ContiLeaks – A Rare Look Into a Nation-State Adversary

INTRODUCTION

We are living through unprecedented times, not only in the information security realm, but in geopolitics overall. During the last week, anyone in the West with an internet connection can witness, in real time, an invasion of scope and scale not seen since World War II. This includes video footage, up-to-date declassified combat intelligence, and actual humans on the front lines with access to social media, sharing the hard reality of war.

The discussion around the “cyber” component of this conflict is all over the news as well, as Russia has been known for its offensive cyber operations against not only the United States, but the entire world since the 90’s. While Russian cyber activity has taken some unexpected turns since they decided to invade Ukraine, the response from the rest of the world has been extraordinary. From the Ukrainian government calling on hackers to get involved in espionage and disruption of Russian networks, to the likes of Anonymous targeting over a thousand of Russian and Belarusian websites, it is clear that we have truly entered a new era of cyber warfare.

An interesting storyline emerging from these events is the response to the invasion from Ransomware gangs with attribution to Russia or ties to the Russian government. The Conti Ransomware gang is one such organization that on February 25^th issued a threat that they would strike critical infrastructure of any country or organization opposing Russia.

In response to this statement, a security researcher, believed to be of Ukrainian nationality, began releasing internal data from the Conti Ransomware gang group using the Twitter handle @ContiLeaks. This individual is believed to have had backend access to Conti gang’s various chat systems and infrastructure.

From a Cyber Threat Intelligence (CTI) perspective, this offers fascinating insight into the inner workings of one of the most prolific cybercrime organizations of the last few years. This blog post details some highlights from the leaked data as well as high-level analysis of what this could mean for the cybercriminal underground.

DISCLAIMER: At the time of this writing, the data leaks are still under review by security researchers, intelligence analysts, and (more than likely) rival ransomware gangs. Much of the data contains cleartext credentials of victims of unauthorized intrusion with intent of extortion via Ransomware. It should be noted that access to the data leaks should be treated with great caution. Additionally, it is very possible that the data leaks and the corresponding data could have been altered – so, my advice is to tread lightly before making any changes to your organization or assuming information from the leaks are gospel truth.

Forum Logs, Chat Logs

The initial leak (on February 27^th, 8:22 PM UTC) contained private messages from Jabber from 1/29/21 to 2/27/22. For the most part, all communications were in Russian and needed to be translated. This initial leak painted a detailed picture of the private conversations among the internal Conti gang and its various affiliates as they conducted operations.

There were several consistent handles appearing in the chats:

• Defender (defender@q3mcco35auwcstmt[.]onion)
• Stern (stern@q3mcco35auwcstmt[.]onion)
  • Believed to be one of the “higher up” Conti managers, also tracked in other intel sources as the CEO of the TrickBot group.
• Bentley (bentley@q3mcco35auwcstmt[.]onion)
  • Appears to be in charge of their software build pipeline, seen to be discussing how to build obfuscated payloads for their various loaders.
• Mango (mango@q3mcco35auwcstmt[.]onion)
  • Per the chats, appears to be heavily involved in Conti’s operations.
• Professor (professor@q3mcco35auwcstmt[.]onion)

Note the Conti ransomware gang’s primary Dark Web Onion XMPP (I.e., Jabber messaging protocol) address consistent across the accounts:

hxxp://q3mcco35auwcstmt[.]onion

They also appear to be using AVCheck[.]net to validate their various malware loaders and their bypass capability. Most of the leaked conversations read like your average software development firm, troubleshooting different issues, issuing requests to their development pipeline, discussing timeframes, etc. along with usage of various tools centered around file transfer for their various development projects and even some private messaging systems, like PrivNote.

Based on those conversations, we can also observe them conducting research and development on how to bypass popular EDR products, like VMware’s Carbon Black and Sophos. The following snippet shows a conversation between Condi gang members “Carter” and “Stern” in which they talk about attempting to contact a vendor to request a demonstration and obtain a license for testing.

On February 28^th, starting at 10:22 PM UTC and throughout that day, more and more chat logs were released, among other interesting artifacts. There appears to be a few mistranslations in the chat from Russian to English when using Google translate, but also there seems to be some internal slang in use:

• Firework = firewall
• Whining = эс ку эл = SQL
• School = SQL
• Balls = shares
• Zithers = Citrix?
• Food = FUD/Fully Undetectable
• tpsh = their proprietary tool for handling initial access
• silkcode = shellcode
• Cue balls = Bitcoin
• Rockets = Rocket Chat
• Toad = Jabber
• Gasket = Space/Connections? – still unclear
• Scarfinder = sharefinder
• Swear = detect
• Grandfather = dedik = attack box
• Met/h = Metasploit

Credit @seadev3 on twitter for this list

Interestingly enough, the Condi gang performed formal interviews to hire new members.  We can even see some parts of an interview process in the following thread:

Of course, we are also able to observe chatter centered around victim companies, including negotiations with actual victim contacts and the internal discussions around Ransomware ransom payment. Some of the companies listed in the data leak have not publicly disclosed, as far as we can find,  any ransomware incidents. Time will tell if there will be any repercussions stemming from this leaked information been made public.

