Examining the Conti Group, Leaks & Evolving Ransomware

Sixty thousand leaked chat messages and files later, the online community has gotten a real glimpse into the inner workings of the Conti ransomware group. While founded only two years ago, the group has established success as an online extortion group with reported earnings of at least $25.5 million since July 2021 according to Prodaft’s Ransomware Group In-Depth Analysis Report from November of last year.

In February 2022, Conti publicly voiced their support for Russia’s invasion of and war on Ukraine; an action that would result in many consequences for the group. Within a few days of declaring their allegiance, the groups’ internal server was hacked, and tens of thousands of Conti’s private chat logs and source code were posted by new Twitter user, @ContiLeaks. The individual behind the leaks has remained anonymous but is thought to be someone formerly part of the Conti group or with special access to Conti’s inner infrastructure. The leaked logs and files have offered revealing glimpse into how Conti is organized as an organization and how they target their victims, their daily operations and potential ties to the Kremlin, development plans for their own social network and cryptocurrency platform, as well as their future ambitions to expand further than corporate extortion.

Like many cyber threat gangs, Conti takes a ransomware-as-a-service (RaaS) approach to their business. This includes processes such as:

• Hiring operators, brokers, and negotiators to manage and execute various steps of their attack campaigns
• Developing in-house malware and selling them to affiliates to receive a share of the payout after successful ransoms
• Using double-extortion techniques – data encryption followed by data exfiltration as well as publicly shaming their victims and leaking stolen data online if ransoms are not paid

Based on the leaked chat logs, we understand that the Conti group is structured much like any organization, operating with standard hiring processes for contractors and salaried employees, incentive programs, multi-tiered teams, and a clear reporting structure. In terms of their service, the group has mostly focused their efforts on ‘big game hunting’ – cyberattacks targeting high-value victims such as corporate organizations, critical infrastructures, and government organizations in hopes of striking a large ransom payment.

Conti group employs many common attack methods to exploit their victims’ environments including:

• Phishing Emails & Social Engineering – They have been known to spy on their victims first, collecting valuable intel to form phishing attacks and customized social engineering attacks. The attack begins once a malicious attachment is opened and installed.
• Remote Desktop Protocol (RDP) – Through an unprotected RDP port, Conti remotes into their victim’s network and begins spreading laterally, working their way deeper into the environment. They often ‘live off the land’, adding tools as needed such as Sysinternals and Mimikatz.
• Software & Hardware Vulnerability – Conti also exploits unpatched systems or known vulnerabilities to gain access. Then, they encrypt and exfiltrate data on an infected machine.

In the wake of leaked ransomware tools, tradecraft, and source code from the Conti group, Blackpoint’s Threat Research APG (Adversary Pursuit Group) is already seeing new tactics, techniques, and procedures (TTPs) being used since the leaks appeared online in February. These include:

Multiple RMM Tool Trials

• Avast Premium Remote Control
  • Binary Name: PremiumRemoteAgentService.exe
• ConnectWise Control (formerly known as ScreenConnect)
  • Binary Name: ScreenConnect.ClientService.exe

Admin Tools that scan networks and deploy ransomware 

• Total Software Deployment
  • Binary Name: tsd.exe
• Total Software Inventory
  • Binary Name: tni.exe

Staging files out of the Music Directory (C:\Users\(USERNAME)\Music\) 

To harden your infrastructure, Blackpoint Cyber recommends the following cyber hygiene best practices:

• Practice strict email hygiene and be wary of phishing attempts. Look out for emails that ask for sensitive information, contain links that do not match their domains, use an urgent tone of voice, and/or include unsolicited documents/attachments.
• Stay vigilant against instances of external access with no MFA (multi-factor authentication), or external access with vulnerabilities.
• Monitor for the presence of rogue admin tools operating outside of normal business hours, particularly in the middle of the night, or very early in the morning.
• Keep your software up to date and prioritize patching. Ensure that patching and upgrade activities are completed particularly for firewall and VPN appliances.

While Blackpoint Cyber’s 24/7 Security Operations Center (SOC) has seen no noticeable increase or sophistication in the volume of attacks while monitoring our customer base, the leaks serve as a reminder of how quickly the cyber threat landscape and its players can change. Even after the actions of @ContiLeaks, the ransomware group has since shifted their internal communications to another platform and continued to attack organizations with listings indicating data for sale and new threats posted on their website, Conti News.

The February leaks have provided some insight into ransomware organizations and raised awareness about the need to practice vigilance when it comes to building a long-term security strategy. When an attack occurs, detection and response times often determine whether the malicious actors succeed. To combat ransomware and catch cyber threat actors in the lateral movement phase, investing in a 24/7 detection and response service means that you can detain threats in their earliest stages and protect your environment from critical damage.

• Alert (AA21-265A): A joint advisory from CISA, FBI, and NSA on Conti ransomware with technical details, adversary behavior mapped to MITRE ATT&CK and recommended mitigations.
• Destructive Malware Targeting Organizations in Ukraine: A joint advisory from CISA and FBI on recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices. 

Eliminate cyberthreats before they take root in your network. Blackpoint Cyber’s true Managed Detection & Response (MDR) service delivers real-time threat alerts and immediate response. Our experienced SOC analysts respond 24/7 to critical alerts by isolating infected devices and terminating malicious software, immediately helping to eradicate a malicious actor’s foothold in your network.

Further, our patented SNAP-Defense Security Operations & Incident Response platform allows us to detect lateral movement in its earliest stages and then neutralize threats before they have a chance to spread. Trust our decades of extensive knowledge in real-world defensive and offensive tactics and contact us to safeguard your and your clients’ businesses today.