
The Conti Files | Part 2

As discussed in my previous post, the Conti Files Part I, a big leak at the start of the war in Ukraine struck a serious blow to the Conti organization. Although there is still speculation about the reason behind the leak, most experts think it is related to Conti’s threat to attack Western targets in response to any cyber attacks on the Russian government or on the country’s critical infrastructure. This threat was not appreciated by some of their “ransomware-as-a-service” (RaaS) clients, who were spread all over Eastern Europe, and especially not by the ones in Ukraine; the files appear to have been leaked by a Ukrainian security researcher.

After the main leaks, the last conversations that were leaked showed that the decision had been taken to go off the grid for some time. Key members of the group made efforts to ensure that all relevant files were deleted, that all links shared within the conversations were dead, and that all servers used for the organization’s infrastructure were brought down.

However, this is not the last we have seen of Conti. My expectation is that Conti will turn its efforts in the coming weeks to rebuilding its infrastructure and relocating all its communication channels and sources very carefully, so that the Ukrainian researcher does not infiltrate the new infrastructure as well. When organizations like Conti are faltering but still standing, extra precautions should be taken: a wounded lion is more dangerous than a hungry one.

In this second part of the Conti Files, we will take a little history lesson on how Conti was founded and see that the leak in 2022 was not the first one in its history. In addition, I will show you how valuable these leaks can be in the everlasting game of cat and mouse in the world of cybersecurity, in which defenders continuously need to adapt their defenses against attackers who are always one step ahead.

History of Conti

The Conti ransomware group appeared for the first time in October 2019. A website was not established until the beginning of 2020. Its address: http://fylszpcqfel7joif.onion. As with many of these providers, the site was hosted on TOR (The Onion Router), the common browser/gateway for reaching the Darkweb.

Since its start, close to 600 companies have been listed on the Conti extortion site. This number only represents the victims whose names/data were published on Conti’s extortion site. In addition, Conti also used another TOR hidden service for hosting stolen victim data.

Example of Conti Extortion Blog

The number of companies affected by the Conti group is much higher than what you could see on their websites. One of the last RaaS affiliation models that Conti released enabled threat actors to operate independently of one another.

Ryuk and Conti collaboration

There is a clear connection between the Ryuk ransomware teams and Conti. Although it seems that these ransomware teams were one and the same, this was never completely proven. The first samples of the Ryuk ransomware software were published in 2017 under the name “Hermes” by the hacker “Cryptotech” on https://exploit.in/, a very infamous underground cybercrime forum on the Darkweb.

Hermes 2.1 Ransomware share notification August 2017

Hermes was further developed until its last version (2.1), released in August 2018. Cryptotech then replaced the name Hermes with “Ryuk” and started to advertise the ransomware for $300.

There are a lot of similarities between the Conti ransomware and the Ryuk ransomware: both tools share many of the same libraries, their way of spreading is similar, and certain fragments of code are an exact 1-1 match. Both Conti and Ryuk also rely on the same ransomware payload distributors: Trickbot, Emotet, and BazarLoader. Payload distributors are software packages that actually deliver the malicious ransomware files to the victims’ networks. Another piece of proof that Conti ransomware and Ryuk ransomware were distributed by the same party is the fact that bitcoin ransom transactions of Conti ransomware victims included a wallet address that was previously used by the Ryuk ransomware group, a further confirmation of the connection between Ryuk and Conti.

A history of leaks and what we can learn from these leaks

In its final period of full operation, the Conti group worked with a Ransomware as a Service (RaaS) affiliate model. The group was also actively recruiting new members and affiliates to the team. The leak in February 2022 was not the first one: on August 5th, 2021, the Conti team suffered a serious data leak. Data leaks are not uncommon in the cybercrime industry. Internal conflicts are common, and internal fights can end in the disclosure of sensitive information and even free source code, hurting the organization’s business model because the secret code for its ransomware is then freely available to potential competitors.

Internal arguments (mostly money-related) and the exposure of intellectual property by disgruntled employees/members are no different from the real world, but because cybercrime organizations operate off the grid, any serious leak is quickly identified and becomes big news, especially when it is related to a big cybercrime organization.

In this case, an affiliate shared information about the leader of the group and his assistant because the group had treated the affiliate unfairly in regard to money. He was only paid $1,500 for his part in an attack, while the rest of the team was making millions and promising big payouts after a victim pays a ransom. These promises were not kept, which left the affiliate unhappy.

Forum post of a disgruntled Conti affiliate

In this post, the affiliate also referred to the IP addresses of Cobalt Strike servers, attaching images of Cobalt Strike beacon configurations that contain the IP addresses of the command and control servers used by the ransomware gang.

In a tweet, security researcher Pancak3 advised everyone to block those IP addresses to prevent attacks from the group:

go block these:
162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1

— pancak3 (@pancak3lullz) August 5, 2021

After the initial post, the affiliate followed up with a second post sharing an archive containing 111 MB of files, including hacking tools, manuals written in Russian, training material, and help documents that are allegedly provided to affiliates when performing Conti ransomware attacks.

Leaked Conti training materials

These kinds of leaks are huge for defenders because the leaked data contains a high volume of tactical information about Conti and valuable intelligence about the operations of the responsible hackers, such as the images of the Cobalt Strike server configurations that the Conti group actively used.

This list of topics was included inside the leaked training materials:

  • How to build a Cobalt Strike executable
  • An introduction to avoiding security products using compiler-based obfuscation techniques.
  • A tutorial on using rclone to pull victim data to secure cloud storage accounts on MEGA.
  • How to establish a remote connection to the victim’s network and gain persistence using AnyDesk and Atera.
  • How to connect to hacked networks with RDP using Ngrok secure tunnel.
  • A guide to performing SMB (Server Message Block) brute-force attacks.
  • A tutorial on the O/S (Operating System) and anonymizing internet traffic via the TOR network.
  • A how-to on privilege escalation and gaining administrative rights inside a target network.

A lot of these technologies are readily available software products with legitimate commercial use cases, which cyber criminals abuse to attack their victims.

  • Cobalt Strike is a commercial, full-featured remote access tool frequently used in cybersecurity event simulations (red team exercises).
  • Rclone is a command-line program that helps users manage data in cloud storage.
  • AnyDesk and Atera are commercial remote desktop applications that provide platform-independent remote access to personal computers and other devices.
  • Ngrok exposes local services through tunnels and generates an interface where users can introspect all HTTP traffic running over specified tunnels in real time.
  • Tor is open-source software, with the Tor Browser built on top of it, designed for secure, anonymous communication.

When the data was leaked in August 2021, as a defender you could immediately block the IP addresses of the Cobalt Strike servers, preventing Conti affiliates from gaining access to your IT environment. In addition, the hacking tools and training manuals that were used gave defenders insight into (1) the progress that cybercriminals are making with ransomware software and (2) how the software is operated.
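Besides blocking the four servers at the perimeter, a defender would also sweep existing firewall or proxy logs for any internal host that already contacted them. The following Python is an added example, not code from the original post or from the tweet: the key=value log format and the sample lines are constructed, and the matcher also accepts CIDR ranges, which goes beyond the plain IP list quoted above.

```python
import ipaddress
import re

# Indicators quoted in the August 2021 tweet above (the four Cobalt Strike
# C2 server IPs). In practice a defender loads these from a threat feed.
CONTI_COBALT_STRIKE_IPS = [
    "162.244.80.235",
    "85.93.88.165",
    "185.141.63.120",
    "82.118.21.1",
]

# Constructed firewall log lines (not real logs) in a generic key=value
# format; 203.0.113.5 is a documentation address used as benign traffic.
SAMPLE_FIREWALL_LOG = """\
2021-08-05T10:12:01Z action=allow src=10.0.4.17 dst=185.141.63.120 dport=443 proto=tcp
2021-08-05T10:12:03Z action=allow src=10.0.4.17 dst=203.0.113.5 dport=443 proto=tcp
2021-08-05T10:13:44Z action=allow src=10.0.9.3 dst=82.118.21.1 dport=80 proto=tcp
this line is garbage and should be skipped
2021-08-05T10:15:09Z action=deny src=10.0.9.3 dst=162.244.80.235 dport=8080 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def build_blocklist(indicators):
    """Turn single IPs and CIDR strings into ip_network objects (a /32 for a bare IP)."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def parse_line(line):
    """Return (timestamp, src, dst_ip, action) or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    if "src" not in fields or "dst" not in fields:
        return None
    try:
        dst = ipaddress.ip_address(fields["dst"])
    except ValueError:  # malformed destination address: skip, do not crash the sweep
        return None
    return m.group("ts"), fields["src"], dst, fields.get("action")


def find_c2_contacts(log_text, indicators=CONTI_COBALT_STRIKE_IPS):
    """Return every log entry whose destination matches a listed C2 indicator.
    Denied connections are reported too: the internal host that tried is still
    a lead for incident response."""
    blocklist = build_blocklist(indicators)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, action = parsed
        if any(dst in net for net in blocklist):
            hits.append({"ts": ts, "src": src, "dst": str(dst), "action": action})
    return hits
```

Running `find_c2_contacts(SAMPLE_FIREWALL_LOG)` on the constructed log returns three hits from two internal hosts, including the denied attempt, which is the list of machines to triage first.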

Final Thoughts

An important part of defending is knowing your enemy. Data leaks can help you with that, because you can learn about the latest tools and tactics that cybercriminals use to extract cash and data through ransomware attacks.

My advice: keep an eye on the cybersecurity news, and when a leak happens and researchers are analyzing it, follow it closely. Doing this will keep you vigilant and aware of developments that you can anticipate in your defense.

Feel free to contact me if you have any questions or any additional advice/tips about this subject. If you want to stay in the loop when I upload a new post, don’t forget to subscribe to receive a notification by email.

And as always: don’t forget it’s a warzone out there in the world of Cyber. Take care of yourself and the people surrounding you, and keep your defense up all the time by staying up-to-date and actively following the cybersecurity news. And if there is anything I can do to help, just let me know.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.
