Conti is one of the most prolific ransomware operations in the threat landscape today. In a recent act of retaliation against Conti’s leaders for their support of Russia, an anonymous person leaked documentation and internal chat logs from the group. This blog post covers important phishing-related takeaways Cofense Intelligence analysts discovered in the leaks. We discuss the background of the leaks, Conti’s segmentation of the attack chain and how Conti operators use OSINT to select and harass their targets.
Background
A day after Russia began airstrikes and its ground invasion into Ukraine, Conti posted a statement of support for Russia on its public website. Although the group attempted to distance itself from the Russian government, the statement threatened retaliation if Western entities “attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” Two days later, an anonymous pro-Ukraine Twitter account published a large “leak” of Conti’s internal documentation, program code and chat logs involving Conti operators and their associates. The leaked chats include Conti’s private Jabber and Rocket Chat instance and chat logs from the TrickBot forums. They span most of Conti’s history, with logs from June to November 2020 and from January 2021 to March 2022. We examined the leaked information and identified several key takeaways from the phishing threat landscape.
Conti Intensely Favors Segmentation of the Attack Chain
In September 2021, we published a Strategic Analysis report to Cofense Intelligence customers, showing the significance of phishing and intermediate malware in ransomware attacks. Successful ransomware groups choose not to expend resources on scattered campaigns limited to encrypting only individual workstations that belong to individually compromised victims. Instead, they prefer to carefully select ransomware targets from organizations that have been compromised through phishing attacks against individual employees or that can be compromised by other intrusion methods. They use any footholds in a network to perform reconnaissance and evaluate the viability and value of a target. If the effort seems worthwhile, they perform lateral movement to maximize the volume of data and systems they can ransom.
The Jabber chat leaks show that the Conti threat group fully embraced this approach. Reconnaissance experts associated with the group search for companies with indications of revenue exceeding a certain threshold and identify individual targets. For initial exploitation, they pay other malware operators like TrickBot and Emotet to conduct phishing campaigns and establish footholds in the target organization. Conti managers distribute those footholds to a team of hackers who specialize in expanding access in remote networks and locating valuable data.
Beyond using specialists for each attack stage, Conti’s leadership showed a willingness to pay for sophisticated tools. They gave their reconnaissance staff access to business information services like ZoomInfo, SignalHire and Crunchbase Pro. Their extensive work with TrickBot eventually led them to absorb its developers into their own team, and they influenced Emotet’s return to action after its 2021 takedown by law enforcement. For their intrusion team, they illicitly acquired access to Cobalt Strike licenses. The investments appear to have paid off: according to blockchain analysis group Chainalysis, Conti’s cryptocurrency revenue in 2021 alone was estimated at $180m.
Conti Uses OSINT Research for Both Target Selection and Harassment
Conti’s OSINT researchers play an important role during multiple stages of an attack. Before infection, they help identify target organizations (ones that are likely to be willing and able to pay large ransoms). Team members aggregate data from a variety of sources in order to present summaries, including company contact information, social media pages, industry, revenue, number of employees and even website popularity ranking. For targeted organizations, they find contact information for potential phishing victims.
Once the ransomware has been successfully deployed and a victim organization has contacted Conti, the researchers identify influential figures associated with the company as targets for harassment. Conti’s negotiators reach out to these people to apply additional pressure to pay the ransom. In one case, a researcher listed two directors and two vice presidents within a victim organization, including multiple phone numbers for each one and notes from the first time they had attempted to call. To create more pressure in instances when companies refuse to negotiate, the researchers go outside the organization and identify board members or investors as targets.