Number of Victims Posted to Data Leak Site Increasing; Innovation Key, Experts Say
Despite the recent leak of internal communications and code from the Conti ransomware group, the criminal enterprise appears to have continued operations without breaking stride, in part thanks to constant innovation, security researchers report.
On Feb. 27, a Ukrainian security researcher using the Twitter handle @ContiLeaks began leaking Jabber chat logs and source code generated by the Conti ransomware operation’s roughly 100-strong team.
The leaks have provided security researchers with new insights into how the Russian-speaking group functions, revealed the identity of previously unknown victims who quietly paid a ransom – perhaps to avoid public exposure – and may serve as the basis for future criminal indictments.
But Atlanta-based cybersecurity firm Secureworks says in a new report that Conti has continued to hit targets, posting to its data leak site the second-largest-ever monthly tally of victims in March.
“The Conti leak site listed an average of 43 victims per month in 2021,” hitting a peak of 95 last November before easing off for the winter holidays, Secureworks says in a blog post. The group’s activities appear to have resumed in earnest in February, and it has continued to post new victims despite the leak of its business information in late February.
“Despite these public disclosures, the number of Conti victims posted in March surged to the second-highest monthly total since January 2021,” Secureworks says. In other words, the crime group in recent months “appears to have continued and even increased the tempo of its operations without disruption.”
In fact, that’s precisely what Conti has been claiming. For example, a post by Conti group operation member “Jordan Conti” to the RAMP cybercrime forum on March 30 says the group’s business is gangbusters and boasts that the group has twice as many victims as it lists on its data leak site and a 50% ransom payment success rate. The post also says that, on average, Conti receives $700,000 per ransom payment. None of those claims could be verified (see: Secrets and Lies: The Games Ransomware Attackers Play).
Not All Victims Get Listed
Such findings carry caveats. For example, it’s not clear how many victims Conti may have amassed who didn’t get added to the data leak site, perhaps because they had already paid.
Cybersecurity firm Group-IB estimates that on average, only 13% of a ransomware group’s victims ever get listed on a data leak site, if the group uses one. It also estimates that about 30% of ransomware victims will pay a ransom.
As with many other ransomware-wielding groups, Conti practices double extortion, meaning it often steals data from a victim before crypto-locking systems and then demands a ransom not just for a decryption key, but also for a promise from the criminals that they won’t publicly leak or sell the stolen data to others.
Victims who don’t quickly meet Conti’s ransom demand often get named on its dedicated data leak site, in an attempt to name and shame them into deciding to pay. The criminals may leak the stolen data of holdouts, in an attempt to make an example of them to future victims (see: Ransomware Operations Double Down on Data Leak Sites).
For criminals, the best outcome is when a victim pays, and quickly, hopefully without alerting law enforcement officials, since this makes each attack more difficult to track.
Not Just Ransomware, But Other Malware Too
Secureworks refers to the group that runs Conti’s data leak site as Gold Ulrick, while researchers at other firms have their own codenames – CrowdStrike calls it Grim Spider, while FireEye labels it UNC1878.
Researchers believe Conti is part of a massive criminal enterprise tied not just to the majority of Conti and Ryuk ransomware attacks, but also to the distribution of malware such as TrickBot, BazarLoader and Buer Loader, which is used in part as an initial infection vector before crypto-locking malware gets installed (see: Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware).
The February leak of Conti information wasn’t the first time the group’s secrets were spilled. Notably, the operation previously appeared to shrug off another leak last August, involving one of its training playbooks.
Based on a translation and analysis published by Cisco Talos, the leaker appeared to have been a low-level employee or contractor based in Ukraine who was being paid a salary of approximately $1,500 to work as a “pentester,” referring to someone who gains initial access to a victim’s network.
Many ransomware groups offer their malware as a service to business contractors, or affiliates. For every victim who pays a ransom, affiliates get a pre-agreed cut – often 70% or more.
The playbook leak, however, revealed that Conti has pursued a different tack, which was to use – at least in part – a lower-skilled and relatively low-paid workforce to help it gain initial access to systems, before handing off these “accesses” to more skilled team members. This approach allows the Conti operation to keep more – if not all – of the ransom proceeds for itself.
‘Almost Like a Normal Business’
The more recent leaks of Conti details have shed new light on its operations, reports cybersecurity firm Trellix, based in Milpitas, California.
“The leaks are of an unprecedented level and show the world how a government-backed, multimillion-dollar ransomware gang operates,” according to a recent report from Trellix’s John Fokker and Jambul Tologonov.
“In some fashion it was almost like a normal business: wages needed to be paid, software licenses obtained, customer service initiated and strategic alliances had to be formed,” Fokker and Tologonov write in the report. “However, make no mistake, this business is dealing in top-level cybercrime, with a strategic alliance to an intelligence apparatus responsible for several nation-state attacks.”
Exactly what ties to the Russian government might Conti have? Based on a review of the leaks, Trellix found multiple references in chats to an individual called “Stern,” who apparently runs Conti’s 100-strong operation, and who appears to either work for or have close ties to Russia’s principal security agency, the Federal Security Service or FSB. A Conti coder named “Angelo,” in one chat with fellow employee “Elroy,” refers to Stern working “in the service of Pu,” apparently in reference to Russian President Vladimir Putin.
Angelo referred to Stern being “almighty as God,” leading Elroy to respond: “If he was not almighty, we all would have ended up as REvil.” That rival operation – aka Sodinokibi – was disrupted last year by Western intelligence agencies. Some low-level members were arrested in Russia in January, perhaps so Moscow could claim it was cracking down on ransomware.
Conti’s Constant Innovation
Whatever their reported ties to the Russian government, successful ransomware operations constantly innovate, and Conti has been no exception.
For example, New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, says in a new report that Conti put a number of new features in place after the middle of last year. That’s when competitors such as DarkSide hit Colonial Pipeline, and REvil hit targets such as managed software service provider Kaseya. Ultimately, both of those groups and others disappeared, at least in name. Some operators have attempted to reboot, typically under a new name, but with mixed results.
But Conti continued. In July 2021, AdvIntel reports, to help better monetize attacks, Conti launched a new division designed solely “to process, investigate and weaponize stolen files, in order to apply maximum pressure against their targets.” In addition, the group developed “new and more sophisticated methods” to exfiltrate data, as well as new tools to simplify and better hide data exfiltration.
Later that year, AdvIntel says, Conti further refined its approach by launching a dedicated sub-group called Karakurt, which was focused not on crypto-locking files, but rather on monetizing data extortion. It says the group was supported by Conti and appeared to be given a ready-to-extort list of victims whose systems had been infected with the BazarLoader dropper, which would install BazarBackdoor malware for remote access, allowing Karakurt to exfiltrate data.
“Unlike other notable ransomware groups, Karakurt had an approach of moving quickly through its hit list of targets, steering clear of major business interruptions in favor of soliciting paltry ransoms from small businesses before quickly shifting focus to their next victim,” AdvIntel reports. “These quick movements suggested that Karakurt came already supplied with network access and intelligence information, even prior to the compromises they were being credited for.”
As the launch of the Karakurt group inside Conti shows, the operation’s leadership continues to find, test and pursue innovative new ways to turn an illicit profit, and not always via ransomware infections.