Additionally, it appears that the Conti gang enforced a ban on attacks to the healthcare industry last June, likely because the media attention generated from attacks against major hospitals during the later stages of a global pandemic.

Command and Control Infrastructure

Besides the various chat logs, a fantastic piece of actionable intelligence gained from the Conti Leaks is the information disclosed about their actual internet-connected infrastructure. This includes command and control (C2) server IPs, virtual private server (VPS) systems they were operating from, and the several Dark Web onion sites they used for their operations.

Below are some sample screenshots of Conti ransomware gang’s internet-connected infrastructure:

On March 2^nd, during the height of the leaks, we can see internal communications showing that they dismantled their environment to avoid further compromise.

Even though most of the data that was leaked was considered archived or old, some of the Conti infrastructure was intact, though for a short period of time.

As one would expect, the leaks were littered with cleartext credentials, not only from victim systems and accounts but also Conti’s infrastructure too. There are also reports of some still valid victim credentials.

NOTE: the VPS listed below all appear to be down at this time.

Source Code

Arguably the most sought after and objectively the most dangerous part of the #ContiLeaks is the source code of the Conti team’s hacking tools. Internal proprietary software source code was released, as well as source code for the gang’s administrative panel, the BazarBackdoor API, and a password-protected archive containing the source code for the actual Conti ransomware encryptor, decryptor, and builder.

The archive was quickly cracked by researchers. Below is a snippet of the actual Conti Locker source code for encrypting a file:

This particular piece of the leak provides incredible insight to security researchers on how this malware works and its various mechanisms. But as we have seen in prior ransomware source code leaks, various copycats will quickly implement this code into their own operations. This will undoubtedly do much more harm than good in the coming months.

Documentation, Process, and Procedures

Intel gathered on Conti gang’s tactics, techniques, and procedures (TTPs) lead analysts to believe they operate at a very high level and have several different methods (some possibly novel) for compromising their victims. The #ContiLeaks have affirmed this and more, as internal documentation on tool usage tutorials, encryption process, data exfiltration, and extortion strategies show a mature approach to information sharing among their various affiliates.  They even have a rudimentary structure related to the various operational teams:

We can see that they use various offensive tools and frameworks, including BloodHound, WinPEAS, Inveigh, PsExec, Impacket, and Rubeus among others. Obviously Cobalt Strike is heavily utilized and documented well in the leaks. This confirms many of the threat intel analyses of Conti’s activities over the past two years.

Many of the procedures recorded line up with the threat intelligence gathered in recent years from resources like @TheDFIRReport, showing very fundamental offensive tradecraft, situational awareness on a compromised network using Living off the Land techniques, tools like ADFind etc.

One fascinating piece of documentation reveals how the Conti gang make determinations for the ransom asking price based on victim company cyber insurance policy, how to package stolen data, and what data to “pay special attention to…”

Conclusion

We must always be reminded that these ransomware operators study us just as much as we study them. All the tooling I have seen referenced in the leaks thus far are actively in use by our internal Red Teams (outside of proprietary software). So, it is gratifying to know that our approach should prove useful for our clients, since we are using the same methodology.

Also, we will absolutely see the Conti Locker source code coopted from copycat groups, and everything gathered from these leaks from an indicator perspective should be immediately added to your organization’s detections, data collection, and analysis.

The recent world events have brought about various monumental realizations in cyber security, but from a Threat Intelligence perspective, the #ContiLeaks hit very close to home for many enterprises globally. Ransomware is in your threat model no matter in  what industry vertical your business operates. The events of the past two weeks remain as a sobering reminder that defenders must remain up to date with emerging intel. This rare, expansive look into a prolific criminal organization can and will be mined for information, not only to reinforce what we already know about ransomware operations but to provide confirmation on various parts of the Conti operation we could only theorize about from past incidents.

While the TTPs we observe pre and post leak are not extraordinary or advanced by any means, we have justification to believe that their organized approach to operations and scale absolutely works against victims with immature security postures.

As an incident responder, I have personally worked on several Conti and Ryuk cases in the past two years. These leaks and the subsequent shutdown of Conti’s operational capability provide some closure to some victims, but Conti will rebuild and bounce back, just as TrickBot and Emotet before them. We will likely see similar leaks from other groups as we move forward with the current geopolitical landscape. Pandora’s box has been blown open.

Below is access to the #ContiLeaks. Proceed with caution:

• https://github.com/TheParmak/conti-leaks-englished
• https://share.vx-underground.org/Conti/