Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Beg, Borrow, Steal: Conti Leaks Reveal Ransomware Crossover
Groups Regularly Seek Partnerships, Steal Code, Borrow Ransom Notes and MoreRansomware groups get by with a little help from their cybercrime friends.
See Also: Gartner Guide for Digital Forensics and Incident Response
While calling them friends might be pushing things, ransomware-wielding criminal syndicates regularly communicate and collaborate, learn from each other's approaches and sometimes even outright steal or borrow from each other's work.
The extent of such activities has been highlighted by the leak of Conti's internal communications on Feb. 27. Credit for the leaked Jabber chat logs and source code has been taken by an anonymous Ukrainian security researcher using the Twitter handle @ContiLeaks, who said it's reprisal for the crime group publicly backing Russian President Vladimir Putin's decision to launch a war against Ukraine.
Despite the leaks, Conti appears to have carried on with its attacks, unimpeded. But the leaked communications have revealed numerous details about a 100-person-strong ransomware operation that the FBI says by January had amassed more than 1,000 victims and received over $150 million in ransom payments (see: Feds Post $10 Million Reward for Conti Ransomware Actors).
"The leaks are of an unprecedented level and show the world how a government-backed, multimillion-dollar ransomware gang operates," according to a report from cybersecurity firm Trellix's John Fokker and Jambul Tologonov. "In some fashion, it was almost like a normal business: Wages needed to be paid, software licenses obtained, customer service initiated, and strategic alliances had to be formed."
But at the same time, based on the leaked chats, they report that the head of Conti, codenamed "Stern," appears to have close ties to Russia's principal security agency, the Federal Security Service, aka FSB.
Regular 'Cooperation and Partnership'
The leaks also reveal numerous details about business arrangements between Conti and its sometime rivals. "Ransomware gangs do not operate in a vacuum," threat intelligence firm Intel 471 says in a recent blog post. "While each gang wants to make as much money as possible, there is a level of cooperation and partnership that each gang uses to ultimately boost their ill-gotten gains."
This includes partnerships and other business arrangements designed to boost everyone's profit-making potential. "Given all of the other ways ransomware gangs have followed a legitimate business model, it should not be surprising that they would strike accords or lean on each other in order to make as much money as possible," Intel 471 says.
In some cases, it's not clear if those activities were sanctioned by the leaders of a group, or perhaps involved contractors such as developers who moonlight for different cybercrime groups. As in the real world, it's likely that cybercrime groups rely on numerous participants and that their precise roles won't always be well-defined or clear.
Multiple Crossovers With Other Groups
But the leaks reveal crossovers between Conti and at least four other operations or groups.
Maze
The notorious Maze ransomware operation first appeared in May 2019 and later that year pioneered the double extortion tactic of exfiltrating data and leaking it if victims didn't pay. The group ultimately announced its retirement in November 2020.
According to the leaked Conti chats, in July 2020, a Conti team leader called "Prof" referred to negotiations with Maze that called for Maze to keep 25% to 30% of every ransom payment.
"It seems that Prof contacted developers of Maze and managed to get the ransomware build, which was later given to Conti reversers to figure out how it works and build a locker 'not worse than Maze, and even better,'" the Trellix researchers report.
If true, that means that early version of Conti might be based in part on Maze's crypto-locking malware.
In September 2020, Conti followed in Maze's footsteps - as so many other ransomware groups have done - by launching its own, dedicated data leak site.
Ryuk
When Conti first appeared at the end of 2019, experts noted that it also reused code from Ryuk, which debuted around August 2018, leading many experts to suggest that it was a spinoff.
In June 2020, Conti attacks started to surge, while the next month Ryuk attacks began to decline, which suggested there might be a changing of the guard.
Based on the leaked communications, some members of Conti appeared to be extremely well-versed in Ryuk's activities. "These chats, among others, show that high-level Conti managers were knowledgeable about Ryuk ransomware operations and most likely had direct access to the threat actors using it," Intel 471 says.
LockBit 2.0
The Conti leaks have revealed that "in November 2021, two high-level Conti managers discussed a partnership with LockBit 2.0," Intel 471 says. Their leaked conversation "lines up with what a LockBit 2.0 representative shared on an underground forum in April, where they admitted that they had been in contact with Conti representatives primarily due to interest in using TrickBot."
The precise nature and history of TrickBot - formerly often used as part of a trifecta with Ryuk and Emotet - isn't clear. But in early 2021, Conti appears to have started an arrangement with TrickBot giving it exclusive use of access to new victims' networks, and sometime later absorbed its operations, New York-based threat intelligence firm Advanced Intelligence, aka AdvIntel, has reported (see: Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware).
RagnarLocker
Not all of Conti's inspiration came from working with other ransomware-wielding groups or apparently stealing or repurposing their source code.
Impressed with Ragnar Locker's ransom note, for example, a Conti team leader in September 2021 copied portions of it, including a threat to immediately leak all stolen data if the victim attempted to contact law enforcement agencies or investigators (see: Ragnar Locker: 'Talk to Cops or Feds and We Leak Your Data').
Built to Pressure
As that highlights, ransomware-as-a-service groups continue to test new tactics for pressuring victims into paying a ransom. Ideally, victims will pay quickly and quietly, since doing so means less effort for attackers, and also because it complicates investigators' ability to track attackers' moves.
When victims do not pay, ransomware groups that run data leak sites - not all of them do - may leak the victim's identity to add pressure on them to pay and then begin leaking stolen data. If a victim still doesn't pay, the ransomware group might dump all of the stolen data and use it as a warning to future victims.
Conti, for example, last month hit the government of Costa Rica, infecting systems at multiple ministries, and then began leaking data when the government didn't pay.
"In the future I will definitely carry out attacks of a more serious format with a larger team, Costa Rica is a demo version," reads a message recently posted to Conti's data leak site. On Sunday, a tweet from Costa Rican journalist Amelia Rueda stated that Costa Rica's newly elected president, Rodrigo Chaves Robles, who was sworn in the same day, declared a national emergency. But that could not be independently confirmed. Also, it's not clear if what Chaves reportedly said equated to declaring a state of emergency or was a warning that the rising incidence of cybercrime posed a threat to national security.
Conti on its data leak site Sunday claimed another such victim: Peru's National Directorate of Intelligence.
Even if these attacks turn out to be a bust - because a victim doesn't pay - the practice of listing victims and threatening to leak their data means free publicity for ransomware groups and potentially drives future victims to avoid the public embarrassment and pay up straightaway. Ultimately, whatever arrangements different groups have in place to beg, borrow, steal or partner, the impetus remains the same: to earn an illicit profit as easily, quickly and safely as possible.