An Overview on Conti Ransomware Leaks: Is This the End for Conti?

March 18, 2022

Along with its physical invasion of Ukraine on February 24th, 2022, Russia has targeted and attacked Ukraine in cyberspace. There has been a massive spike in cyberattacks in parallel with the physical aggression, affecting many Ukrainian organizations such as government ministries and state-owned banks. The cyber side of the war has been “bloody” so far because of numerous critical DDoS attacks and new destructive malware such as HermeticWiper and Cyclops Blink.

You can access detailed information about the Russian-Ukrainian cyber conflict in this post prepared by SOCRadar.

Hacker Gangs in Politics: Joining the Cyber-Battlefield

Well-known hacker gangs worldwide did not stay silent during the cyberwar, and some of them chose sides. The Anonymous group was the first to choose, declaring that it sided with Ukraine. Several Russian government websites went down shortly after the group announced its allegiance to Ukraine.

The Anonymous Group waging cyberwar against Russia

Not long after the Anonymous group stated its allegiance, the Conti ransomware group joined the cyberwar with a post on the gang’s dark web site declaring full support for the Russian government.

Conti’s aggressive message posted on their dark web site

We can see from the post that Conti was ready to go to great lengths in defending Russia. It turns out that not every member of Conti was happy with this aggressive stance against Ukraine. Some members clearly did not side with Russia in the cyberwar and were upset enough about the situation to betray their own organization. This internal conflict led to an event of utmost importance: the Conti Leaks.

Conti’s Downfall Begins as Sensitive Data is Leaked

Shortly after the aggressive post on Conti’s leak site, on the same day, a Conti member siding with Ukraine began leaking sensitive data with the message “**** Russia, Glory to Ukraine!”. We can say that Conti’s aggressive stance, taken without considering that some of its members might not fully agree with siding with Russia, was the reason for its downfall. Below, you can see the Conti leaker’s message to the world along with the leaks.

Conti Leaker’s message to the world (Source: vx-underground)

Conti replaced its original aggressive post on the leak site with a more neutral one the same day, realizing it had made a mistake. Unfortunately for Conti, it was too late to mitigate the damage, as the leakers were adamant about their choice.

Conti’s second and less aggressive post

The leaks have been coming in steadily from a Twitter account, @ContiLeaks. Each day, more sensitive data about the notorious ransomware group is leaked. The Twitter account also posts tweets cursing the Russian government and supporting Ukraine.

Screenshot showing ContiLeaks Twitter account’s previous tweets

The malware source-code and sample collection vx-underground has been archiving each leak on its website, https://share.vx-underground.org/. You can access and download the Conti leaks from the archive. We suggest downloading the files with caution, since not all of them are verified and some could be malicious.

Screenshot taken from vx-underground’s Conti leak archive

What’s in the Leaks?

We have compiled the most critical information the leaks contain.

Chat Logs

The leaks contain chat logs in JSON format starting from June 2020: 2,103 JSON files spread across three separate files. The logs are in Russian, but members of the cyber community have translated all of them into English.

You can reach the translated logs here: https://github.com/tsale/translated_conti_leaked_comms

Screenshot showing the leaked chat logs

In multiple files, Conti members discuss TTPs for carrying out attacks with Cobalt Strike. The tactics mentioned in the chat logs include Active Directory enumeration with AdFind, brute-force attacks with SMBAutoBrute, kerberoasting, SQL database enumeration with sqlcmd, pass-the-hash attacks with Mimikatz, and many more.
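Two of the techniques named above, kerberoasting and SMB brute force, leave recognizable traces in Windows Security logs, and a defender can alert on them without knowing the tool in use. The following is an added example (not SOCRadar's code and not anything from the leak) showing that detection logic run over constructed event records. The records mimic the fields of event 4769 (Kerberos service ticket request) and 4625 (failed logon); the thresholds and window sizes are assumptions to tune per environment.

```python
"""Detection logic for two techniques named in the leaked Conti chats:
kerberoasting and SMB brute force. Added example, not code from SOCRadar or
from the leak. Events are constructed to mimic Windows Security events 4769
(Kerberos service ticket request) and 4625 (failed logon); thresholds are
assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

KERB_WINDOW = timedelta(minutes=5)
KERB_MIN_SPNS = 3           # distinct RC4 service tickets from one account
BRUTE_WINDOW = timedelta(minutes=5)
BRUTE_MIN_FAILURES = 5      # failed logons from one source address


def _ev(event_id, time, user, ip, spn=None, enc=None):
    """Build a constructed event record in a Windows-like shape."""
    return {"EventID": event_id, "Time": time, "TargetUserName": user,
            "IpAddress": ip, "ServiceName": spn, "TicketEncryptionType": enc}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # jsmith requests RC4 (0x17) tickets for four SPNs within seconds:
    # the pattern a kerberoast tool produces when it harvests every SPN.
    _ev(4769, "2022-03-01T10:00:01", "jsmith", "10.0.0.5", "MSSQLSvc/db01.corp.example", "0x17"),
    _ev(4769, "2022-03-01T10:00:02", "jsmith", "10.0.0.5", "HTTP/web01.corp.example", "0x17"),
    _ev(4769, "2022-03-01T10:00:03", "jsmith", "10.0.0.5", "CIFS/file01.corp.example", "0x17"),
    _ev(4769, "2022-03-01T10:00:04", "jsmith", "10.0.0.5", "MSSQLSvc/db02.corp.example", "0x17"),
    # An AES (0x12) request and a lone RC4 request: normal traffic, no alert.
    _ev(4769, "2022-03-01T10:01:00", "alice", "10.0.0.6", "HTTP/web01.corp.example", "0x12"),
    _ev(4769, "2022-03-01T10:02:00", "bob", "10.0.0.7", "MSSQLSvc/db01.corp.example", "0x17"),
    # 10.0.0.77 fails logons against six accounts in six seconds: SMB spraying.
    *[_ev(4625, f"2022-03-01T10:05:0{i}", user, "10.0.0.77")
      for i, user in enumerate(["administrator", "admin", "backup", "jsmith", "svc_sql", "guest"])],
    # Two mistyped passwords from one workstation: below threshold.
    _ev(4625, "2022-03-01T10:06:00", "carol", "10.0.0.9"),
    _ev(4625, "2022-03-01T10:06:30", "carol", "10.0.0.9"),
]


def _first_window(items, window, predicate):
    """Slide a time window over (time, value) pairs sorted by time and return
    the values of the first window for which predicate(values) holds, or None."""
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        values = [v for t, v in items[i:] if t - t0 <= window]
        if predicate(values):
            return values
    return None


def detect_kerberoast(events, window=KERB_WINDOW, min_spns=KERB_MIN_SPNS):
    """One alert per account that requested RC4-encrypted service tickets for
    at least min_spns distinct SPNs inside the window. RC4 requests are rare
    in an AES-only domain, which is what makes them a usable signal."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    alerts = []
    for user, reqs in by_user.items():
        spns = _first_window(reqs, window, lambda vs: len(set(vs)) >= min_spns)
        if spns is not None:
            alerts.append({"rule": "kerberoast", "user": user, "spns": sorted(set(spns))})
    return alerts


def detect_brute_force(events, window=BRUTE_WINDOW, min_failures=BRUTE_MIN_FAILURES):
    """One alert per source address with at least min_failures logon failures
    inside the window. The distinct-account count separates a password spray
    (many accounts, few guesses each) from a single-account guess."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["Time"]), e["TargetUserName"]))
    alerts = []
    for src, fails in by_src.items():
        users = _first_window(fails, window, lambda vs: len(vs) >= min_failures)
        if users is not None:
            alerts.append({"rule": "smb_brute_force", "source": src,
                           "failures": len(users), "accounts": len(set(users))})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS) + detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the kerberoast rule fires once (jsmith, four SPNs) and the brute-force rule fires once (10.0.0.77, six failures across six accounts); the AES request, the lone RC4 request and carol's two typos stay silent. The RC4 filter is the important design choice: in a domain where service accounts are configured for AES, a burst of 0x17 tickets from one user is far more specific than ticket volume alone.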

Screenshot from chat logs showing that Conti uses Kerberoast and SMBAutoBrute
Screenshot showing Conti utilizes sqlcmd scripting

You can reach the Cobalt Strike commands and LOLBins Conti used here:

https://github.com/soufianetahiri/ContiLeaks/blob/main/cobaltsrike_lolbins

Screenshot from Conti’s Cobalt Strike commands

Training Files and Videos

The leaks also include internal training files and training videos designed to turn out more hackers working for Conti.

Internal Software

Internal Software Conti uses including local database credentials

In one folder inside the leaks, we can see several Git repositories of internal software used by Conti (even threat actors use version control!). Most of the code inside this folder is written in PHP, and most of the folders contain open-source software used by Conti.

Screenshots

The leaks also include multiple screenshots from Conti’s operations. Below, you can see a screenshot from Conti’s Cobalt Strike panel and a screenshot from Conti’s recovery chat panel.

Screenshot from Conti’s Cobalt Strike panel
Screenshot from Conti’s Recovery Chat panel

In addition, the leaks contained another interesting screenshot: a web panel that had never been seen before. The panel shows that Conti actively tracks the top antivirus products used by its victims and the victims’ operating systems. The lesson is that keeping the software you use up to date and patching vulnerabilities is crucial, since Conti tracks which software you use and will exploit any unpatched vulnerability it finds.

One of Conti’s never before seen web panels

Conti Locker and Decryptor

Most importantly, the Conti Locker and Decryptor software was leaked. The leaked archive was initially encrypted, but people in the cyber community decrypted it and published the decryption key. From the files, we can see that the locker encrypts data with a variant of the ChaCha20 algorithm.

Screenshot of a tweet showing the contents of the decrypted Conti Locker Software

Unfortunately for Conti’s previous victims, having the locker and decryptor software does not mean that they can decrypt their files without the decryption keys. The locker is responsible for encrypting the data and generating the decryption keys, whereas the decryptor is responsible for decrypting the data with those keys. Apart from private test keys, no decryption keys were found in the leaked files.

Bitcoin Addresses

Multiple Bitcoin addresses that Conti uses to receive ransom payments were found in the leaked files.

Thanks to the open-source, crowdfunded ransomware tracker ransomwhe.re and the Bitcoin addresses discovered in the leak, we can see and track the transactions Conti has received throughout its operations. Conti has received approximately 50 million US dollars in ransom, and that is only the tip of the iceberg: the amount we can see and calculate.

Screenshot showing the total payments several ransomware groups have received

Is This The End For Conti?

With the leaks coming in every day and providing details of how the notorious ransomware group Conti works, we can say that the cyber community has gained more insight into preventing Conti from breaching networks. The community now knows which tools they use, which vulnerabilities they exploit, and which attacks they launch. However, is this all of Conti’s TTPs and capabilities? Assuming it is not is the best course of action we can take; the invisible part of the iceberg is still to be unraveled.

These leaks will not take Conti down permanently, but they will slow Conti’s operations and weaken the organization. There is a chance that they will shut Conti down and build a brand-new organization under a new name, still operating as a ransomware group.

IOCs

You can reach all the IOCs found in the Conti leak files, compiled by SOCRadar’s analysts, below.

https://safebin.co/raw/uvavapaviz

Conti’s MITRE Mappings

Initial Access
  T1566      Phishing
  T1190      Exploit Public-Facing Application

Execution
  T1106      Execution through API
  T1059.003  Command and scripting interpreter: Windows command shell
  T1047      Windows Management Instrumentation
  T1204      User execution
  T1053.005  Scheduled task/job: scheduled task

Persistence
  T1053.005  Scheduled task/job: scheduled task

Privilege Escalation
  T1078.002  Valid accounts: domain accounts

Discovery
  T1083      File and directory discovery
  T1018      Remote system discovery
  T1057      Process discovery
  T1016      System network configuration discovery
  T1069.002  Permission groups discovery: domain groups
  T1082      System information discovery
  T1033      System owner/user discovery
  T1012      Query registry
  T1063      Security software discovery

Credential Access
  T1003      OS credential dumping
  T1555      Credentials from password stores
  T1552      Unsecured credentials

Lateral Movement
  T1570      Lateral tool transfer
  T1021.002  Remote services: SMB/Windows admin shares

Defense Evasion
  T1562.001  Impair defenses: disable or modify tools
  T1140      Deobfuscate/Decode files or information
  T1055      Process injection

Command and Control
  T1071      Application Layer Protocol
  T1219      Remote access software

Exfiltration
  T1567.002  Exfiltration over web service: exfiltration to cloud storage

Impact
  T1486      Data encrypted for impact
  T1489      Service stop
  T1490      Inhibit system recovery

Source: TrendMicro

Suggestions and Mitigations

Now that we have taken a peek at Conti’s operations, we have more insight into their TTPs. Conti actively exploits legacy vulnerabilities such as ZeroLogon, EternalBlue (MS17-010), Log4j, and many more. SOCRadar’s analysts suggest you upgrade the software your company uses to the latest release to stop cyberattacks that exploit unpatched vulnerabilities.

The cyber community has collected all the CVEs (vulnerabilities) discussed in Conti’s leaked chat logs. Below, you can access the CVEs that Conti members actively discussed within their organization. SOCRadar’s analysts suggest you scan your organization’s infrastructure to detect potentially vulnerable endpoints and prevent cyberattacks.

https://pastebin.com/raw/pv1mDGYC

Thanks to the leaks, we now have access to various Conti IOCs, such as IP addresses, Tor domains, and e-mail addresses. To prevent Conti affiliates from accessing your organization’s endpoints, we suggest integrating the IOCs shared by SOCRadar into your SIEM, XDR, and EDR systems.
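Feeding a list of IP addresses, domains and e-mail addresses into a SIEM comes down to normalizing the list (shared indicators are often defanged with `[.]` and `hxxp`) and matching it against what the logs record. The following is an added example of that matching, not SOCRadar's integration code; the IOC list and the proxy, DNS and mail log lines are constructed placeholders (RFC 5737 addresses and reserved test names), not indicators from the Conti leak.

```python
"""Match a threat-intelligence IOC list against log lines. Added example, not
SOCRadar's feed integration or tooling. Both the IOC list and the log lines
are constructed placeholders (RFC 5737 addresses and reserved test domains),
not indicators from the Conti leak."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed IOC list in the loose, partly defanged form shared feeds often use.
RAW_IOCS = """
# ip addresses
203.0.113.45
198.51.100[.]23
# domains and urls
malicious-example[.]onion
hxxp://bad-example.test/payload
# e-mail addresses
contact@bad-example.test
"""

# Constructed proxy, DNS and mail log lines.
SAMPLE_LOGS = [
    "2022-03-10T09:12:01 proxy src=10.1.2.3 dst=203.0.113.45 url=http://203.0.113.45/index.php",
    "2022-03-10T09:13:44 dns client=10.1.2.9 query=bad-example.test type=A",
    "2022-03-10T09:15:02 mail from=contact@bad-example.test to=cfo@corp.example subject=Invoice",
    "2022-03-10T09:16:10 dns client=10.1.2.9 query=updates.microsoft.com type=A",
    "2022-03-10T09:17:30 proxy src=10.1.2.4 dst=198.51.100.23 url=http://198.51.100.23/",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value):
    """Undo the common defanging conventions so indicators compare as logs write them."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(raw):
    """Sort raw feed lines into ip / domain / email sets; URLs contribute their host."""
    iocs = {"ip": set(), "domain": set(), "email": set()}
    for line in raw.splitlines():
        line = refang(line.strip())
        if not line or line.startswith("#"):
            continue
        if "@" in line:
            iocs["email"].add(line.lower())
        elif re.match(r"https?://", line):
            iocs["domain"].add(urlparse(line).hostname.lower())
        else:
            try:
                iocs["ip"].add(str(ipaddress.ip_address(line)))
            except ValueError:          # not an address, so treat it as a domain
                iocs["domain"].add(line.lower())
    return iocs


def match_logs(lines, iocs):
    """Return (line_number, ioc_type, value) for every indicator seen in the logs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in iocs["ip"]:
                hits.append((number, "ip", ip))
        for email in sorted(set(EMAIL_RE.findall(line))):
            if email.lower() in iocs["email"]:
                hits.append((number, "email", email))
        # Strip e-mail addresses first so their domain part is not reported twice.
        rest = EMAIL_RE.sub(" ", line)
        for domain in sorted(set(DOMAIN_RE.findall(rest))):
            if domain.lower() in iocs["domain"]:
                hits.append((number, "domain", domain))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, parse_iocs(RAW_IOCS)):
        print(hit)
```

On the constructed input this reports four hits: the proxy connection to 203.0.113.45, the DNS query for bad-example.test, the mail from contact@bad-example.test, and the connection to 198.51.100.23 (listed defanged in the feed, so the refanging step is what makes that match). The line for updates.microsoft.com produces nothing. In a real deployment the same normalization belongs at ingestion time so the feed can be loaded into the SIEM's lookup table once rather than re-parsed per query.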

Lastly, we have seen that Conti commonly uses brute-force attacks to obtain the credentials it uses to gain access to victims’ networks. We suggest training your employees to use strong, unique passwords to raise your security posture to the next level.
