Internal documents recently leaked by a member of the Conti ransomware group reveal the gang’s status as a multi-faceted business organization.
Researchers at BreachQuest, a cybersecurity and incident response company in Dallas, on Wednesday released their analysis of chat logs that were posted first to private channels and then to Twitter by a disgruntled group member a few weeks ago. The leaks followed an aggressive pro-Russian post on the well-known ransomware group’s website.
According to Marco Figueroa, Head of Product at BreachQuest and former senior threat researcher at SentinelOne, the release is intended to help organizations understand the inner workings of Conti’s organizational infrastructure.
These chat logs provide an in-depth look at the ransomware gang’s revenue numbers, leaders, recruitment practices and operations, and victims.
One of the most surprising revelations is that the group’s top leader has invested heavily in Bitcoin and built the group’s own blockchain network to support Conti’s operations. Another key finding from the chat conversations is that almost all group members live in Russia, Figueroa confirmed.
“It’s a well-oiled machine that’s been running for a while. They made $50 million in September,” he told TechNewsWorld.
Overview of chat logs
The Conti Group previously announced it would conduct cyberattack campaigns in support of Russia’s ongoing invasion of Ukraine.
According to BreachQuest, the infosec community then began circulating leaks, provided by a Ukrainian security researcher, containing several years of internal chat logs that revealed Conti’s operations.
The leaked logs show that Conti’s attacks are not limited to large companies; the group also pursues small businesses.
One of Conti’s main goals is to maximize victims’ willingness to pay for the decryption of their data through price negotiations, Figueroa said. The strategy involves a series of incrementally larger releases of stolen data until the victim agrees to pay, and each new release of compromised information raises the price demanded.
“One of the things the blog reveals is that they want to honor their work,” he said.
Not included in the BreachQuest blog post on the transcript’s content was a discussion of how one affected company made a special request in exchange for payment. According to Figueroa, the company wanted to download all of its files and then have Conti delete its copies.
The chat logs show the back-and-forth discussion and Conti’s agreement to comply, presented as an indication that victims can trust Conti’s promises.
Conti is organized in an effective hierarchy that compartmentalizes its employees into specialized groups. Key executives are identified only by ambiguous names and titles.
New hires are given vaguely defined work to prevent them from learning too much about the organization. This, together with the criminal nature of the work, may contribute to the organization’s high turnover rate, BreachQuest’s report notes.
Conti divides its workforce into teams, each with an assigned team leader. In larger groups, several leaders work together to manage work orders and training.
Employees are specifically encouraged to “listen, do, learn and ask questions, follow guidance and directions, and complete assigned tasks.”
The Conti leaks and the ongoing war in Ukraine could prompt the Conti leadership to intensify recruitment efforts. The devalued ruble and international sanctions against Russia are pushing Russians toward bitcoin, and according to the leaked chat logs Conti pays its workers in bitcoin at their request.
Conti recruits employees using several strategies. The primary method is referrals from current trusted collaborators. Another method uses recruitment services to find candidates with the required skills.
One such service is a Russia-based website that gives Conti’s human resources department access to a resume database of potentially qualified candidates. One analyzed chat between Conti employees discusses a significant price change at the website, which offered Conti a discounted rate.
Interviews at Conti are awkward. Candidates wait in a chat room, and questions are asked and answered through chat exchanges rather than video, since video could compromise the operational security of the group’s members. Many candidates leave the chat rooms before the interview begins.
Candidates who pass the interview negotiate their salary and their role in the organization. Those who are hired go through “freshman induction training.”
Much of the back-office work involves hiring full-stack, crypto, C++ and PHP developers. They build tools such as lockers, spam tools, backdoors and admin panels.
Many of the web applications were written in PHP; according to the logs, software delivered to the group was missing code and was almost impossible to get running, and the programmers had to fix it.
Reverse engineers analyze Microsoft updates to learn what each system update changes. They also reverse engineer endpoint protection products to bypass protections that could detect, manipulate or hinder the group’s tools.
Dedicated teams search for targets by gathering information from publicly available online sources using various techniques. Admins help manage compromised corporate networks and collect the victim data that is most critical to the victim’s business, in order to extract the maximum payment.
Testers evaluate and verify that Conti’s tools do what they are supposed to do in specific environments. The chat logs reveal a daily test against Windows Defender signatures to ensure Conti’s tools are not detected.
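A daily test against the current signature set is aimed squarely at signature-based detection, so the defensive counterpart is to confirm that the Defender layers a signature test does not exercise (real-time and behavior monitoring, cloud-delivered protection, sample submission, tamper protection) are actually on, and that no exclusions give a tested payload a quiet place to run. The audit below is an added example, not code from the article or from BreachQuest’s report. It uses only the standard Defender cmdlets Get-MpComputerStatus, Get-MpPreference and Set-MpPreference; the function name Test-DefenderHardening and the one-day signature-age threshold are this example’s own choices.

```powershell
# Added example: audit the Defender layers that a daily signature test does not cover.
# Run in an elevated PowerShell session on a Windows host with Microsoft Defender.
function Test-DefenderHardening {
    [CmdletBinding()]
    param(
        # Oldest acceptable signature age in days (this example's own threshold).
        [int]$MaxSignatureAgeDays = 1
    )

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # Protection layers that signatures alone do not provide.
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is disabled') }
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper protection is off; a local admin can switch Defender off')
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) day(s) old (version $($status.AntivirusSignatureVersion))")
    }

    # Cloud-delivered protection: MAPSReporting 0 = Disabled, 1 = Basic, 2 = Advanced.
    if ([int]$pref.MAPSReporting -lt 2) { $findings.Add('Cloud-delivered protection (MAPS) is not set to Advanced') }
    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples.
    if ([int]$pref.SubmitSamplesConsent -eq 2) { $findings.Add('Sample submission is set to NeverSend') }
    # CloudBlockLevel: 0 = Default, 2 = High, 4 = HighPlus, 6 = ZeroTolerance.
    if ([int]$pref.CloudBlockLevel -lt 2) { $findings.Add('Cloud block level is below High') }

    # Exclusions are where a pre-tested payload can be staged; every exclusion deserves review.
    $exclusions = @( @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
                     Where-Object { $_ } )
    if ($exclusions.Count -gt 0) { $findings.Add("Defender exclusions present: $($exclusions -join ', ')") }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        Findings         = $findings
        Hardened         = ($findings.Count -eq 0)
    }
}

# Usage: report the findings, then raise the cloud-protection settings if anything was flagged.
$audit = Test-DefenderHardening
$audit | Format-List
if (-not $audit.Hardened) {
    # Remediates only the cloud-protection items. Tamper protection and exclusions are
    # normally managed through policy (Intune / Security Center) and are left for review.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples -CloudBlockLevel High
}
```

Run it on a representative workstation and a server build image rather than a single machine: the exclusions list in particular tends to differ per role, and a broad path exclusion added for a backup agent or line-of-business app is exactly what a tested payload would be dropped into.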
Conti follows specific practices to gain a foothold on a compromised network. The group looks for potentially interesting people such as administrators, engineers or other IT staff.
Backups are the main targets
Ransomware teams look for backup servers so that the affected company’s backups are encrypted along with its data. Operators also use techniques to defeat backup storage products to ensure the backups themselves are encrypted.
The leaked logs show Conti searching for financial documents, accounting files, client lists, project files and more. The strategy makes Conti employees understand that their success depends on finding information about the target organization that is useful in convincing the victim to pay.
Relying on backup files in the cloud or elsewhere will not by itself protect a company or organization under attack from compromise, Figueroa noted.
“They are after your backups. They won’t do anything (to notify a company that the compromise was successful) until they know they’ve got you in a bind you can’t get out of,” Figueroa said.
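Because backups are the target, the operator usually has to destroy a host’s local recovery points before encryption starts, and those commands are visible in process-creation telemetry before any file is touched. The PowerShell below is an added example, not from the article or BreachQuest’s report: it runs a small set of patterns for the well-known backup-destruction commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit and WMI Win32_ShadowCopy deletion) over constructed process command lines of the kind recorded by Security event 4688 or Sysmon event 1. The sample lines, the function name Find-BackupDestruction and the pattern set are this example’s own; they are not taken from the leaked chats.

```powershell
# Added example: flag process command lines that destroy local recovery points.
# The patterns are this example's own set of well-known pre-encryption commands.
$BackupDestructionPatterns = [ordered]@{
    'vssadmin delete shadows'     = 'vssadmin(\.exe)?\s+delete\s+shadows'
    'wmic shadowcopy delete'      = 'wmic(\.exe)?\s+shadowcopy\s+delete'
    'wbadmin delete catalog'      = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)'
    'bcdedit disable recovery'    = 'bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'
    'WMI Win32_ShadowCopy delete' = 'Win32_ShadowCopy.*\.Delete\('
}

function Find-BackupDestruction {
    [CmdletBinding()]
    param(
        # Process command lines, e.g. from Security 4688 (needs command-line auditing) or Sysmon 1.
        [Parameter(Mandatory)][string[]]$CommandLine
    )
    foreach ($cmd in $CommandLine) {
        foreach ($entry in $BackupDestructionPatterns.GetEnumerator()) {
            # -match is case-insensitive, so VSSADMIN.EXE and mixed-case variants still hit.
            if ($cmd -match $entry.Value) {
                [pscustomobject]@{ Technique = $entry.Key; CommandLine = $cmd }
                break   # one hit per command line is enough
            }
        }
    }
}

# Constructed sample input (not real log data): six destructive lines and two benign ones.
$SampleCommandLines = @(
    'vssadmin.exe delete shadows /all /quiet',
    'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete',
    'wbadmin.exe delete catalog -quiet',
    'bcdedit.exe /set {default} recoveryenabled No',
    'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'vssadmin.exe list shadows',               # benign: enumerates, does not delete
    'notepad.exe C:\Users\alice\budget.txt'    # benign
)

$hits = Find-BackupDestruction -CommandLine $SampleCommandLines
$hits | Format-Table -AutoSize

# Live variant on this host (command-line auditing must be enabled for 4688 to carry the
# command line; it is Properties[8] of the event):
# Find-BackupDestruction -CommandLine (
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#         ForEach-Object { $_.Properties[8].Value } )
```

The benign “vssadmin list shadows” line is deliberately included: an alert that fires on every vssadmin invocation gets tuned out, while the delete forms are rare enough in normal administration that they are worth paging on, especially on a backup server or domain controller.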
The leaked chat logs and the full analysis are available on the BreachQuest website.
Source: BreachQuest Dissects, Publishes Pro-Russia Ransomware Group’s Internal Chat Logs