is ‘more or less’ working for them:

Figure 26. Mango’s vision on how their call center should operate

Figure 26. Mango’s vision on how their call center should operate
Figure 26. Mango’s vision on how their call center should operate

Here is a call sample from Conti’s caller to one of their victims, curtesy of Northwave Security:

Conti call sample.mp3

Cybercriminal entrepreneurship (crypto and Forum)

By end of May 2021 Stern instructed Mango to get in touch with the administrators of exploit forums to see if they were willing to sell to Conti. “Also get a list of forums which can be considered for sale. XSS - find out a list of active users, per day, week, month. The same for Antichat and WWH,” continued Stern. Later Mango replied that WWH had laughed out loud at their offer and that hxxp://korovka32xc3t5cg[.]onion and hxxp://crdclub4wraumez4[.]onion were available for sale. However, he advised those forums are rubbish, a hotbed of grifters, and instead of trying to buy a forum they should create one on their own. The following is Mango’s suggestion to which he got a ‘go-ahead’ from Stern:

Figure 27. Mango to Stern on their new hacker forum and it’s functionalities

Figure 27. Mango to Stern on their new hacker forum and it’s functionalities
Figure 27. Mango to Stern on their new hacker forum and it’s functionalities

In July 2021, Mango sent two design suggestions for the social network (aka forum) to Stern – one in dark-green and another in dark-blue color schemes. Stern approved the dark-green variant for the forum and suggested it was ready to make it available with a minimum functionality:

Figure 28. Two design suggestions for the hacker forum Figure 28. Two design suggestions for the hacker forum
Figure 28. Two design suggestions for the hacker forum

Below are the conversation extracts between Stern and Mango, full of entrepreneurial spirit, where they brainstorm what functionalities the forum should have and what might potentially work for it and what might not:

Figure 29. Mango and Stern discussing their new hacker forum Figure 29. Mango and Stern discussing their new hacker forum
Figure 29. Mango and Stern discussing their new hacker forum

Later Mango suggested a potential domain for the forum and a logo for it: “matryoshka[.]space (already with the domain:)) and as a logo matryoshka but angry, in our color scheme, dark-green, and may be draw a laptop next to it. In principle matches the theme. We are one big system amongst the multiple other sub-systems in one place. And it is clear that it is a Russian theme. It is going to be cool, and easy to remember, I think it will resonate with everyone”.

Purchase of Carbon Black and SonicWall

In March 2021 Stern said to Defender that he needs Carbon Black AV. In April 2021 Mango asked Professor if 60k (currency is unknown) is a lot for Carbon, 30k for the firm who buys and 30k for the Carbon itself for 250 PCs. A week later it seems that Mango managed to purchase Carbon Black via a firm in France for 14.8k euros (plus 20% for BTC conversion and 30k for the firm as promised). However, Stern did not take Carbon Black AV and in July 2021 Mango asked him why they aren’t doing anything with Carbon Black to which Stern replied that originally Ryuk needed it and now for some reason they no longer do:

Figure 30. Stern advising to Mango Carbon Black AV was bought for Ryuk team Figure 30. Stern advising to Mango Carbon Black AV was bought for Ryuk team
Figure 30. Stern advising to Mango Carbon Black AV was bought for Ryuk team

In February 2021 Stern said to Swift (tester/coder) that he also needs SonicWall solution. He broadcast to all the contacts in Jabber “Who can figure out the vulnerability in SonicWall and make a working scanner for it?” to which Ghost (tester/coder) replied “This one, CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability, right?”. The CVE-2020-5135 is a CVSSv3 9.4/10 critical vulnerability which was fixed around November 2020 and according to SonicWall PSIRT there was no exploitation observed in the wild. Mid-April 2021 Mango advised Stern there are several ways to buy SonicWall (even a new model SMA 410) and later that they manage to buy new as well as refurbished ones:

Figure 31. Stern advising to Mango Carbon Black AV was bought for Ryuk team Figure 31. Stern advising to Mango Carbon Black AV was bought for Ryuk team
Figure 31. Mango to Stern on the purchase of SonicWall

There is not much further information regarding SonicWall, except that in June 2021 Subzero (tester/coder) advised to Stern that he “figured out the SonicWall”.

Conclusion

Financially motivated cyber criminals have a history of collaboration across borders and often stay away from politics. However, the current Russia-Ukraine conflict isn’t one to ignore, not even for cybercriminals, as they are forced to choose sides.

The ContiLeaks and TrickBotLeaks were a direct result of this conflict. The leaks are of an unprecedented level and show the world how a government backed, multimillion-dollar ransomware gang operates. In some fashion it was almost like a normal business; wages needed to be paid, software licenses obtained, customer service initiated, and strategic alliances had to be formed. However, make no mistake, this business is dealing in top level cybercrime, with a strategic alliance to an intelligence apparatus responsible for several nation-state attacks.

In our line of work, we are often aware of technical innerworkings, partnerships between malware families and suspected nation state relationships but reading the internal conversations and having our suspicions confirmed was very insightful.

Get the latest

Stay up to date with the latest cybersecurity trends, best practices, security vulnerabilities, and so much more.
Please enter a valid email address.

Zero spam. Unsubscribe at any time.