The Inner Workings of the Conti Ransomware Group

Mar 4, 2022 2:24:16 PM

Earlier this week, a Ukrainian security researcher with insights into the Conti ransomware group leaked almost two years’ worth of internal chat logs. Conti is responsible for a number of high profile ransomware attacks.

As Russia unleashed war on Ukraine, many are asking whether a Russian cyber-attack will follow. Recently GroupSense's Director of Intelligence Operations, Bryce Webster-Jacobsen, was interviewed by Asharq News about the situation and its implications for cyber operations. As the situation has developed and more information has come out, GroupSense analysts have been researching and reporting on the possible cyber implications of the Russia/Ukraine conflict and the recent Conti leaks.

Conti Leaks

“Boots on the ground” is not the only tactic of the Russian government in Ukraine. As cyberwarfare is waged against Ukrainian assets, the ransomware group Conti announced its full support of Putin’s invasion. Unfortunately for Conti, a presumed Ukrainian member of the prolific hacking group responded by leaking almost two years’ worth of internal chat logs, exposing the inner workings of the organization. Much as governments and businesses have moved to punish Russia, this insider sought to punish the group for siding with Putin’s invasion.

Through threat intelligence analysis and direct interactions with Conti, GroupSense has deep intelligence on the ransomware group’s tactics, techniques, and procedures. Before the leaks, GroupSense knew that Conti operated like a business, closely aligning themselves with Russia. The leaks revealed additional details about the structure of the ransomware-as-a-service (RaaS) group. Here’s what you, and your organization, need to know about how Conti operates to better protect your assets. 

False Claims & Business Challenges

Conti's attacks start with phishing campaigns to gain access to the network; the group then spreads across devices and encrypts data before demanding a ransom. After translating the leaked chats, GroupSense analysts found that Conti treats victims differently depending on the size of the organization. When the expected payout is in the millions, employees are told to “be nice” to their victims and put on their best customer service voices. The organization cares far less about victims who cannot pay a large ransom. When the victim is a lawyer, employees are told never to negotiate, because in Conti's experience lawyers always pay the full price.

Over the past several months, Conti has had trouble cashing out its cryptocurrency wallets. In the leaked chats, employees describe the distance to different banks in kilometers rather than naming places, so as not to give away their location. They discuss weekend trips the same way, in kilometers only, to protect the location of their offices.

Business Structure

Much like other as-a-service businesses, Conti has upper and middle management, with entry-level employees doing the leg work. The “doers” rely heavily on “initial access brokers,” who gain access to victim networks over the weekend, ensuring that the rest of the organization has enough work throughout the week. That off-hours access keeps the entry-level and middle-level employees busy during the week negotiating with and collecting ransoms from the victims.

The leak also exposed cryptocurrency wallet information, which gives a picture of how much the employees are paid. Because initial access brokers are the key to Conti's revenue, they receive 20-30% of the ransom collected and work through the weekend. Upper managers take the largest share of the ransoms, while middle management works a normal nine-to-five week on a salary in the $80k range. New entry-level employees make half a percent of the ransom until they are promoted, after which they receive one percent. The chats reveal that they work long hours and rarely sleep more than three hours a night.

Office Politics

The chats also revealed Conti's office politics. Entry-level employees complain about how middle and upper management treat them and about the hours they work. There also appears to be a promotion structure tied to more prestigious offices, the most sought-after being in Dubai. Employees promoted to that location get higher-profile cases and bigger payouts.

It’s important to know that while Conti employees often claim to have all of a victim’s important data, that claim is not always true. We found that in most cases Conti gains access to only a fraction of the data it claims to hold. Before accepting an exfiltration claim, a victim should compare it against its own evidence, such as outbound network logs and the file listing the actors provide, rather than taking the claim at face value. With this information, organizations can better understand the true extent of the attack, allowing negotiators and threat intelligence teams to call Conti's bluff. In the long run, leaks like these enable law enforcement to target specific threat actors and take down their organizations.

New Information Coming Out Soon...

Given that key members of the Conti team were recently doxed, GroupSense MSIC are digesting and validating that new data. We will post what we find here soon.

Written by Editorial Team
