March 4, 2022

Part I of this series examined newly-leaked internal chats from the Conti ransomware group, and how the crime gang dealt with its own internal breaches. Part II explored what it’s like to be an employee of Conti’s sprawling organization. Today’s Part III looks at how Conti abused popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims.

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

Conti is by far the most successful ransomware group in operation today, routinely pulling in multi-million dollar payments from victim organizations. That’s because more than perhaps any other ransomware outfit, Conti has chosen to focus its considerable staff and talents on targeting companies with more than $100 million in annual revenues.

As it happens, Conti itself recently joined the $100 million club. According to the latest Crypto Crime Report (PDF) published by virtual currency tracking firm Chainalysis, Conti generated at least $180 million in revenue last year.

On Feb. 27, a Ukrainian cybersecurity researcher who is currently in Ukraine leaked almost two years’ worth of internal chat records from Conti, which had just posted a press release to its victim shaming blog saying it fully supported Russia’s invasion of his country. Conti warned it would use its cyber prowess to strike back at anyone who interfered in the conflict.

The leaked chats show that the Conti group — which fluctuated in size from 65 to more than 100 employees — budgeted several thousand dollars each month to pay for a slew of security and antivirus tools. Conti sought out these tools both for continuous testing (to see how many products detected their malware as bad), but also for their own internal security.

A chat between Conti upper manager “Reshaev” and subordinate “Pin” on Aug. 8, 2021 shows Reshaev ordering Pin to quietly check on the activity of the Conti network administrators once a week — to ensure they’re not doing anything to undermine the integrity or security of the group’s operation. Reshaev tells Pin to install endpoint detection and response (EDR) tools on every administrator’s computer.

“Check admins’ activity on servers each week,” Reshaev said. “Install EDR on every computer (for example, Sentinel, Cylance, CrowdStrike); set up more complex storage system; protect LSAS dump on all computers; have only 1 active accounts; install latest security updates; install firewall on all network.”

Conti managers were hyper aware that their employees handled incredibly sensitive and invaluable data stolen from companies, information that would sell like hotcakes on the underground cybercrime forums. But in a company run by crooks, trust doesn’t come easily.

“You check on me all the time, don’t you trust me?,” asked mid-level Conti member “Bio” of “Tramp” (a.k.a. “Trump“), a top Conti overlord. Bio was handling a large bitcoin transfer from a victim ransom payment, and Bio detected that Trump was monitoring him.

“When that kind of money and people from the street come in who have never seen that kind of money, how can you trust them 1,000%?” Trump replied. “I’ve been working here for more than 15 years and haven’t seen anything else.”

OSINT

Conti budgeted heavily for what it called “OSINT,” or open-source intelligence tools. For example, it subscribed to numerous services that can help determine who or what is behind a specific Internet Protocol (IP) address, or whether a given IP is tied to a known virtual private networking (VPN) service. On an average day, Conti had access to tens of thousands of hacked PCs, and these services helped the gang focus solely on infected systems thought to be situated within large corporate networks.

Conti’s OSINT activities also involved abusing commercial services that could help the group gain the upper hand in ransom negotiations with victims. Conti often set its ransom demands as a percentage of a victim’s annual revenues, and the gang was known to harass board members of and investors in companies that refused to engage or negotiate.

In October 2021, Conti underling “Bloodrush” told his manager “Bentley” that the group urgently needed to purchase subscriptions to Crunchbase Pro and Zoominfo, noting that the services provide detailed information on millions of companies, such as how much insurance a company maintains; their latest earnings estimates; and contact information of executive officers and board members.

In a months-long project last year, Conti invested $60,000 in acquiring a valid license to Cobalt Strike, a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten “Coba” licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network. It appears $30,000 of that investment went to cover the actual cost of a Cobalt Strike license, while the other half was paid to a legitimate company that secretly purchased the license on Conti’s behalf.

Likewise, Conti’s Human Resources Department budgeted thousands of dollars each month toward employer subscriptions to numerous job-hunting websites, where Conti HR employees would sift through resumes for potential hires. In a note to Conti taskmaster “Stern” explaining the group’s paid access on one employment platform, Conti HR employee “Salamandra” says their workers have already viewed 25-30 percent of all relevant CVs available on the platform.

