This is the first of two blog posts, where we focus on the Conti ransomware group whose training material was recently leaked on a cybercrime forum. To provide some context to this analysis, we describe Conti’s evolution and success since its origin. We then contextualize the leaks thanks to our observations on underground forums and analyze it in terms of threat intelligence. The second blog post will give some details on the techniques used by Conti operators and how to detect them.
The origin of Conti ransomware
Conti and Ryuk were developed and operated by a group dubbed Wizard Spider by CrowdStrike (aka UNC1878, Grim Spider, Conti gang) and some affiliates. Wizard Spider started its activity in 2016 by conducting financial fraud campaigns using the TrickBot banking trojan¹. The link between Conti and Wizard Spider was confirmed by Clearsky, following a bitcoin transaction after a successful ransomware attack².
In August 2018, the actor previously using TrickBot started to use a new ransomware called Ryuk to target large organizations, asking for high ransom amounts. Wizard Spider seemed to follow the Big Game Hunting (BGH) trend started by BitPaymer’s gang one year earlier³. Ryuk’s activity made the project famous in the ransomware business. According to Coveware, in Q1 2020, the average ransomware payment on behalf of the group was over $1.3 million. During this period, we can note the attacks against major US companies such as Electronic Warfare Associates (EWA), a US Government contractor⁴.
Average ransomware payment of Phobos, Ryuk & Sodinokibi in Q4 2019 and Q1 2020⁵
The group has constantly evolved its arsenal, reacting to attempts to block them. In 2020, they developed BazarLoader, which has a high level of obfuscation. They also regularly added known vulnerabilities such as Eternal Blue, Zerologon, and more recently, PrintNightmare to their arsenal.
Their loaders were often delivered through phishing email or credentials previously obtained from Emotet or IcedID activity. The affiliates probably used accesses sold by initial access brokers.
Conti appears in February 2020 as a Ryuk successor using the new data blackmailing technique⁶ (aka double extortion technique). They created a website to publish stolen data in case of non-payment of the ransom and to have a good-looking chat interface to communicate with victims and others. According to ransom notes SEKOIA studied, Ryuk operators used to communicate with victims through secure email services such as Protonmail or Tutanota.
Threatening to leak sensitive files is great to increase the pressure on companies and therefore increase the probability that the ransom will be paid and to increase its amount. Note that Wizard Spider seems to consider the file decryptor and the deletion of the stolen files as two different services.
Old Conti leak website
New Conti leak website
The double extortion technique used by Conti has apparently paid off: the group claims more than 150 successful attacks and $20M of paid revenue by the end of 2020⁷. Based on our observations, Conti is the most prolific group since January 2021, with more than 300 publicly disclosed ransomware attacks this year.
This success is partly due to the efficiency of the group’s tools. Indeed, in 2020, the Conti ransomware was one of the fastest to encrypt a computer by running 32 concurrent threads, using AES-256 keys bundled with a RSA-4096 public key. The encryption and data exfiltration speed has since been a marketing argument in the ransomware community and was greatly improved by other groups. One of the Conti ransomware specificities is that it can be used in command line to encrypt the local hard drive or network shares.
Comparative table created by LockBit 2.0 group (available on their website)
Another specificity that indicates a continuity between the activities of Ryuk and Conti is Ryuk’s habit of demanding ransom payments proportional to the revenues of the targeted company that has continued with the Conti ransomware. Once their affiliates compromise a target, they send the operators a report containing information about the victim (name, website address, number of servers and endpoint locked, amount of stolen data, and target’s revenue) to help during the ransom negotiation.
Conti’s negotiators are experienced and patient. They use the anchor technique by setting a very high first price and negotiating it. They use a service-oriented rhetoric, calling the victim “customer” and themself “support”.
Unlike other ransomware gangs, Conti did not hold back from attacking the hospitals during the COVID-19 crisis⁸.
An internal discord at the origin of the Conti’s training material leaks
On August 5, 2021, a XSS cybercrime forum member known as “m1Geelka” leaked a Conti ransomware group’s training material. The “manual” includes some insights on the modus operandi of one of the most successful ransomware cartels at the moment.
