
Analysis of the leaked internal Conti chat


What’s there to see? A rogue insider ran.some.where – to Twitter

Insights gained from the leaked Conti chats

On February 27th 2022, someone with a link to the notorious ‘Conti’ cyber extortion gang leaked a trove of internal Conti chats from the group’s own servers, after the ransomware group had announced that it would side strongly with Russia in its war with Ukraine by publishing the warning shown below. At the time of writing it is not clear who the leaker is, but it is clear that the leak was a direct reaction to Conti siding with Russia in the war against Ukraine.

The saga began on February 25th, when Conti published the harsh statement below on their leak site:

Screenshot 1: Conti declares to support the Russian government

However, they quickly softened their position by replacing that message with the gentler one below:

Screenshot 2: Conti’s correction of its first announcement, positioning itself in the Russian-Ukrainian war

The wording of the second “warning” is very different. They have removed “Russian government” entirely, now claiming to take action in the case of “cyber warfare against the citizens of Russian Federation” or attempts to target critical infrastructure in Russia or Russian-speaking regions. They continue their correction by stating: “We do not ally with any government[…]”, thus contradicting what they had just publicly stated an hour before.

But what was done, was done, and the internet does not forget. So, on February 27th, a Twitter account was created, which started to leak internal chat logs from the Conti Ransomware group.

Screenshot 3: Twitter account with the description “fuck ru gov”.

The Conti leaks explored

The Twitter account ‘conti leaks’ takes a clear position, opposing the Russian government, as can be seen in screenshot 3 above. The account has not disappointed. At the time of writing, ‘conti leaks’ has published over 168,000 internal chat conversations within the Conti ‘team’ and with the TrickBot and Emotet malware gangs.

Screenshot 4: Our analysis: Conti’s internal chat messages by count from June 2020 to February 2022

Amongst the myriad of themes discussed in these chats were invaluable titbits such as:

  • The confirmation that the TrickBot botnet is shutting down
  • Various bitcoin addresses used for illicit transactions
  • Potential victims that have not been exposed on Conti’s Cyber Extortion leaks site
  • Advice by ‘supervisors’ on ongoing negotiations
  • Insight into how they approach victim selection (indicating a preference for victims with cyber insurance)

In addition, Conti’s source code, information about their modus operandi, organizational structure and tools used, and their long-speculated connection to the Ryuk ransomware strain are all revealed in the leaks. Indeed, the leaked content is so massive that it will take some time for us and other researchers to analyze all the data properly.

We anticipated, like many others, that this leak must have had a huge impact on Conti, so it has come as a surprise that at the time of writing (4th of March 2022) Conti has continued to announce new victims on their leak site, even as the ‘crisis’ unfolds. We expect to see a re-brand soon, refreshing their infrastructure and adopting a new name, as other ransomware groups have done before them.

We have been monitoring Conti activity since they became active in July 2020 (although other reports[1] suggest that they started two months prior to that). Since then we have registered a total of 654 businesses that have been visibly extorted by Conti via their leak site.

In fact, in our two years of cyber extortion activity data (January 2020 to February 2022), Conti is responsible for 17% of all extortion victims in our database (n=4,121), making them the most active group we have encountered.

From the data we have gathered over the past 1.5 years, we know that Conti has earned a lot of money from their criminal activities.

We have often been asked questions about how much money these threat actors are earning, and the truth is that no one knows. Cryptocurrencies are hard to trace, so it is hard to correlate cryptocurrency transactions with specific groups or activities. This is especially true since such groups make use of so-called ‘tumbler’ and ‘mixer’ services. These services help mix potentially identifiable funds with others to obscure the trail funds could potentially leave[2].

Now that we have started analyzing the leaked chat content, several hundred Bitcoin addresses have been identified, and their analysis has revealed a total of USD$ 2,707,466,220.29[3] in apparently illicit earnings (between April 2017 and February 2022; this number will vary with the Bitcoin trading price). Even for those of us who have been monitoring this crime closely, it is a number that comes as a complete shock, and since new information is coming to light daily, it may not even be the full amount.

Another very valuable insight that we can gain from the leaked chats is information on Conti’s internal structure. There is a lot of communication between different group members, but a few key players quickly stand out.

One very central player is called ‘mango’, for example, and is surrounded by others who maintain many direct or indirect conversations: gang members with names like ‘stern’, ‘hof’, ‘defender’, ‘demon’, ‘bentley’ and more.

The chats from 2021 alone reveal 334 unique identities who have shared more than 33,000 messages.

Figure 1 shows users sending and receiving messages: each circle represents a user, and the size of the circle is a function of that user’s inbound and outbound message count. Budget and salary discussions, task management and mundane chatter all take place. The number of employees seems to have varied a lot over time[4] and is therefore hard to estimate.

Figure 1: Communication between the different team members of Conti
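As an added illustration (not code from the original article or from Orange Cyberdefense), the Python below reproduces two of the analysis steps described above on a constructed chat sample: counting inbound and outbound messages per handle, the quantity Figure 1 sizes its circles by, and extracting Bitcoin address candidates from message bodies while discarding tokens whose Base58Check checksum does not verify. The message format, the handles and both addresses are constructed assumptions; only legacy Base58 (1…/3…) addresses are checked, not bech32.

```python
import hashlib
import re
from collections import Counter

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy-address shaped tokens

def checksum(payload):  # Base58Check: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out  # leading zero bytes -> '1'

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # CANDIDATE already restricts the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(s) - len(s.lstrip("1"))) + body

def is_valid_address(addr):
    # 25-byte payload: version (0x00 P2PKH / 0x05 P2SH) + hash160 + 4-byte checksum
    raw = b58decode(addr)
    return len(raw) == 25 and raw[0] in (0, 5) and checksum(raw[:21]) == raw[21:]

# Constructed sample chat (not from the leak): handles echo the article, content is invented.
_payload = b"\x00" + hashlib.sha256(b"constructed sample").digest()[:20]
GOOD = b58encode(_payload + checksum(_payload))  # constructed, checksum-valid P2PKH address
BAD = GOOD[:-1] + ("2" if GOOD[-1] != "2" else "3")  # one character altered: checksum breaks
CHAT = [
    {"from": "mango", "to": "stern", "body": f"wallet for this one: {GOOD}"},
    {"from": "stern", "to": "mango", "body": "ok. do they have cyber insurance?"},
    {"from": "mango", "to": "bentley", "body": f"ignore {BAD}, typo"},
    {"from": "hof", "to": "mango", "body": "build is ready"},
]

def analyze(messages):
    """Per-handle inbound+outbound count (Figure 1's circle size) and the valid addresses found."""
    out, inb, addresses = Counter(), Counter(), set()
    for m in messages:
        out[m["from"]] += 1
        inb[m["to"]] += 1
        addresses |= {a for a in CANDIDATE.findall(m["body"]) if is_valid_address(a)}
    size = {u: inb[u] + out[u] for u in set(out) | set(inb)}
    return size, addresses
```

The checksum step matters on real chat data: address-shaped strings (session tokens, hashes, mistyped addresses) are common, and a look-alike that fails Base58Check should not end up in a tracing report.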

Impact of the chat leaks on Conti’s ransomware operation

What is the impact of these chats being leaked on Conti’s and future cyber extortion operations? The leaked chats contain very valuable intelligence for security defenders, and the insights gained will keep the security community busy for some time. We will learn things about Conti’s operation that until now were mostly assumptions and on which we can now draw confident conclusions. We have most likely gained insights that extend beyond Conti as a single operation and can be applied to other cyber extortion operations. However, at the time of writing, Conti still seems operational and has leaked an additional 11 victims between the 27th of February 2022 and now (4th of March). If anything, while Conti seemed to lay low in January 2022, accounting for only 10% of all cyber extortion attacks, in February 2022 Conti reached normal levels again, accounting for 16% of all victims, which equals its share from the past 2 years.

Orange Cyberdefense is currently working through all the material, and more findings of our analysis will be communicated in the near future.


[1] https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware

[2] https://www.eurospider.com/en/know-how/compliance/211-what-is-a-cryptocurrency-mixer

[3] https://twitter.com/vxunderground/status/1498394338027610124

[4] https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
