A Ukrainian security specialist turned the tables on the notorious Russia-based ransomware group, Conti, and leaked the group’s source code, chat logs, and other sensitive information about the group’s operations, tools, and costs. Global researchers have been poring through the silo of intelligence revealing the criminal organization’s inner workings. The ransomware group has the business model down to a science and has extorted $180 Million last year which made the group the most lucrative ransomware operation of 2021 according to a Crypto Crime Report.
The group’s primary Bitcoin address contained more than $2 billion in digital currency. However, like most businesses, it had significant expenses from paying employee salaries in BTC and maintaining its infrastructure according to a data security business. Additionally, the ransomware group rents virtual private servers (VPS) and favors services that accept Bitcoin. When conducting their operations and purchasing various security products, the group maintains VPN subscriptions to maintain a layer of anonymity.
According to an analysis by a forensics company, other leaked documents provided information on the ransomware group’s hiring and firing. Additionally, the security company provided a detailed Conti org chart showing Stern, “the big boss”, at the top with henchman handling human resources, recruitment, blogging, negotiating, training, and blockchain wrangling. Conti ransomware group is known for focusing on high-value targets that will likely pay big money to have their encrypted data restored or prevent exfiltrated information from being publicly leaked.
When the Conti ransomware group compromises Active Directory, they’re searching for potentially interesting people, including admins, engineers, or IT technicians. Companies think that having backups systems is sufficient; however, the Conti group searches for backup servers encrypting the backups and training manuals revealing the techniques they use to bypass backup storage vendors ensuring the backups are encrypted. According to a section titled “HOW AND WHAT INFO TO DOWNLOAD”, one instruction states that after raising the privileges to domain admin and invoking share finder, Conti is interested in the financial documents, accounting, clients, and projects. According to an analysis of the Conti leaks, the information, which includes 12 git repositories of the internal Conti software, can help companies protect themselves. After inspecting the repositories, the code appears to be open-source software, written in PHP and managed by Composer, except for one repository tool which is written in GO.
Even though the ransomware threat operators might have dismantled their infrastructure after their internal files were stolen and leaked, Conti is still active, according to the United State government. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Secret Service issued a joint advisory on Conti stating that the cyber threat actors targeted more than 1,000 United States and international companies. The federal agencies are urging companies to review their dossier on the ransomware group, including the technical information on how the operators gain access to networks and the indicators of compromise. Additionally, it’s important for companies to remain alert on the current threat landscape and always keep their network security infrastructure updated regularly.
At SpearTip, our certified engineers are working continuously monitoring companies’ data networks at our 24/7/365 Security Operations Centers for potential ransomware threats like Conti. Our ShadowSpear Platform, our endpoint detection and response tool, optimizes visibility, enhances the organization’s cyber posture, and integrates with cloud, network, and endpoint devices providing an extra layer of network security.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.