The involuntarily disclosed internal communication of a cybercrime gang reveals organisational and technical deficits. This could be very useful for law enforcement agencies.
A Russian hacker group, of all things, recently learned what it means to be a victim of cyber espionage. Ranked by the FBI as one of the three most dangerous cybercrime gangs in 2021, the Conti group hit the headlines shortly after the Ukraine conflict began. A leak of several gigabytes of chat logs and documents made them public.
The Conti group focuses on ransomware and concentrates on big fish: the targets are primarily financially strong corporations, from which ransoms in the millions are demanded. More than 1,000 organisations are said to have been successfully attacked so far, with the looted sums amounting to hundreds of millions of US dollars.
Unpaid invoices and leaked Bitcoin addresses
Conti's operation is highly profitable, yet the group struggles with self-inflicted problems. The chat logs show, for example, that they repeatedly lose numerous infected systems, so-called bots, through their own failures: bills are regularly overlooked and thus not paid. This concerns virtual servers, domain registrations, VPN access and similar cloud resources. Since the bots usually connect to the controlling servers via domain names reserved for this purpose, a few thousand bots are quickly lost once such domains expire. Employees therefore regularly ask for the Bitcoin accounts used for payments to be topped up, but this often happens too late or not at all. Managers are well aware of the problem. One of them wrote to the head of the Conti group, who acts under the alias "Stern": "We have all the possibilities and the best conditions, we just have to become more professional". According to experts, the Bitcoin addresses that have become known in this context should be very useful to law enforcement agencies, for example to track the group's profits.
NSA throws a spanner in the works
The group has long been the focus of investigative authorities, who keep making life difficult for it. While the authorities are usually very cautious with details of their operations, the chat logs show what they have been able to achieve with clever measures. According to the logs, the FBI and NSA succeeded some time ago in infiltrating the group or gaining access to its systems, as the group's managers complain. As early as 2020, the NSA gained control over the TrickBot botnet, which Conti also uses. After extensive analysis of the network, NSA specialists finally sent all bots the order to log off from the botnet. Before that, the botnet's databases, in which victims' data was stored, had been flooded with vast amounts of fake data. Other measures included encrypting important configuration files. At the same time, new configuration files were created that caused the bots to idle and thus be unable to cause any damage. To prevent these configurations from being replaced, they were given the highest possible version number: since a bot only accepts a configuration with a higher version number than its current one, no valid newer version could exist. Weeks passed before the botnet became operational again after such measures, because new Windows systems first had to be infected and turned into bots. To do this, the group commissions phishing campaigns from underground providers. This illustrates how such groups operate with a division of labour, carrying out only part of the operations themselves and buying the rest as cybercrime-as-a-service.
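A toy model of the version-gated configuration update described above, added here as an illustration; it is not code from the leak, from TrickBot or from the article. The 32-bit version field, the config layout and the domain names are assumptions.

```python
"""Constructed model: why a config with the maximum version number pins a bot idle."""
from dataclasses import dataclass, field

MAX_VERSION = 2**32 - 1  # assumption: the version is an unsigned 32-bit field


@dataclass
class Config:
    version: int
    c2_hosts: tuple  # controller domains (constructed); empty means nothing to contact
    idle: bool = False


@dataclass
class Bot:
    config: Config
    rejected: list = field(default_factory=list)

    def apply_update(self, new: Config) -> bool:
        """Accept only a strictly higher version number, as the article describes."""
        if new.version <= self.config.version:
            self.rejected.append(new.version)
            return False
        self.config = new
        return True

    def is_active(self) -> bool:
        return not self.config.idle and bool(self.config.c2_hosts)


def pin_idle_config(bot: Bot) -> bool:
    """Defender push: an idle config carrying the highest possible version number."""
    return bot.apply_update(Config(version=MAX_VERSION, c2_hosts=(), idle=True))


def simulate() -> dict:
    bot = Bot(Config(version=1042, c2_hosts=("c2-a.example", "c2-b.example")))
    active_before = bot.is_active()
    pinned = pin_idle_config(bot)
    # Operators try to regain control with ever higher version numbers; none can exceed MAX_VERSION.
    attempts = [Config(version=v, c2_hosts=("c2-c.example",)) for v in (1043, 50_000, MAX_VERSION)]
    recovered = any([bot.apply_update(cfg) for cfg in attempts])
    return {
        "active_before": active_before,
        "pinned": pinned,
        "active_after": bot.is_active(),
        "recovered": recovered,
        "rejected_updates": len(bot.rejected),
    }
```

The only way out for the operators is the one the article describes: infecting fresh systems, since the pinned bots never accept another configuration.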
Being in the business of exploiting security problems, and being exposed to threats themselves, Conti's managers pay strict attention to extensive security measures. The budget for security software amounts to several thousand dollars per month. For example, an endpoint detection and response (EDR) tool must be installed on every admin computer. As a Conti manager writes in the chats, however, this also explicitly serves to monitor employees.
Details on internal structures of the Conti Group are described in the article "Conti leaks revealed: Cybercrime starting salary at 2,000 US dollars".
One of the most detailed analyses of the Conti chats comes from security expert Brian Krebs.
Author: Uwe Sievers