Earlier this week, a Ukrainian security researcher with insights into the Conti ransomware group leaked almost two years’ worth of internal chat logs. Conti is responsible for a number of high profile ransomware attacks.
As Russia unleashed war on Ukraine, many are asking about a possible Russian cyber-attack. Recently GroupSense's Director of Intelligence Operations, Bryce Webster-Jacobsen, was interviewed by Asharq News about the situation and the impact on the cyber nexus. As the situation has developed and more information has come out, GroupSense analysts have been researching and reporting on possible cyber implications with the Russia/Ukraine Conflict and the recent Conti leaks.
“Boots on the ground” is not the only tactic of the Russian government in Ukraine. As cyberwarfare is waged against Ukrainian assets, the ransomware group, Conti, announced full support of Putin’s invasion. Unfortunately for Conti, presumed Ukrainian members of the prolific hacking group leaked a year’s worth of chat logs exposing the inner workings of the organization. Much like other governments and businesses, Conti members seek to punish the group for its affiliation with Putin’s invasion.
Through threat intelligence analysis and direct interactions with Conti, GroupSense has deep intelligence on the ransomware group’s tactics, techniques, and procedures. Before the leaks, GroupSense knew that Conti operated like a business, closely aligning themselves with Russia. The leaks revealed additional details about the structure of the ransomware-as-a-service (RaaS) group. Here’s what you, and your organization, need to know about how Conti operates to better protect your assets.
False Claims & Business Challenges
Conti's attacks start with phishing campaigns to gain access to the network, lock down devices, and encrypt data before asking for ransom. GroupSense analysts found that Conti targets different size organizations by translating the leaked information. When the payout sums are in the millions, employees are told to “be nice” to their victims and put on their best customer service voices. The organization doesn't care as much about victims who are not able to pay as large of a ransom. When their victim is a lawyer, they are told to never negotiate because lawyers will always pay the full price.
Over the past several months, Conti has had issues cashing out their cryptocurrency wallets. In the leaked chats, employees discussed the distance of different banks in kilometers so as not to give up their location. They also discuss weekend trips in kilometers only to protect the location of their offices.
Much like other as-a-service business structures, Conti has upper and middle management with entry-level employees that do the leg work. The “doers” rely heavily on “initial access brokers,” who gain access to victim networks over the weekend, ensuring that the higher-ups have enough work throughout the week. This off-hour work gives the other entry and middle-level employees work to keep busy with throughout the week, negotiating and collecting ransoms on the victims.
In the leak, cryptocurrency wallet keys were revealed, giving us information on how much the employees get paid. Because initial access brokers are the keys to Conti's revenue, they get paid 20-30% of the ransom collected, and work throughout the weekend. Upper managers take the most from the ransoms, and middle management works off a salary in the $80k range working a normal nine-to-five week. New entry level employees make half of a percent of the ransom until they are promoted and receive one percent of the ransom. The chats revealed that they work long hours and rarely sleep more than three hours a night.
The chats also revealed Conti's office politics. Entry level employees complain about how middle and upper management treats them and how many hours they work. There also appears to be a promotion structure involving more prestigious offices, the best being in Dubai. If promoted to that location, employees get more high-profile cases and bigger payouts.
It’s important to know that while Conti employees often claim that they have all of a client’s important data, it’s not always true. We found that in most cases, Conti gains access to only a fraction of the data they claim to have. With this information, organizations can better understand the extent of the attack, allowing negotiators and threat intelligence teams to call their bluffs. In the long run, leaks like these enable law enforcement groups to target specific threat actors to take down their organizations.
New Information Coming Out Soon...
Given that key members of the Conti team were recently doxed, GroupSense MSIC are digesting and validating that new data. We will post what we find here soon.