One of the most notorious ransomware groups is Conti. It is a criminal organization behind advanced ransomware technologies, such as Ryuk and Hermes. This type of ransomware is extremely damaging (and popular with cybercriminals) because of the speed with which it encrypts data and spreads to other systems.
The Conti ransomware prevents users from accessing their data unless the victims pay a ransom. Conti automatically scans networks for valuable targets, spreads through the network, and encrypts every device and account it can find.
Conti is Russia-based and is thought to be led by a Russia-based group that goes under the Wizard Spider pseudonym. Lately, a large number of files has been leaked, giving insight into how Conti operates.
This leaked information is invaluable to defenders. To set up a proper defense, it is very important to understand an attacker's strategies and how they operate.
This post is part of a series of posts relating to ransomware. I will give more insight into how modern ransomware works, how Conti operates (or used to operate; the war has affected its position because of Conti's affiliation with Russia), and how to set up a proper defense against these attacks.
The Ukraine war and how it backfired on Conti
Shortly after the war in Ukraine started, the Conti ransomware group posted a dark web message indicating that it wanted to participate in the Ukraine war as a defensive cyber measure. The group threatened to attack Western targets in response to any cyber attacks on the Russian government or on the country’s critical infrastructure.
However, while Conti may be based in Russia, their “ransomware-as-a-service” (RaaS) clients range all over Eastern Europe. Some of them, especially those located in Ukraine, did not particularly appreciate the group’s sudden registration as a Russia-aligned mercenary brigade. Conti quickly backpedaled on their full-throated original statement, taking a more neutral stance and backing off a bit from the promise of cyber retaliation.
That didn’t make a difference to at least one Ukrainian security researcher, who seemed to have access to the group’s Jabber communication system. The data that the security researcher leaked included over 60,000 of the group’s internal messages. The authenticity of the messages was confirmed by independent researchers, who spotted matches with Conti messages that had circulated previously, following the group’s December 2021 attack on Shutterfly.
The conversations provided an invaluable amount of information on the cybercrime organization, including bitcoin addresses, how the organization is structured as a business, how it evades law enforcement, how it conducts its attacks, and much more.
A password-protected ZIP containing the source code for the Conti ransomware encryptor, decryptor, and constructor, all of which could be downloaded for free, was also leaked.
Experts who have reviewed the files say that they contain explicit information about the group’s crimes, private URLs containing data leaks from their attacks, and hundreds of bitcoin addresses that contain a total of over € 13 million in ransom payments. Information was also found about previously unknown victims of the Conti ransomware.
All of this is now publicly available to law enforcement and security researchers, likely striking a serious blow to the group’s operations.
Ransomware attacks
Ransomware attacks work by encrypting the victim’s business-critical data, rendering it inaccessible. After triggering the attack, cybercriminals will then offer to sell a decryption key to the victim. If the victim doesn’t comply, they simply have to accept the catastrophic loss of their most valuable data.
Some ransomware attacks use a “forked” strategy. When applying this strategy, attackers demand a ransom payment for decrypting data, and threaten to publish sensitive data if the ransom is not paid by a certain deadline. This strategy is also called “Double Extortion”.
Ransomware has been in use for decades (the first one surfaced in 1989 on a floppy disk: PC Cyborg), but it has increased in popularity among cyber criminals in recent years. Multiple reasons contribute to this rise, including the development of cryptocurrency, which enables near-anonymous payments, the widespread digitalization of sensitive data, and the release of sophisticated ransomware-as-a-service (RaaS) criminal business models. Ransomware losses exceeded € 20 billion (!) at the end of 2021.
Conti software is by far the most popular RaaS out there
Ransomware can be split into two basic groups:
- Fully Automated Ransomware (FAR)
- Semi-Automated Ransomware (SAR)
Fully Automated Ransomware (FAR)
Fully Automated Ransomware (FAR) infects the system with the support of phishing emails or malicious web pages that contain the malicious payload. A payload is the component of the attack which causes harm to the victim. Much like the Greek soldiers hiding inside the wooden horse in the tale of the Trojan Horse, a malicious payload can sit harmlessly for some time until triggered.
The malware contains the code to spread throughout the network. It identifies sensitive files, encrypts them, and displays a ransom note for the victim. Threat actors (the entity that is partially or wholly responsible for a security incident or breach that impacts, or has the potential to impact, an organization’s security) who use FAR mostly focus on lightweight distribution channels that are easily automated. They tend to stay away from making direct contact with victims. FAR attacks do not typically succeed against enterprise-level organizations with a wide range of detection and prevention tools. Victims of FAR attacks tend to be more cautious about paying the ransom because the automated system doesn’t instill a great degree of trust. In many cases, victims will ask to be transferred to a human representative, who will negotiate on behalf of the cybercrime organization.
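The behaviour described above (one process touching many files in a short burst, overwriting them with encrypted content, changing extensions, and dropping a note) is exactly what endpoint telemetry can be checked for. The following is an added defender-side example, not code from the original post or from any Conti material: a heuristic that scores per-process file activity from constructed file-event records. The event field names (ts, proc, kind, path, data, new_path), the thresholds, and the note-name fragments are all assumptions chosen for the example; real EDR or Sysmon events carry similar but not identical fields.

```python
import math
from collections import defaultdict

# Tunable thresholds (assumed values for this example, not any vendor's defaults)
WINDOW_SECONDS = 60     # burst window
BURST_FILES = 20        # distinct files touched by one process within the window
HIGH_ENTROPY = 7.0      # bits per byte; encrypted or compressed output sits near 8.0
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")  # assumed note-name fragments


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a written sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    """Lower-cased final extension of a path, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(events):
    """Score each process's file activity for mass-encryption behaviour.

    Each event is a dict: ts (seconds), proc, kind ('write' | 'rename' | 'create'),
    path, plus data (bytes written) for writes and new_path for renames.
    Returns {proc: {metrics..., 'flagged': bool, 'reasons': [...]}}.
    """
    per_proc = defaultdict(list)
    for ev in events:
        per_proc[ev["proc"]].append(ev)

    findings = {}
    for proc, evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])

        # Peak number of distinct files touched inside any WINDOW_SECONDS span
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            peak = max(peak, len({e["path"] for e in evs[start:end + 1]}))

        writes = [e for e in evs if e["kind"] == "write"]
        high = sum(1 for e in writes if shannon_entropy(e.get("data", b"")) >= HIGH_ENTROPY)
        high_ratio = high / len(writes) if writes else 0.0
        ext_changes = sum(1 for e in evs
                          if e["kind"] == "rename" and _ext(e["path"]) != _ext(e["new_path"]))
        notes = [e["path"] for e in evs if e["kind"] == "create"
                 and any(h in e["path"].rsplit("/", 1)[-1].lower() for h in NOTE_HINTS)]

        reasons = []
        if peak >= BURST_FILES:
            reasons.append(f"{peak} distinct files touched within {WINDOW_SECONDS}s")
        if writes and high_ratio >= 0.8:
            reasons.append(f"{high_ratio:.0%} of writes carry near-random data")
        if ext_changes >= BURST_FILES // 2:
            reasons.append(f"{ext_changes} extension changes on rename")
        if notes:
            reasons.append(f"note-like file created: {notes[0]}")

        # A burst alone is normal (backups, builds, indexers); require a second indicator
        flagged = peak >= BURST_FILES and len(reasons) >= 2
        findings[proc] = {"peak_files_in_window": peak, "high_entropy_ratio": high_ratio,
                          "extension_changes": ext_changes, "ransom_notes": notes,
                          "flagged": flagged, "reasons": reasons}
    return findings


def build_sample_events():
    """Constructed telemetry: one encrypting process and one ordinary editor."""
    ciphertext_like = bytes(range(256)) * 2  # entropy 8.0, a stand-in for encrypted output
    plaintext = b"Quarterly report: revenue up, costs flat. " * 10
    events = []
    for i in range(30):
        doc = f"C:/Users/alice/Documents/doc_{i}.docx"
        events.append({"ts": i * 1.0, "proc": "suspicious.exe", "kind": "write",
                       "path": doc, "data": ciphertext_like})
        events.append({"ts": i * 1.0 + 0.5, "proc": "suspicious.exe", "kind": "rename",
                       "path": doc, "new_path": doc + ".locked"})
    events.append({"ts": 30.0, "proc": "suspicious.exe", "kind": "create",
                   "path": "C:/Users/alice/Documents/readme_restore.txt"})
    for i in range(3):
        events.append({"ts": i * 300.0, "proc": "winword.exe", "kind": "write",
                       "path": f"C:/Users/alice/Documents/memo_{i}.docx", "data": plaintext})
    return events


if __name__ == "__main__":
    for proc, f in analyze(build_sample_events()).items():
        print(proc, "FLAGGED" if f["flagged"] else "ok", "; ".join(f["reasons"]))
```

The design point is that no single signal is decisive: a backup job or a compiler also touches many files quickly, and a compressed archive also has high entropy, so the verdict requires a burst plus at least one corroborating indicator. Thresholds should be tuned against a baseline of the organization's own file servers and workstations before the rule is allowed to alert or block.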
Semi-Automated Ransomware (SAR)
Semi-Automated Ransomware (SAR) attacks can be more sophisticated because these kinds of ransomware attacks rely on manual interaction between cybercriminals and their victims. In these cases, attackers might use zero-day exploits. A zero-day exploit targets a software security vulnerability that is unknown to the software vendor or to antivirus vendors and can therefore be exploited in a cyber attack. Cybercriminals may also rely on known vulnerabilities that haven’t yet been patched, even within hours of the patch release. Initial access can also be obtained by buying Remote Desktop Protocol (RDP) or VPN credentials directly from other hackers on underground markets. Upon successful entry, attackers use common penetration testing tools for lateral movement within the victim’s network. They then escalate their privileges, start encrypting, and trigger the ransomware attack. Modern cybercrime organizations use a hierarchical workflow to monetize operations.
The ransomware-as-a-service (RaaS) model has become popular among criminals since each step of an advanced attack kill chain requires different skills. A kill chain is the chain of phases of a cyberattack: from early reconnaissance to the goal of data exfiltration.
Phases of an attack kill chain
Ransomware as a Service
Developers of RaaS software employ multiple affiliates (clients) who are responsible for breaking into the networks of victims, after which they encrypt the victim’s files. These affiliates are selected mostly from forums, among highly skilled hackers with backgrounds in penetration testing. People may also become affiliates if they have an established network for obtaining access to information from other cybercriminals. In both cases, RaaS owners require references from recognized cybercriminals before hiring affiliates. The RaaS business model makes cybercriminal reputation essential to success. Most affiliates send a commission of 10-30% of each ransom payment they receive to the RaaS owners. In certain cases, the operators’ share is deducted automatically from the collected ransom. RaaS owners also often provide virtual machines, exploitation tools, and other technologies to support affiliates’ attacks. Every affiliate has access to a management panel where they can monitor and communicate with victims. An affiliate panel usually includes the following tools:
- A ransomware executable generator
- A separate ransomware decryption application
- A cryptocurrency payment gateway for victims
- A commission rate calculator
- Monitoring tools for victims and statistics
- Secure chat functionality for victim negotiation
These tools are designed with non-technical users in mind. Cybercriminals no longer need a great deal of technical expertise to run successful attack campaigns. Instead, they maximize profit using psychological tactics like extortion and victim shaming. Moreover, affiliates are expected to constantly attack and breach new targets. Whenever an affiliate becomes inactive for a long period of time, RaaS owners remove that affiliate’s account, which has a negative impact on the affiliate’s reputation.
Conti uses a ransomware-as-a-service (RaaS) business model. Conti develops the ransomware technology and then sells or leases this technology to its clients, who then use that technology to carry out attacks. This business model often includes a digital management panel. Conti customers (affiliate threat actors) use this management panel to create new ransomware samples, manage their victims, and collect data on their attacks.
Conti customer management panel
Conti threat actors also use extortion and victim shaming to coerce victims into paying ransoms. Victim shaming is the tactical use of social pressure to push victim organizations into fulfilling ransom demands. They may threaten to release stolen confidential data, or to email business partners and draw attention to the ransomware attack.
Final Thoughts
I hope you enjoyed the first part of the series of posts I devote to ransomware, inspired by the Conti leaks. Of course, I am open to any suggestions and input: happy to integrate this in my next posts.
Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to stay in the loop when I upload a new post, don’t forget to subscribe to receive a notification by email.
And remember: it’s a warzone out there in the world of Cyber. Take care of yourself and the people surrounding you, and if there is anything I can do to help just let me know.

