[German]The PRODAFT Threat Intelligence (PTI) team has published a new report on the internal structures and inner workings of the Conti ransomware group. They are currently among the most dangerous ransomware criminals. Now, the infrastructure through which the ransomware group receives its ransom payments is said to be offline and shut down.
Advertising
The Conti ramsomware and group
The group behind the Conti ransomware is considered to be the successor of the Ryuk gang, targets Windows systems with its malware and is quite successful. Once it succeeds in infecting a system, it tries to delete Volume Shadow Copies. After that, the malware tries to terminate a number of services using Restart Manager. This is to ensure that the files used by the services can be encrypted. Conti ransomware then disables real-time monitoring and tries to uninstall Windows Defender.
By default, all files on local and networked server Message Block drives are encrypted, ignoring files with DLL, .exe, .sys and .lnk extensions. The software uses a proprietary AES-256 implementation that uses up to 32 individual logical threads, making it much faster than most ransomware. The malware can also target specific drives and individual IP addresses.
Operations by the group have been known since 2020. The group behind Conti has been operating a website since 2020, from which it can publish documents copied by the ransomware from victim systems. Through this track, the cyber criminals additionally try to extort victims.
In May 2021, the FBI issued a warning that the Conti ransomware group, which recently crippled the Irish healthcare system, had also attacked at least 16 healthcare and first responder networks in the U.S. in the previous year (see also Healthcare facilities prime target for ransomware attacks).
At the beginning of October 2021, the Conti Gang's threat became known that victims' data would be published immediately if any of the extortion became public. In the case of the Japanese electronics company JVCKenwood, screenshots of the ransomware had become public – causing the criminals to break off negotiations and publish the captured documents.
Advertising
According to this latest report, the Conti gang has already extorted at least $25.5 million from victims since July 2021. The dissemination route is still not entirely clear, according to Wikipedia. But the US CISA has published some methods (spear phishing, Word attachments, RDP accesses) for spreading.
First leaks, now details public
In early August 2021, a suspected disgruntled Conti gang member probably leaked internal documents to a Russian underground forum, giving investigators their first clues about the operation and infrastructure. Now I just read on Twitter that the PRODAFT Threat Intelligence (PTI) published a report about the Conti group.
The 37-page report (PDF) file can be downloaded from the website in question. It does ask for an email address, but you can close the popup.
The starting point for this report was that the PTI team noticed an increase in Conti attacks and therefore started analyzing the group in September 2021. The team discovered a vulnerability in the recovery servers Conti uses and used this vulnerability to discover the real IP addresses of the hidden service that hosts the group's recovery website.
As a result, the PRODAFT Threat Intelligence (PTI) team gained valuable insight into the inner workings of the Conti ransomware group. The report
provides unprecedented details about how the Conti ransomware gang operates, how they choose their targets, how many targets they have attacked, and more. For example, affiliates of the group give 10-30% of ransoms as commission to the holders of the Ransomware as a Service (RaaS) infrastructure in successful attacks.
During the analysis, the PTI team discovered several victims' chat sessions and was able to grab the credentials for MEGA accounts used in the extortion of victims' data. The team was able to determine the connecting IP addresses, dates, purchase method, and software used to access the file-sharing and uploading service.
The Conti gang would not use Windows. The PTI team was able to determine the details of the operating system of the server, that hosts the hidden TOR service for Conti. The host is a Debian server with the hostname "dedic-cuprum-617836." The analysts believe that the numerical value at the end of the host name is an invoice number for the server, which was assigned by the hosting company ITLDC.
I've cross read the report once, it's amazing all the details included. Everything the analysts at PRODAFT Threat Intelligence (PTI) do not disclose a report. A number of information is probably in a confidential report that was forwarded to law enforcement. This is where it gets interesting. Security researcher Kevin Beaumont points to PTI's just-released report and writes that the infrastructure used by the Conti gang to process payments was shut down. I wonder if law enforcement was active there? We'll find out for sure in the coming hours and days.