“About 25% of resumes will be free for you, as they are already opened by other managers of our company some CVs are already open for you, over time their number will be 30-35%,” Salamandra wrote. “Out of 10 CVs, approximately 3 will already be available.”

Another organizational unit within Conti with its own budget allocations — called the “Reversers” — was responsible for finding and exploiting new security vulnerabilities in widely used hardware, software and cloud-based services. On July 7, 2021, Stern ordered reverser “Kaktus” to start focusing the department’s attention on Windows 11, Microsoft’s newest operating system.

“Win11 is coming out soon, we should be ready for this and start studying it,” Stern said. “The beta is already online, you can officially download and work.”

BY HOOK OR BY CROOK

The chats from the Conti organization include numerous internal deliberations over how much different ransomware victims should be made to pay. And on this front, Conti appears to have sought assistance from multiple third parties.

Milwaukee-based cyber intelligence firm Hold Security this week posted a screenshot on Twitter of a conversation in which one Conti member claims to have a journalist on their payroll who can be hired to write articles that put pressure on victim companies to pay a ransom demand.

“There is a journalist who will help intimidate them for 5 percent of the payout,” wrote Conti member “Alarm,” on March 30, 2021.

The Conti team also had decent working relationships with multiple people who worked at companies that helped ransomware victims navigate paying an extortion demand in virtual currency. One friendly negotiator even had his own nickname within the group — “The Spaniard” — who according to Conti mid-level manager Mango is a Romanian man who works for a large ransomware recovery firm in Canada.

“We have a partner here in the same panel who has been working with this negotiator for a long time, like you can quickly negotiate,” Trump says to Bio on Dec. 12, 2021, in regards to their ransomware negotiations with LeMans Corp., a large Wisconsin-based distributor of powersports equipment [LeMans declined to comment for this story].

Trump soon after posts a response from their negotiator friend:

“They are willing to pay $1KK [$1 million] quickly. Need decryptors. The board is willing to go to a maximum of $1KK, which is what I provided to you. Hopefully, they will understand. The company revenue is under $100KK [$100 million]. This is not a large organization. Let me know what you can do. But if you have information about their cyber insurance and maybe they have a lot of money in their account, I need a bank payout, then I can bargain. I’ll be online by 21-00 Moscow time. For now, take a look at the documents and see if there is insurance and bank statements.”

In a different ransom discussion, the negotiator urges Conti to reconsider such a hefty demand.

“My client only has a max of $200,000 to pay and only wants the data,” the negotiator wrote on Oct. 7, 2021. “See what you can do or this deal will not happen.”

Many organizations now hold cyber insurance to cover the losses associated with a ransomware attack. The logs indicate Conti was ambivalent about working with these victims. For one thing, the insurers seemed to limit their ability to demand astronomical ransom amounts. On the other hand, insured victims usually paid out, with a minimum of hassle or protracted back-and-forth negotiations.

“They are insured for cyber risks, so what are we waiting for?” asks Conti upper manager “Revers,” in a conversation on Sept. 14, 2021.

“There will be trades with the insurance company?” asks Conti employee “Grant.”

“That’s not how it works,” Revers replied. “They have a coverage budget. We just take it and that’s it.”

Conti was an early adopter of the ransomware best practice of “double extortion,” which involves charging the victim two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed. Indeed, some variation of the message “need decryptors, deletion logs” can be seen throughout the chats following the gang’s receipt of payment from a victim.

Conti victims were directed to a page on the dark web that included a countdown timer. Victims who failed to negotiate a payment before the timer expired could expect to see their internal data automatically published on Conti’s victim shaming blog.

The beauty of the double extortion approach is that even when victims refuse to pay for a decryption key — perhaps because they’re confident they can restore systems from backups — they might still pay to keep the breach quiet.

