After the leak of chat logs at Conti: exceptionally deep insights into the ransomware group
by Tina Siering
Who is Conti?
Since its first appearance in 2020, the Conti gang has made a notorious name for itself. Alongside the "friendly" group REvil, the Russian hacker collective has become synonymous with ransomware extortion like no other cybercrime syndicate, and is also known for its ransomware-as-a-service business model, in which the software is rented out to others for criminal use. The Conti gang has been credited with sensational extortions of large companies and organizations - and with millions of dollars in ransoms paid. After 14 leaders of the REvil group were arrested in early 2022, the Conti gang remained at the top as the leading hacker collective. Rumor has it that the Russian government largely tolerates the Conti gang's activities, since the group specializes mainly in Western victims and thus also acts in the interests of Putin and Co.
"Glory to Ukraine" - The Conti Leak Begins with a Statement on Twitter
The Conti gang had taken a clear position with the start of the Russian-Ukrainian war. A blog post by the hackers stated, "If anyone decides to organize a cyberattack or any war activities against Russia, we will use all our possible resources to attack an enemy's critical infrastructures."
This open support for a war of aggression was the catalyst for one of the biggest leaks in the history of cybercrime - some journalists compare the leak to the so-called "Panama Papers."
After the statement, an anonymous source began publishing internals. Via Twitter, the user @ContiLeaks has since regularly provided links to data packages that offer deep insights into Conti's structure and daily life. It is still unclear who is behind the account. While it was initially assumed to be an insider from the group itself, journalist Brian Krebs suspects a Ukrainian security researcher is behind the leaks. After all, intelligence agencies, security researchers and law enforcement agencies have had their sights set on the Conti gang for some time - and have successfully infiltrated the criminal organization. Whoever is behind the leaks, he or she is extremely industrious: in total, tens of thousands of messages were disseminated via Twitter, revealing the cybercriminals' modus operandi down to the smallest detail.
Conti is organized like a medium-sized company
Currently, well over 60,000 internal chat logs and around 400 JSON files have been published, providing an extremely interesting insight into the mafia-like structures of the Conti gang. According to the leaks, the organization of the group can be compared to a medium-sized company. Different departments with their own budgets, an active HR department that regularly conducts job interviews, administrators who set up the attack infrastructure, managers and "CEOs" - structures from classic business also seem to function in cybercrime circles. At its core, the entire "Conti workforce" is made up of 62 people responsible for attacks and negotiations with victims, as well as 23 people in development. The team is supplemented by six experts in reverse engineering and four other professionals in the field of open source intelligence.
Dissatisfaction at the lower levels of the hierarchy
The chat transcripts show that not all members of the tightly organized Conti gang are satisfied with the processes. In one of the leaked chats, "Mango," the Conti manager responsible for recruiting new members, tells of advertisements in Russian hacker forums that were used to recruit new employees: "The ad says a salary of $2,000. But there are many comments that we recruit galley slaves." The Conti manager continues, "Of course we deny that. And say that those who work and deliver results deserve more. But there are also examples of programmers who work normally and earn 5 to 10 thousand dollars."
Criticism of working conditions also comes from internal Conti chat rooms. While top management treats itself to princely "salaries," the employees on the lower levels of the hierarchy sometimes have to work for days on end without a break or sleep - their requests for at least a little free time are skillfully ignored by management. And all this for a salary of only $1,000 to $2,000 per month - for exhausting, constantly repetitive "work."
The actual "work" of the Conti gang is also revealed by the leaks. For example, Conti employee Bentley, who is responsible for the camouflage mechanisms of the malware, writes: "Our work is not difficult, but monotonous. We do the same thing every day. It's essentially launching files and checking them against the algorithm." This work has to be repeated every 4 hours - and before 8 to 9 p.m. Moscow time. If employees adhere to the strict guidelines, Bentley says, "career advancement is possible."
To pay its employees, the Conti gang uses bitcoin wallets. The way the addresses are handled varies widely: while some employees use one Bitcoin address regularly and permanently for incoming payments, others change their wallets systematically. From this it can be concluded that the skill level within the Conti gang is generally heterogeneous. In addition to accomplished professionals, Conti apparently also has recruits who first have to be taught the basics of using SOCKS proxy servers or VPN servers.
Staying with the subject of payment: the leaks show heated discussions that have erupted in internal forums. Payments to gang members are sometimes delayed, sometimes not made at all.
The source code for the Conti ransomware was also leaked
The leak includes a password-protected archive containing the source code for the Conti ransomware. The Conti gang's "tool" consists of an encryptor, a decryptor and a builder - and the archive has now been cracked by a security researcher. The source code is thus openly available and offers a fully comprehensive insight into how the malware works. Is this now the end of the Conti gang? "Difficult to assess" is the unanimous tenor of security experts worldwide. As a rule, hacker groups can cope with such setbacks quite easily. However, the leak has obviously dealt the Conti gang a significant blow: no new attack has been published on the group's darknet page since February 28.
"Extremely effective - if remarkably inefficient"
Journalist Krebs draws a clear conclusion. He says his research into the leak left him with the impression that Conti is an extremely effective - if remarkably inefficient - cybercriminal organization. At Conti, millions of dollars in revenue from ransomware extortion are combined with overworked, poorly paid employees and a high-handed management team that at best has only half a grip on the business.
Conclusion on the insights provided by the Conti leaks
The Conti leaks provide unique insights into the organization of a successfully operating criminal enterprise. Detailed insights into the gang's operations, access to the source code of the malware, and certainly a whole lot of addresses of interest to law enforcement agencies: the leak dealt a serious blow to the hacker collective. It is nevertheless unlikely that the leak will mean the end of the Conti gang.
So how do organizations protect themselves from ransomware attacks? In addition to preventive measures such as disabling the Remote Desktop Protocol (RDP), which allows remote access to a computer, organizations should generally have an incident response plan as well as a disaster recovery plan. These ensure the right response and a structured approach in the event of an emergency.
However, the best strategy is to prevent the worst case from happening in the first place, for example with systems for attack detection such as the Active Cyber Defense (ACD) service from secion. Here, all systems and networks are continuously monitored for unusual activities, such as remote access from unknown IP addresses or remote commands from a command-and-control server. Suspicious cases are reported in real time. If action is required, customers are immediately informed by the response team about the detected attack activities and receive concrete recommendations for action to stop the cyberattack.