From our observations of the discussions between different actors, “m1Geelka” is believed to be one of the Windows Administrators of the group. After allegedly working for Conti (or as he states, “I got in there to find out how they work”), “m1Geelka” judged the remuneration formula to be unfair and decided to do justice to the group’s “partners”.
In fact, the cybercriminal community has repeatedly voiced that Conti’s alleged remuneration was inadequate, given the qualifications they are looking for. Starting from $1,500 and from $2,000 for technical profiles, wages are, however, constantly being adjusted upwards, and accompanied by regular bonuses, all paid in BTC – the group states.
Even so, “m1Geelka” was promptly expelled from the Russian-speaking underground community. He has broken one unwritten rule that dictates the law in this medium: conflicts have to be solved through private arbitration processes.
This has also driven us to pay close attention to the most recent activity of a Conti representative on a forum where he was particularly active from June to August 2021. “IT_Work” is the online persona of a suspected threat actor who handled the group’s expansion this summer.
The Conti’s representative profile on XSS forum, banned since August 6, 2021
As commercial activities related to ransomware are now prohibited on this platform, no advertisements for the used software, nor any specifications about the targeted countries or industries were seen. Instead, we observed a massive recruitment campaign on the XSS cybercriminal forum which is highly popular among ransomware operators seeking to create new partnerships.
“We are a small recruitment team” – “IT_Works” states. He announced “lots of vacancies” in June 2021, so candidates were encouraged to apply for job openings or to make spontaneous applications. “No formalization under the Labor Code” is stipulated, as to comfort some and prevent others.
There were over a dozen job openings on behalf of Conti spotted in less than two months, revealing a highly specialized and organized group structure. As commonly observed among ransomware groups originating from Russia or countries within the Commonwealth of Independent States (CIS), the communication is performed in Russian and the job listings are addressed to “Russian speakers only!”.
An example of a job listing posted by a Conti representative on June 11 on a Russian-speaking cybercriminal forum. Translated from Russian, the post reads:
“Vacancy for the position of Business Analysts. Required Skills: Business English (reading) required, conversational is a big plus; Knowledge of business particularities in the U.S.; Analytical skills, attention to detail; Advanced PC user. Responsibilities: Analysis of B2B markets; Analysis of companies’ financial statements, and other public data obtained from government institutions; Drawing up cases on key players on the financial and industrial markets […]”
A close look at these messages allows us to draw up a rough picture of the Conti’s internal structure, which can be imaged as follows:
An overview of how the Conti Group is structured, based on statements recently made by its representatives on different cybercriminal forums
This is slightly out of the ordinary job offers that other ransomware groups publish (most often for pentester positions). Of particular curiosity is the position of Asterisk Administrator. Based on a July 2021 announcement by Conti, a dedicated Asterisk VoIP service was in development, probably to initiate phone conversations with the victims or the victim’s partners or employees, in order to put more pressure on them. Threat actors are particularly interested in the “Auto Redial” feature of the Asterisk framework to put the phone number on automatic dial repeatedly, until the called party picks up the phone.
The group is also looking for Web Designers with “really creative ideas“ and UI/UX Designers “to design layouts of websites and individual user interfaces of web applications”.
To study potential victim’s activity or to analyze the already attacked ones, Business Analysts are wanted. They must be proficient in English and know the business particularities in the U.S, have good analytical skills and “pay attention to detail”. Business Analysts working for Conti prospect the B2B market, collect and analyze companies’ financial statements and other public data obtained from government institutions, and they are also drawing up cases on key players on the financial and industrial markets, according to “IT_Works”.
What is also quite unique is the well-structured corporate approach Conti adopted: their “partners” have paid vacations and sick leaves. They usually have a 3pm-1am, Monday to Friday work schedule, remote only.
What do the Conti leaks tell us?
Following the first leak release, we decided to analyze its content and tried to assess how useful it could be in terms of threat intelligence and detection.