“Hello [victim company redacted],” the gang wrote in January 2022. “We are Conti Group. We want to inform that your company local network have been hacked and encrypted. We downloaded from your network more than 180GB of sensitive data. – Shared HR – Shared_Accounting – Corporate Debt – Departments. You can see your page in the our blog here [dark web link]. Your page is hidden. But it will be published if you do not go to the negotiations.”

“We came to an agreement before the New Year,” Conti member “Skippy” wrote later in a message to the victim company. “You got a lot of time, more than enough to find any sum and fulfill your part of this agreement. However, you now ask for additional time, additional proofs, etc. Seems like you are preparing to break the agreement and flee, or just to decrease the sum. Moreover, it is a very strange request and explanation. A lot of companies pay such amounts without any problems. So, our answer: We are waiting for the above mentioned sum until 5 February. We keep our words. If we see no payment and you continue to add any conditions, we begin to upload data. That is all.”

And a reputation for keeping their word is what makes groups like Conti so feared. But some may come to question the group’s competence, and whether it may now be too risky to work with them.

On Mar. 3, a new Twitter account called “Trickbotleaks” began posting the names, photos and personal information of what the account claimed were top Trickbot administrators, including information on many of the Conti nicknames mentioned throughout this story. The Trickbotleaks Twitter account was suspended less than 24 hours later.

On Mar. 2, the Twitter account that originally leaked the Conti chat (a.k.a. “jabber”) records posted fresh logs from the Conti chat room, proving the infiltrator still had access and that Conti hadn’t figured out how they’d been had.

“Ukraine will rise!,” the account tweeted. “Fresh jabber logs.”

If you liked this story, check out Part IV: Cryptocrime, which explores different schemes that Conti pursued to invest in and steal cryptocurrencies.


23 thoughts on “Conti Ransomware Group Diaries, Part III: Weaponry

  1. JamminJ

    “Tramp” (a.k.a. “Trump“), a top Conti overlord.

    Says it all

    1. Klaus

      Clinton was thought to have been shot down by Fancy Bear, not Conti. Are you suggesting that Tramp/Trump was a former Fancy Bear member?
      Well, perhaps the pay is better for a Conti overlord than in a state-funded group, but what would the FSB (Федеральная служба безопасности Российской Федерации) say about such a move?

  2. JamminJ touches kids

    JamminJ, do you still bitch and moan about George Bush too? Jesus Christ, get over it and take your political hot garbage elsewhere.

    1. thegreyfoxx

      Yeah, I’m real tired of his pontifications too. he needs to create his own rant blog. someone might follow him, but he sure is an arrogant ‘know it all’ nuisance here.

      1. Readership1

        You are free not to comment or even read the comments if you wish.
        Whether wrong, right or just an opinion at least JamminJ has something to say. Do you have anything at all to add?

        1. factoid

          It’s more that he repeats what others are saying as if he is coming up with it.
          Over and over and over. People who require attention are annoying. Oh well.

      2. maruchan

        Worse is when he repeats what someone else said as if fixing it.
        Some people have no filter for indulgent self-involvement.

        1. Readership1

          Where do you see JamminJ repeating what others are saying? His was the first comment here.
          It’s more likely that he’s just triggering people who support Trump. Just being a know it all doesn’t invite such vitriol. But politics is certainly divisive enough.

          The fact that the first response was to accuse pedophilia suggests a political motive against JamminJ and not one based on just being annoying. Very similar attacks that we see from Q Anon believers.

          1. maruchan

            Excellent obfuscation, or you think this is his first comment?
            My observation has nothing to do with pedophilia nor politics,
            nor Trump, nor Q-Anon, so maybe read more carefully or not.

            1. Readership1

              That was his first comment here, yes.
              Regardless of your claimed observation, I don’t see any problem with JamminJ comments on this article. You say it has nothing to do with pedophilia or politics but you are replying to and agreeing with a comment that accused both. I read carefully and so should you. Read the comments that you are replying to and agreeing with. The only explanation for all these replies trying to pile on, is that its politically motivated.

    2. hypocrite magats

      Moaning about trump 14 months after he left office isn’t the same as moaning about Bush after 14 years.

      And Trump supporters are still bitching about Clinton after all. Their default accusation seems to be to call someone a pedo. Sounds like you would storm into a non-existent pizzeria basement.

