Posted on 27 Jun 2023
On 25 February 2022, a message appeared on a darknet website run by the cybercriminal syndicate known as Conti. The message pledged allegiance and support for the full-scale Russian invasion of Ukraine, announced by Russian President Vladimir Putin the day before. This short and simple show of support for Russia was the beginning of the end of one of the most prolific ransomware groups in recent years.
Over the previous 18 months, Conti had rampaged across the internet, conducting cyberattacks against businesses, educational institutions and hospitals. In 2021, it was estimated that Conti accumulated over US$180 million in payouts. In May 2022, the US Department of State offered a US$15 million reward for information leading to the identification or conviction of Conti members.
Ransomware has come a long way since a floppy disk carrying the so-called AIDS trojan arrived in the mail during the late 1980s, with a demand of US$189 to decrypt. Today, this malware comes in the form of Ransomware-as-a-Service (RaaS), which operates as a business. Conti would rent out its ransomware infrastructure, which could include an executable (the file used to deliver the ransomware), handle victim negotiations and payment, and launder the ransom payment. For this service, Conti asked for a percentage of the payment, thought to be around 30 per cent, a portion of which was reinvested in infrastructure, the tools of the trade and staff, before the cycle started again.
RaaS has become so effective that, according to the US Financial Crimes Enforcement Network, criminal groups earned US$590 million in the first half of 2021. During that same period, Conti was the most successful ransomware strain. Throughout 2021, Conti extorted around double its nearest competitor DarkSide, infamous for its attack on Colonial Pipeline in the US in May 2021. Ransomware payments are almost entirely made in cryptocurrency. Once the payment is made, the money is laundered through a number of techniques and cashed out into fiat currency, for example dollars, euros or roubles.
Cyber-extortion
Within the cybercriminal world, RaaS groups extort their victims and even practice double extortion, which involves locking down and encrypting systems while also seeking out and exfiltrating sensitive data. This means they can charge not only for the decryption key to unlock the systems, but also demand a second payment to refrain from leaking the sensitive data.
RaaS groups work with ‘affiliates’, cybercriminals who are not directly part of the RaaS structure but work alongside it. Affiliates allow RaaS groups to expand temporarily, hitting hundreds if not thousands of victims yearly. Using affiliates provides flexibility, dynamism and higher profits, but is also a vulnerability. In 2021, a disgruntled affiliate leaked a cache of internal Conti documents, including the group’s tactics, techniques and procedures, citing poor pay as the reason behind the leak.
Alongside the professionalization of ransomware, malware has also become more sophisticated. In 2021, Ukrainian cyber police released a video of an apartment raid, part of a wider law enforcement action called Operation Ladybird. The targets were those behind Emotet, a botnet once dubbed the ‘king of malware’. Such malware spreads through phishing emails and can lead to an army of millions of zombie devices, controlled by the steady hand of bot-herders operating command-and-control servers. These botnets provide criminals with access to already infected devices, becoming the unlocked gate for cybercriminals to walk through. When Emotet was taken down, ransomware attacks dipped, until the botnet suddenly returned ten months later. It has been speculated that Conti was behind the resurrection of Emotet.
Whack-a-mole
Two days after Conti pledged their support for the Russian invasion of Ukraine, things began to unravel for the group. A Twitter profile with the handle @ContiLeaks started leaking the ransomware group’s internal communication. Although there are conflicting reports on who was behind the leak – perhaps a Ukrainian security researcher or an affiliate against the war – the over 100 000 leaked files were dubbed the ‘Panama Papers of ransomware’. Over the coming months, Conti’s methodical and business-like approach disintegrated, although attacks continued, including on the networks of the Costa Rican state.
But on 19 May 2022, Conti’s websites were no longer working. It has been argued that following Russia’s invasion of Ukraine, potential victims feared violating sanctions imposed on Russia by the US and Europe. Although we will likely never know the true reasons behind Conti’s shutdown, fighting ransomware groups is like a constant game of whack-a-mole; for every destroyed group, another takes its place. They splinter, rebuild and rebrand. Ransomware did not start with Conti – and will not end with them.
For around two years the Conti ransomware group rampaged across the internet. They attacked hospitals, educational institutions, businesses, governments, and many more, raking in hundreds of millions of dollars in ransomware payments.
Business was booming for the cybercriminals. At least it was until the Russian President Vladimir Putin announced the full-scale invasion of Ukraine. The Conti leadership quickly pledged their loyalty to Russia and then everything began to fall apart.
This is the story of one of the most professional, prolific, and devastating organized cybercriminal groups in history.
Speaker(s):
Selena Larson, Senior Threat Intelligence Analyst and DISCARDED Podcast Co-host at Proofpoint
Berk Albayrak, Threat Intelligence Analyst within the PRODAFT Threat Intelligence team and expert on Wizard Spider
Conor Gallagher, Crime and Security Correspondent of the Irish Times
Allan Liska, Threat Intelligence Analyst at Recorded Future and author of Ransomware: Understand. Prevent. Recover.
Juan Ignacio Nicolossi, team leader for the Threat Intelligence Team at PRODAFT
Zoë Brammer, Cyber & Information Operations Associate at the Institute for Security and Technology (Ransomware Ecosystem Map)
Jake Moore, Global Cybersecurity Advisor for ESET
Artwork by Paulina Rosol-Barrass
Additional Reading:
Reports/Papers:
PRODAFT - Conti Ransomware Group In-Depth Analysis
PRODAFT - Wizard Spider In-Depth Analysis
Google - Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
DISCARDED Podcast (Proofpoint) - Defending Against Cyber Criminals: Emotet’s Resurrection & Conti’s Implosion - April 12 2022
pwc - Conti cyber attack on the HSE: Independent Post Incident Review
Proofpoint - The Human Factor Report 2022 - Threat Report
Ransomware Task Force (Institute for Security and Technology) - Blueprint for Ransomware Defense
Ransomware Task Force (Institute for Security and Technology) - Combating Ransomware
Ransomware Task Force (Institute for Security and Technology) - Mapping the Ransomware Payment Ecosystem - Video: Mapping the Ransomware Payment Ecosystem & Opportunities for Friction
Ransomware Task Force (Institute for Security and Technology) - Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot
Ransomware Task Force (Institute for Security and Technology) - Gaining Ground
Book - Ransomware: Understand. Prevent. Recover.
Recorded Future - The Business of Fraud: Botnet Malware Dissemination
Recorded Future - Russia’s War Against Ukraine Disrupts the Cybercriminal Ecosystem
Sophos - The State of Ransomware 2023
Europol - Wasabi Wallet Report
Wasabi - CoinJoin Legal Concern
vmware - Emotet Exposed: A Look Inside the Cybercriminal Supply Chain
Krebs on Security - Conti Ransomware Group Diaries
Elliptic - Conti Leaks Investigation - The $19m in DAI found in an account linked to Conti Member ‘Target’
The Chainalysis 2022 Crypto Crime Report
The Chainalysis 2023 Crypto Crime Report
AdvIntel - DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
FinCEN - Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021
FinCEN - Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
(Forescout) Vedere Labs - Analysis of Conti Leaks
FATF - Professional Money Laundering