The archive, retrieved by vx-underground⁹, contains a majority of text files written in russian, a few archives, binaries, scripts, and softwares (e.g. Cobalt Strike 4.3, Router Scan), and what looks like an unstructured manual explaining to Conti affiliates how to operate.
A public quick English translation¹⁰ has been made available to organize the leak with three main attack steps: Increasing privileges and information collection, Uploading data and Lock. For each step, each manual provides one or more tools/techniques to reach the objective with a kind of best practices approach and a collection of the best tools to use.
There is no new tool or technique to discover, everything is quite old and renowned (e.g. Mimikatz) and should already be detected. Although they are up-to-date with the latest vulnerability and have a manual for “PrintNightmare” (CVE-2021-34527, that is still not fixed by a proper patch from Microsoft). Obviously they also try to use Microsoft built-in tools as much as possible to blend-in with legitimate activities in order to avoid detection (e.g. powershell, wmi).
Some recommendations are made in terms of operational security in the manual files translated as “Anonymity for the paranoid” and “Personal safety” (not available in the public English translation):
A couple of notes on posts about anonymity for the paranoid:
- Concerning Kali and other operating systems for hackers. There is a group of people (Hackers) that needs to be tracked. Technically, this problem is difficult to solve. It’s easier to play on human weakness (laziness) and gather everyone together by providing a properly advertised, convenient, ready-made and popular solution. I think the idea is clear. I advise you to use Debian or build something of your own.
I think everyone here works through a virtual machine. Therefore, I advise you to install the virtual machine on the encrypted volume using VeraCrypt.
1 download Veracrypt
2 you will need to allocate space on your disk for a file / or encrypt the entire disk at once
An important rule is that you will have to install the virtual machine again, because, unfortunately, when you encrypt your old working virtual machine, an insurmountable error will appear in the code and it will no longer start. This is not a big problem, because you can get all your files from the image of your old virtual machine via 7ZIP.
Because they are hunting for administrator accounts, they are also cautious about their reaction. In the following extract from the “Hunting admins, please read, very useful !!” manual, a very explicit warning is made to dissuade an attacker to directly login to a computer session of an administrator:
Next is an IMPORTANT POINT.
First of all, beginners try to raise a session there and VERY OFTEN catch an alert. Alert at the admin = cutting out of the network, loss of time, nerves. Do not do this!
What we’re going to do is poll it through the file system.
But at the same time they could go for a live brute force of accounts when required, and as noticed by other researchers¹¹, use the same example directory (i.e. “ProgramData”) for all their command outputs which probably leads to a lot of copy/paste.
“ProgramData” directory usage example
Their discovery, collection and exfiltration methods match a lot with other ransomware groups and most of the time the techniques described aim for efficiency more than stealthiness.
Overall the archive reveals an interesting insider look into some ransomware attack operations where the attackers look for the weakest points of defense. It also confirms that most of the techniques from these groups are known and give lots of detection opportunities. This should again remind us as defenders where to focus on.
The second leak¹² was not as useful: these are 27GBs of mainly tutorial video files from several sources (free or paying ones), teaching about penetration testing (e.g. Metasploit, Cobalt Strike, network) and reverse engineering. Some sources are in English while others are in Russian but none seem specific to Conti. Indeed, the content of this leak confirms that Conti recruiters are also looking for beginners who will then be trained by following these tutorials, as indicated on a cybercriminal forum:
Translated from Russian, the post reads: “Recruitment of pentesters continues. […] Whether you’re a professional or a beginner, it doesn’t matter. We have an individual approach to everyone. We will teach and help, we need guys who want to progress in a long-term cooperation!”.
Conti leaks are a great source of knowledge to find out more about how ransomware cartels operate overall. It gives good insights into how they handle their operations, how they are organized and the techniques being used in these operations. This will likely raise the interest of other threat actors who might enter the ransomware scene by embracing a modus operandi that, up until now at least, has worked very well.
In the second part of this blog series we will cover some techniques used by Conti in the first leak and the detection opportunities for each one. Read: An insider insights into Conti operations – Part two !