      History is showing maga cultists to be hypocrites and traitors to the county. Reagan wouldn’t have sided with Putin, and it’s pathetic that any self respecting Republican would defend Russia here.

      This is political of course. Russian kleptocrats love Trump and Trump loves them. So it makes sense that one of Conti’s criminals takes the name Trump.

  3. Ed

    What I don’t understand is that if these high $ value extortions are true, then why have these thieves have not been the subject of those that specialize in private sector wet work. It doesn’t make sense that this industry is permitted to thrive. The only explanation is that there are bigger, more powerful benefactors and sponsors involved.

  4. Eugene Craine

    Many of the Conti group live in Russia which is so corrupt that any and all information is available for the right price. Because nothing happens in Russia without the FSB permission it should be fairly straight forward to find a source in local law enforcement or FSB who would sell the identities of the Conti group. Police salaries in Russia are not exhorbitant and corruption is endemic. You can buy databases on street corners in Moscow. Then it’s a simple matter of sending the right people to their homes to persuade them to cease and desist. It would be a lot cheaper than handing over a seven figure ransom. There are thoousands of ex military in Russia with the right skills and the willingness to do the job. Most Russians are not well off with yachts and mansions.

  5. ReadandShare

    I did not realize that conti revenues are so much higher than all the rest!

  6. Kenar

    These crooks are all trading in crypto to me it could be regulated out of existence with good regulations.

  7. Cached Comments

    The reason why users don’t see new comments (even after moderator approved) and engagement has been so low.
    At some point earlier this year, W3TC memcached was turned on. Not sure if this was intentional to prevent Layer 7 DOS attacks on the site, or if Brian is aware that comments are also cached.

    Source of the page:
    Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/
    Object Caching 174/175 objects using memcached
    Page Caching using memcached
    Database Caching 13/18 queries in 0.005 seconds using memcached
    Served from: krebsonsecurity.com @ 2022-03-06 17:03:42 by W3 Total Cache

    That’s almost 24 hours ago.
    A WP blog with an active comment section should not be so heavily cached.

    1. SeymourB

      Maybe everyone’s tired of criminals posting nonsense to Krebs comment threads and that’s why they’re not being approved anymore.

      Stop looking for complex conspiracies when a much simpler explanation will do.

      1. Appsec1

        He’s not talking about comments being approved or denied by the moderator.

        He’s talking about comments that are approved not awaiting moderator and are actually posted. These comments are there but they are still not always visible for for up to 24 hours because the entire page is cached from a previous version.

        It’s not a conspiracy. It’s plain text right there in the source page. Look for yourself.

      2. Henry

        I see the source code too. It’s a commented out note from W3 Total Cache.
        That explains why comments seem to show up and disappear randomly when refreshing the page. Thanks.

  8. Mainline

    Seems inevitable that Conti and many other Russian based ransomware gangs will be sanctioned by the US government and NATO allies.
    This is going to have a profound effect on the economics. Victim businesses will no longer be able to pay these ransoms. Cybersecurity insurance can still cover losses and recovery costs, but decryptors and promises to keep Conti from posting the data won’t be legal anymore.
    I know, many people who argue against making ransomware payments illegal say that companies will just stop reporting breaches.
    But I disagree. Companies avoid reporting all kinds of breaches. Most breaches do not involve paying ransomware. They are just damaging to reputation, so they don’t report. Paying large sums of money is something that corporations usually cannot hide. Publicly traded companies absolutely cannot just hide a ransomware payment, they risk way more than their reputation for cooking the books. Even private companies can be audited by the IRS and easily show a large payment made to buy cryptocurrency.
    So if a victim company doesn’t want to report a breach, that’s still legal, but making a million dollar purchase of bitcoin to send to an overseas wallet owned by Russian cyber criminals… that’s something the government can and should sanction.

    “Russia is the world’s largest exporter of decryptors”. It’s a billion dollar industry, with Conti as the largest share. Conti has already sided with Putin. Time to sanction those exports and cut off their funding. North American and European businesses should not be funding Conti, Putin, or his oligarchs.

Comments are closed.