Article
by the Crystal investigations team
March 31, 2022
The recent Conti internal data leaks have led to previously inaccessible findings on the inner workings of a modern-day criminal network.
Conti is an extortion group that has been observed since early 2020, and it has since been used by criminals to attack organizations throughout the world. Conti offers Ransomware-as-a-Service (RaaS), enabling affiliates to utilize its code as desired, provided that a percentage of the ransom payment is shared with the Conti operators. See a March 9, 2022 report on Conti from CISA in the US.
Around February 27, 2022, a cache of internal chat logs belonging to Conti was leaked online by an apparent insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine.
Source: https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/
The leak was shared with VX-Underground, a malware research group that collects malware samples and data. The leaked data set has about 400 files containing tens of thousands of Conti group internal chat logs in their native Russian language. The files hold about a year’s worth of messages dating back to January 2021, some six months after the group first formed in mid-2020.
Source: https://twitter.com/vxunderground/status/1498060366445613056/photo/1
Crystal’s analytics and investigations team has thoroughly assessed the leaked data and is ready to share the key insights it has been able to verify.
For many years, malware researchers have reported similarities between the Conti and Ryuk ransomware variants. However, the link was circumstantial and relied heavily on source-code similarities. Crystal’s investigations team can now reveal that the payment information contained in the leaked chats strongly supports this connection and that Conti likely tried to contact Ryuk. We also observed that Ryuk sent payments directly to a Conti wallet that was mentioned in the chat history several times; this suggests affiliation and some degree of operational coordination between the two groups. Our team will continue to investigate the potential connection between these two criminal groups.
Below are Conti conversations about the Rockford School District ransomware attack:
In other words, Conti members are asking if Ryuk had anything to do with this specific attack.
We found significant connections via blockchain payments from Ryuk-labeled wallets to Conti-labeled wallets, matching what was mentioned in the same chat logs:
Our investigations team identified connections between Conti and other significant cases, such as the Liquid Hack 2021. Hackers drained Japanese cryptocurrency exchange Liquid of $97 million worth of Ethereum and other digital coins. The company, in a tweet, announced the compromise and said it is moving assets that were not affected into more secure “cold wallet” storage.
Our initial assumption, based on the tactics used, was that Conti might not be directly connected to the theft, and there was an unknown mixer on the path from the Liquid Thief 2021. However, we were able to identify funds from the Liquid Thief being sent to Conti, most likely through a mixing service. This strongly suggests that the group or individual behind the Liquid hack may have some connection to Conti through a shared service provider.
However, such fund flows only confirm that even though Conti tried to obtain “cleaned” funds from the mixer, they received even more “red” or “dirty” funds as a result. Despite trying to obfuscate the trail of funds, they still ended up with tainted funds that would be less useful to them.
Besides that, there was a direct connection with Hydra Marketplace – we can see that Conti developers received payments from dark markets. Chatex, a sanctioned Russian exchange, was also involved in payment procedures.
We can see here that this wallet was used for a salary payment to a Conti member. We can also see that the same wallet had fund flows connected to the Hydra darknet marketplace.
The owner of the wallet above is “Cryptonator”. See the wallet on our platform:
And now let’s take a closer look at significant cases that were not publicly discussed:
According to the files, over 30 companies suffered Conti ransomware attacks. In the image above, we can see a message stating that Xerox was successfully “infected”.
The map below lists the companies that Conti tried to attack (some successfully):
Revenue Source: Sales, Dun & Bradstreet, 17 Mar 2022
Crystal will collect a full list of unconfirmed victims and share our findings. Keep an eye out for Part Two and Part Three as our team delves further into the case…
Here we can see a dialogue between several Conti members – Tramp, Pumba, Zevs, Admin (see the email list in the center column for nicknames) where they discuss six companies that they plan to attack: UMC, Beaulieu Canada, Shapiro, BUHCK, LP, and Angeleno Group.
Some of Conti’s attacks were successful and the group extracted significant payments from them. In this section, we’ve outlined some cases with payments.
Below are payment details from the HDP attack:
Below is a message from Conti members to HDP group (translation underneath). We can see the members negotiating with HDP on information and prices.
Below is a visualization of the payment transaction from HDP in Crystal’s analytics platform and the subsequent movement of funds to certain “known” entities:
Below is a payment transaction from an attack on an unnamed Canadian company – known to Conti members as Ottawa, like the Canadian city:
Below is a message thread about the “Ottawa” attack. Conti members are discussing the ransom price they sent to the unnamed Canadian company to be paid in 3 days – along with the wallet it would need to be sent to:
Below is a visualization of the payment transaction from “Ottawa” or the unnamed Canadian group in Crystal’s analytics platform and the subsequent movement of funds to certain “known” entities:
Conti members were so certain that no one outside the group would ever see their communications that there are even examples of funds being sent directly to exchanges from Conti-owned wallets, linking payments to the organization and its members. Below we can see a thread between Conti members asking for a wallet address for payment. The address is confirmed to belong to a Conti member.
On this visualization, we can see direct fund flows from Conti wallets to known exchanges:
Conti has various templates for targeting different companies, employees, and situations, and for how to extort them. To deliver malware to a targeted company or organization, Conti members first compile a list of possible pretexts and contacts that could provide access to the company’s internal networks. See the two examples of such templates used and shared by Conti below.
As ransomware attacks continue to proliferate, it is expected that we will see continued attacks in 2022. Whilst there is not yet any legal requirement prohibiting the payment of ransoms, organizations and victims of ransomware attacks are responding to such attacks by paying the ransom demand, often because payment seems the fastest route to recover from the damage and resume normal business operations.
It has become generally accepted in the information security industry, though not in government circles, that paying extortion is acceptable. The reasoning is that the attacker’s business model depends on fulfilling their end of the bargain and restoring the data and services; otherwise they gain a reputation for not honoring the deal, which discourages victims from paying. It remains, however, an ethical debate.
In cases such as Conti, the assumption is that the group is criminal and as such, the money taken as extortion will not be provided to any sanctioned or terrorist organization.
However, this argument has a profoundly different side: what if the group is linked to a terrorist organization or sanctioned entity? Where paying ransoms is not strictly illegal, financing terrorist organizations or sanctioned entities is certainly a criminal act with stringent legal consequences, not to mention far-reaching public backlash. But due to the opaque nature of extortion groups, it is often difficult to tell, and in this deniability the payer can evade scrutiny.
As regulation changes, VASPs and those being extorted are now at far greater risk of exposure for facilitating these payments: the Travel Rule requires the identities of the beneficiary and the sending organization to be transmitted between VASPs, though this could be circumvented using unhosted wallets.
This is an incredible find for any data intelligence team because it allows us to understand the inner workings of a criminal group. This information gives us an unprecedented look inside the operations of a high-profile criminal organization, a view normally beyond the reach of a non-government organization.
Access to Conti’s chat logs gives us the ability to understand the process of storing and moving assets better. In terms of opportunities for disruption, compliance teams and law enforcement agencies will have a better focus on how to stop ransomware groups from operating.
Crystal’s investigations and analytic teams will continue to evaluate such operations further and share our findings. We have a considerable amount of data to sift through so stay tuned for more information in The Conti Leaks Part Two and Three.
To find out more about our research or to get in touch about your own case you can contact Crystal’s investigations team at [email protected]