Behind Conti: Leaks reveal inner workings of ransomware group
The Ukraine conflict comes to significant attention from the cybersecurity community because of cyberattacks conducted against Ukraine's infrastructure. One threat group that has increased its operations is Conti Ransomware Group.
Conti Ransomware Group is one of the most emergent threat groups these days. After the beginning of the conflict in Ukraine, Conti released a statement informing the group is supporting the Russian government. The statement was published on its website, as observed below.
Figure 1: Conti's statement fully supports the Russian government.
Two days after (Feb. 27, 2022), a new Twitter account was created to publish a large log containing hundreds of thousands of Jabber and Rocket Chat messages related to the internal group communications.
Figure 2: Conti leaks published online.
Several entities have conducted global research, revealing some of the operations, TTP, software and crimes associated with the threat group.
Although it is not the purpose of this article to present a full analysis of the entire process, we will present below some of the artifacts identified during this mega operation against the malicious group.
Conti's internal hierarchy
From a hierarchy graph by the CheckPoint research team, getting a high-level perspective about the teams and their responsibilities is possible. The next graph presents a graphical relation between the users present on Jabber logs and their professional occupation within the Conti hierarchy.
The principal groups observed are:
- Coders: Team responsible for maintaining malware code, back-end servers and admin web pannels.
- Testers/crypters: This team test and develop proof-of-concept codes to bypass detection. The knowledge acquired is then transmitted to the coders to implement bypassing features on the developed malware.
- Ransom operators: A team responsible for controlling all the ransomware operations.
- HR: A team responsible for making new hires, online interviews etc.
Regarding the CheckPoint analysis, it's also important to emphasize the following image where Conti's key members are highlighted.
Figure 3: Key members and their communications based on the leaked messages (source).
This graph reveals that "Stern" is potentially the big boss or leader of the group. The user behind the "Bentley" handle is a technical lead of the group with responsibilities for testing and evasion tasks.
On the other hand, "Mango" is a global team manager, "Buza" is a technical manager, and "Target" is the person responsible for the hacking team.
Finally, "Veron" aka "mors" is seen as the key point behind the entire operations related to Emotet malware.
The reverse side of the coin
After the publication of several private data from the Conti Ransomware Group, as presented in Figure 2, a lot of information was also shared as a continuous work of a group of cyber security individuals.
Figure 4: Details about the Conti infrastructure.
Also, the source code of the ransomware used by Conti was shared. Now, a hacking group known as NB65 uses the knowledge and TTP obtained from the Conti group to create its ransomware against Russian organizations.
Since the last month, the NB65 group has attacked Russian-based organizations, leaking their data online. Some of the impacted organizations are Document Management Operator Tensor, Russian space agency Roscosmos and VGTRK, the state-owned Russian Television and Radio broadcaster.
Figure 5: Tweet about the recent operations of NB65 against Russian-based organizations.
The ransomware takes advantage of the Conti group intelligence and TTP, encrypting all the files and appending the extension. NB65 to the damaged files.
Figure 6: Encrypted files by NB65 ransomware.
After the termination of its operation, the ransomware drops the ransom note with a specific target message blaming the cyberattack on President Vladimir Putin for invading Ukraine.
Figure 7: Ransomware note of NB65 ransomware.
Cyberattacks against Ukraine
The Conti leaks have high importance due to this Russia — Ukraine conflict. These leaks show how these giant ransomware gangs are operating and are often supported by governments or nation-state entities.
The data leak about the group revealed a lot of the details speculated for a long time by the community. As a result, it also fueled a new wave of attacks, with new pieces of malware emerging and adapted from the codes used by the group.
Sources:
- Leaks of Conti Ransomware Group, CheckPoint Research Team
- Conti Leaks, Trellix
- Hackers using Conti ransomware, BleepingComputer
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Behind Conti: Leaks reveal inner workings of ransomware group
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis