The Conti Leaks: A Case of Cybercrime’s Commercialization

This past year saw substantial growth in ransomware incidents. Verizon's DBIR reported that 2021-2022 saw a 13% increase, approximately the same level of growth observed in the last five years combined. 

Verizon's researchers took a closer look at this trend and unearthed some useful context. First, they found that ransomware had been present in about 70% of malware breaches over the previous year. Approximately two in five ransomware incidents used desktop sharing software and involved a confidentiality compromise with respect to the CIA Triad. Slightly fewer (35%) leveraged email as an attack vector.

What's Behind The Rise in Ransomware?

An important cause of ransomware's growth is the shift towards commercialization of cybercrime. Indeed, many of the most prolific cybercriminal groups have undergone significant changes in operations to scale efforts and expand revenue. In several instances, public reporting has shown these groups incorporating divisions previously associated with legitimate corporations including HR departments with recruiters, finance and accounting, as well as negotiators to coordinate ransom payment. Beyond these structures, likely the most significant trend has been the shift to Ransomware as a Service (RaaS), which has seen groups lease out malware to affiliates who conduct intrusions and share profits with the developers (often in a 70-30 split).

The below graphic depicts the RaaS relationship and the part that initial access brokers (IABs) play in greater detail.

Affiliates IAB graphic

 

Source: Alan Liska, Ransomware: Understand. Prevent. Recover.

Several sources of evidence point to cybercrime's growing commercialization but none as explicitly as the recent Conti leaks. Let’s examine what insights it offered below.

Overview of Conti RaaS

Conti was a notorious RaaS operation that used double extortion to pressure victims into paying up. It also appears to have had ties to other malware outfits, most notably TrickBot.

Conti ransom note template graphic

Conti ransom note template (Source: Bleeping Computer)

Following Russia's invasion of Ukraine on February 24, 2022, the Conti operators announced their "full support" for Russia. Just a few days following this commitment, a Twitter account dubbed "Contileaks" dumped an archive of chat messages taken from Conti's internal communications dating back to the beginning of 2021, as reported by KrebsonSecurity. It also published additional internal chats from 2020.

In the months that followed, Conti's handlers began dismantling their operations. In May 2022, Bleeping Computer wrote that the larger Conti platform had shut down and rebranded into several smaller units, gaining even greater mobility (and evasion from law enforcement) for its members. It was about a month after that when the RaaS operation shut down its data leaks and negotiation infrastructure.

Findings of the Conti Leaks

The Conti leaks have provided several important insights into how a major RaaS group carries out its operations. These include how Conti ran its "office" and how it worked to improve its "product."

Distinct Employees with Distinct Goals

In the second part of his investigation on the Conti leaks, KrebsonSecurity revealed that Conti's handlers divided their operations into several business units and brought on staff with specific skill sets. For example, it hired programmers as "Coders" to write malicious code and integrate different technologies, while it relied on "Testers" to validate how the ransomware payload performed against security technologies. The operation also had "Administrators," "Reverse Engineers," and "Penetration Testers/Hackers" working internally, with spamming functions contracted outside the organization. Each of those departments had its own budget, though business units were able to borrow funds from one another.

According to a Conti insider, the gang employed more than 60 people – mostly Coders and Testers – in July 2021. That number didn't remain consistent, however, as the group sometimes let people go following internal security breaches.

Streamlined Operations to Improve Their 'Product'

The third installment of KrebsonSecurity's analysis revealed that the Conti gang took several steps to improve its "product" on an ongoing basis. These initiatives included the following:

  • Allocating $60,000 to acquire a valid license for the Cobalt Strike network penetration testing and reconnaissance tool.
  • Budgeting several thousand dollars each month to pay for security and antivirus software that the "Testers" could use for their evaluations.
  • Redefining the focus of the "Reverse Engineers" in July 2021 to concentrate on Windows 11, Microsoft's newest operating system at the time.

The MS-ISAC Perspective on the Conti Leaks

To get more insight into the Conti leaks, we sat down with the Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC). Here's what they had to say.

How does commercialization help malicious actors like Conti's operators?

Organized ransomware groups operating in a corporate structure allow cybercriminals to conduct highly impactful attacks at scale. For example, instead of expending time and resources on gaining initial access to a victim’s environment, a ransomware group can outsource this work by purchasing already established access from IABs. As a result, ransomware affiliates tasked with conducting attacks are able to increase their number of victims, creating a more dangerous cyber threat landscape for network defenders.

Operating through affiliates offers several benefits to the RaaS operator. Principally, because they're not conducting intrusions themselves, they're able to offload risk and dramatically increase the number of potential targets, as there's theoretically no limit to the number of affiliates who can carry out these intrusions. This allows the developers to focus efforts and capital on developing and retooling their software, thereby reinvesting in the enterprise.

Has the MS-ISAC seen evidence of cybercrime's commercialization in the daily work of supporting members? If so, what has this looked like?

Yes, the MS-ISAC regularly receives reporting about SLTT ransomware attacks involving sophisticated RaaS groups like Conti. From mid-2020 through January 2022, for instance, 22 Conti-related SLTT ransomware attacks were reported to the MS-ISAC, impacting organizations ranging from municipal governments to education facilities. Open-source reporting indicates that the “Conti group” is also tied to the Ryuk ransomware variant, which impacted an additional 89 SLTT government entities from late 2018 through mid-2021. To this day, other RaaS groups continue to attack SLTT governments, including at least 23 ransomware attacks associated with the LockBit 2.0 variant since August 2021.

Where does cybercrime's commercialization put an emphasis for the future? 

I would say it only increases the victim set. Ultimately, there's no silver bullet against ransomware. But SLTTs can still do their best to have their bases covered and put themselves in the best position to prevent and react to breaches when they occur. That means becoming members of the MS-ISAC so they can receive our products, leverage our resources, and deploy appropriate protections. For our team, we need to watch closely for shifts in tactics, techniques, and procedures (TTPs) that could catch members by surprise, and we need to provide the timely intelligence and guidance that will help them proactively defend their networks. If threat actors evolve, we need to, as well. This also includes things like bolstering partnerships that allow us to share timely intel with members.

The Center for Internet Security and the MS-ISAC understand the formidable threat RaaS groups present to SLTTs. They offer services and resources to help organizations better defend themselves. These include no-cost services like Malicious Domain Blocking and Reporting (MDBR), which prevents IT systems from connecting to harmful web domains and thereby helps to limit infections related to known malware, ransomware, phishing, and other cyber threats. A robust ransomware defense should also involve some form of endpoint security solution such as the CIS Endpoint Security Services (ESS), which is available to SLTTs through a partnership with CrowdStrike. Finally, the threat underscores the importance for SLTTs to implement the cybersecurity best practices found in the CIS Critical Security Controls, which are designed to prevent all types of cyber attacks.

Defending Against Ransomware Like Conti

The CTI team's thoughts on the Conti leaks point to an important truth about ransomware. Certainly, some attackers have taken it upon themselves in recent years to restructure as RaaS operations and commercialize their business functions. But for all its innovations, ransomware's aims have not fundamentally changed as a threat. Its purpose still revolves around denying access to files by encrypting infected machines. Subsequently, MS-ISAC members can use the solutions identified by the CTI team along with these resources to strengthen their defenses against ransomware going forward.