October 25, 2021

The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where confidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the cybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.

A redacted screenshot of the Conti News victim shaming blog.

“We are looking for a buyer to access the network of this organization and sell data from their network,” reads the confusingly worded message inserted into multiple recent victim listings on Conti’s shaming blog.

It’s unclear what prompted the changes, or what Conti hopes to gain from the move. It’s also not obvious why they would advertise having hacked into companies if they plan on selling that access to extract sensitive data going forward. Conti did not respond to requests for comment.

“I wonder if they are about to close down their operation and want to sell data or access from an in-progress breach before they do,” said Fabian Wosar, chief technology officer at computer security firm Emsisoft. “But it’s somewhat stupid to do it that way as you will alert the companies that they have a breach going on.”

The unexplained shift comes as policymakers in the United States and Europe are moving forward on efforts to disrupt some of the top ransomware gangs. Reuters recently reported that the U.S. government was behind an ongoing hacking operation that penetrated the computer systems of REvil, a ransomware affiliate group that experts say is about as aggressive and ruthless as Conti in dealing with victims. What’s more, REvil was among the first ransomware groups to start selling its victims’ data.

REvil’s darknet victim shaming site remains offline. In response, a representative for the Conti gang posted a long screed on Oct. 22 to a Russian language hacking forum denouncing the attack on REvil as the “unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.”

“Is there a law, even an American one, even a local one in any county of any of the 50 states, that legitimize such indiscriminate offensive action?” reads the Conti diatribe. “Is server hacking suddenly legal in the United States or in any of the US jurisdictions? Suppose there is such an outrageous law that allows you to hack servers in a foreign country. How legal is this from the point of view of the country whose servers were attacked? Infrastructure is not flying there in space or floating in neutral waters. It is a part of someone’s sovereignty.”

Conti’s apparent new direction may be little more than another ploy to bring victim companies to the negotiating table, as in “pay up or someone will pay for your data or long-term misery if you don’t.”

Or maybe something just got lost in the translation from Russian (Conti’s blog is published in English). But by shifting from the deployment of ransomware malware toward the sale of stolen data and network access, Conti could be aligning its operations with many competing ransomware affiliate programs that have recently focused on extorting companies in exchange for a promise not to publish or sell stolen data.

However, as Digital Shadows points out in a recent ransomware roundup, many ransomware groups are finding it difficult to manage data-leak sites or to host stolen data on the dark web for download.

After all, when it takes weeks to download one victim’s data via Tor — if indeed the download succeeds at all — the threat of leaking sensitive data as a negotiation tactic loses some of its menace. It’s also a crappy user experience. This has resulted in some ransomware groups exposing data using public file-sharing websites, which are faster and more reliable but can be taken down through legal means quite quickly.

Data leak sites also can offer investigators a potential way to infiltrate ransomware gangs, as evidenced by the recent reported compromise of the REvil gang by U.S. authorities.

“On 17 Oct 2021, a representative of the REvil ransomware gang took it to a Russian-speaking criminal forum to reveal that their data-leak sites had been ‘hijacked’,” Digital Shadows’ Ivan Righi wrote. “The REvil member explained that an unknown individual accessed the hidden services of REvil’s website’s landing page and blog using the same key owned by the developers. The user believed that the ransomware gang’s servers had been compromised and the individual responsible for the compromise was ‘looking for’ him.”

A recent report by Mandiant revealed that FIN12 — the group believed to be responsible for both Conti and the Ryuk ransomware operation — has managed to conduct ransomware attacks in less than 3 days, compared to more than 12 days for attacks involving data exfiltration.

Seen through those figures, perhaps Conti is merely seeking to outsource more of the data exfiltration side of the business (for a fee, of course) so that it can focus on the less time-intensive but equally profitable racket of deploying ransomware.

“As Q4 comes near, it will be interesting to see if issues relating to managing data leak sites will discourage new ransomware groups [from pursuing] the path of data-leak sites, or what creative solutions they will create to work around these issues,” Righi concluded. “The Ryuk ransomware group has proven itself to remain effective and a top player in the ransomware threat landscape without the need for a data-leak site. In fact, Ryuk has thrived by not needing a data leak site and data exfiltration.”

13 thoughts on “Conti Ransom Gang Starts Selling Access to Victims”

  1. Ron

    You have to love the irony of this… People who hack into other people’s servers for a living – then perform 2 illegal actions (data destruction and theft) – go on hacker forums (where criminals talk about and commit crimes), and are outraged that people are breaking the law…. and can’t believe the US behavior concerning them… LOL

    1. Agent Leavenworth von Drumpf

      How dare you come in here like some junk yard dog?
      How dare you sir.

      1. nathan brown

        That's going to drive me nuts – what movie is that again?

  2. Rogue Ai will enslave you All!!! muhahaha!

    is this a joke? lol
    “a representative for the Conti gang posted a long screed on Oct. 22 to a Russian language hacking forum denouncing the attack on REvil as the “unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.”

    hacks for thee and not for me?.. lol cyka blyat mofos.. who u think ur fookin with?

  3. Cass

    Great article Brian.

    Conti seem to have been creaking under the strain recently, possibly from spreading themselves too thin and opening up to multiple affiliates.

    6-8 months ago it was guaranteed that if Conti got you, you’d be on their site (one of tens a day or week). That changed as we came into spring with multiple known victims not being named by the group despite the same extortive line being taken (though their weak threat remained that “they’d already sold your data” – highly unlikely).

    It wouldn’t be surprising if Emsisoft’s prediction of a winding down is correct. Although I’d expect a “rebrand” and new group to pop up shortly after. Watch this space.

  4. WhiteBear

    Lockbit already used local domains like bigblog.at or decoding.at to expose their victims on the clearnet.

  5. sirk

    So if you’ve been robbed, you’re the “client” of the robber?

  6. The Sunshine State

    Readers here need to check out that Digital Shadows report link.

  7. Thereisnogod

    Still waiting for the day I see a video of a ransom gang being burned to death. God that will be awesome.

  8. fran

    Conti painted a giant target on their backs by hacking and crippling the hospital patient data system in Ireland (Health Services Executive). They demanded 30 million euros but we are told they did not receive anything. It was especially bad timing coming as it did in the midst of a global pandemic. The attack also coincided with the United Nations Security Council meeting in New York. Ireland was recently elected a temporary member of the UN Security Council and for the time being has a seat at the big table. All it took was for the Irish Foreign Minister, Simon Coveney, to have a quiet word with his Russian counterpart and 48 hours later Conti’s decryption key was handed over to the HSE to try and unlock their computers and stop the malware. Nevertheless, most of the data is gone for good because Conti creates a different encryption key for every file. It took four months to rebuild the data, I know that because my son’s dentist had his computer bricked for 16 weeks.

  9. New Jack

    These hackers should be found and executed without delay. Joe should call his KGB buddies and pull a favor or two. These hackers have killed dozens of people, ruined lives and are horrible vermin. Drone strike their homes and their families. Make them pay the ultimate price.
