The security community has had a rare glimpse into the inner workings of the Conti ransomware group through leaked chat messages and files. Conti has been a highly profitable extortion operation, with reported earnings of at least $25.5 million since July 2021 according to Prodaft's Ransomware Group In-Depth Analysis Report from November of last year.
In February, however, Conti publicly voiced support for Russia's invasion of Ukraine, a decision that had serious consequences for the group. Within days of declaring its allegiance, the group's internal server was compromised and thousands of private chat logs, along with source code, were posted by a newly created Twitter account, @ContiLeaks. The person behind the leaks remains anonymous but is thought to be a former member of the group, or someone with privileged access to Conti's internal infrastructure. The leaked logs and files offer an unusually close look at how Conti is organized and selects its victims, its day-to-day operations and possible ties to the Kremlin, its plans to build a social network and cryptocurrency platform of its own, and its ambitions to expand beyond corporate extortion.
Understanding How the Conti Group Operates
Like many ransomware crews, Conti runs a ransomware-as-a-service (RaaS) business. This includes:
- Hiring operators, access brokers, and negotiators to manage and execute the various stages of an attack campaign,
- Developing malware in-house and licensing it to affiliates in exchange for a share of each successful ransom, and
- Using double extortion: data is exfiltrated before it is encrypted, and victims who refuse to pay are publicly shamed and have the stolen data leaked online.
Overview: Conti Ransomware Attacks Methods
The Conti group relies on well-known initial-access methods, including:
- Phishing emails and social engineering. Operators often reconnoitre a target first, collecting intelligence to craft tailored phishing lures and customized social-engineering pretexts. The intrusion begins once a recipient opens a malicious attachment and its payload executes.
- Remote Desktop Protocol (RDP). Through an RDP service exposed to the internet without adequate protection, Conti logs into the victim's network and then moves laterally, working its way deeper into the environment.
- Software and hardware vulnerabilities. Conti also exploits unpatched systems and known vulnerabilities to gain access; once inside, it exfiltrates and encrypts data on compromised machines.
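As an added example (not code from the article, from Conti, or from any Conti lure), here is a small triage check in Python for one tell that the phishing vector above relies on: a hyperlink whose visible text names one domain while its destination is another. The HTML body and the domain names in it are constructed for the example; the eTLD+1 helper is deliberately crude and a production tool should use the Public Suffix List.

```python
"""Flag hyperlinks in an HTML e-mail body whose visible text names one
domain while the href points at another.

Added illustration; the sample body is constructed and the heuristic is a
generic phishing-triage check, not anything taken from the Conti leaks.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the second link claims to go to the bank's login
# page but actually resolves to an attacker-controlled host.
SAMPLE_HTML = """
<p>Your invoice is overdue. Review it at
<a href="https://portal.example-bank.com/invoices">https://portal.example-bank.com/invoices</a>
or sign in via <a href="http://login.example-bank.com.evil-host.net/">login.example-bank.com</a>.</p>
<p>Questions? <a href="mailto:billing@example-bank.com">Contact billing</a></p>
"""

# Pulls the first thing that looks like a hostname out of link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for the example only;
    a real tool should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body: str) -> list:
    """Return one finding per link whose text domain != destination domain."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. carry no host to compare against
        href_dom = registered_domain(parsed.hostname or "")
        m = _DOMAIN_IN_TEXT.search(text)
        if not m:
            continue  # visible text names no domain, so nothing to contradict
        text_dom = registered_domain(m.group(1))
        if text_dom != href_dom:
            findings.append({"text": text, "href": href,
                             "claims": text_dom, "resolves_to": href_dom})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: text says {f['claims']!r} but link goes to "
              f"{f['resolves_to']!r} ({f['href']})")
```

Run against the constructed body, the check passes the first link (text and href both resolve to example-bank.com), ignores the mailto: link, and flags only the second one, whose href lands on evil-host.net. This is a heuristic, not a verdict: shortened URLs and tracking redirects will also trip it, so treat a hit as a reason to look closer rather than an automatic block.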
How to Protect Yourself and Your Clients
To harden your infrastructure, the following cyber-hygiene practices are recommended:
- Practice strict email hygiene and be wary of phishing attempts. Look out for emails that ask for sensitive information, contain links whose visible text does not match the destination domain, use an urgent tone, and/or include unsolicited documents or attachments.
- Audit every externally reachable access path (RDP, VPN, web portals) and treat any that lacks multi-factor authentication (MFA) or runs software with known vulnerabilities as a priority finding.
- Monitor for rogue remote-administration and data-transfer tools running outside normal business hours, particularly in the middle of the night or very early in the morning, and especially on hosts or under accounts that have no routine need for them.
- Keep software up to date and prioritize patching. Make sure patching and upgrade activities are completed for internet-facing firewall and VPN appliances in particular.
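As an added example of the off-hours monitoring advice above (not code from the article or from any Conti tooling), here is a Python script that runs over process-creation events and flags watchlisted admin tools launched at night or on weekends. The log lines are constructed; the tool watchlist, the key=value log format, and the 07:00-19:00 Monday-to-Friday business window are assumptions to be tuned to your own environment.

```python
"""Flag executions of remote-admin and data-transfer tools outside business hours.

Added illustration for the off-hours monitoring recommendation; the log
lines are constructed, and both the watchlist and the business-hours
window are assumptions to be tuned to your environment.
"""
import re
from datetime import datetime, time

# Assumed watchlist: dual-use tools that most environments have no reason
# to launch at 3 a.m. Adjust to what your own IT team legitimately uses.
WATCHLIST = {"psexec.exe", "psexesvc.exe", "anydesk.exe", "rclone.exe", "plink.exe"}

# Assumed business window (local time), Monday (0) through Friday (4).
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}

# Constructed process-creation events in a simple key=value format.
# 2022-03-10 is a Thursday, 03-11 a Friday, 03-12 a Saturday.
SAMPLE_LOG = """\
2022-03-10T09:15:02 host=WS17 user=jdoe image=C:\\Program Files\\AnyDesk\\AnyDesk.exe
2022-03-10T13:40:11 host=FS01 user=svc_backup image=C:\\Tools\\rclone.exe
2022-03-11T02:13:44 host=FS01 user=svc_backup image=C:\\Windows\\Temp\\rclone.exe
2022-03-11T03:02:09 host=DC01 user=DC01$ image=C:\\Windows\\PSEXESVC.exe
2022-03-11T02:20:17 host=FS01 user=svc_backup image=C:\\Windows\\System32\\svchost.exe
2022-03-12T10:30:00 host=WS03 user=mlee image=C:\\Users\\mlee\\Downloads\\AnyDesk.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def offhours_reason(ts: datetime):
    """Return why a timestamp is outside the window, or None if it is inside."""
    if ts.weekday() not in WORKDAYS:
        return "weekend"
    if not (BUSINESS_START <= ts.time() < BUSINESS_END):
        return "night"
    return None


def image_basename(image: str) -> str:
    """Lower-cased file name of an executable path, Windows or POSIX style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str):
    """Parse one key=value log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "image": m["image"]}


def find_offhours_admin_tools(log_text: str) -> list:
    """Return watchlisted tool launches that fall outside business hours."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        tool = image_basename(ev["image"])
        if tool not in WATCHLIST:
            continue
        reason = offhours_reason(ev["ts"])
        if reason is None:
            continue  # same tool during the day is business as usual here
        findings.append({**ev, "tool": tool, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_offhours_admin_tools(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['host']:<5} {f['user']:<11} "
              f"{f['tool']:<13} ({f['reason']}) {f['image']}")
```

On the constructed log this yields three alerts: rclone and PsExec's service binary at 2 and 3 a.m. on a Friday, and AnyDesk on a Saturday morning; the same AnyDesk and rclone launches during the Thursday workday are left alone. Note the rclone hit comes from C:\Windows\Temp rather than the admin team's usual tools directory, which is the kind of detail worth adding as a second signal once the time-of-day rule is in place.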