Category Archives: Hof

Conti Ransomware Group Diaries, Part II: The Office

Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

The Conti group’s chats reveal a great deal about the internal structure and hierarchy of the ransomware organization. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires.

Other Conti departments with their own distinct budgets, staff schedules, and senior leadership include:

Coders: Programmers hired to write malicious code, integrate disparate technologies
Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware.

Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.

A great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti manager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster who can be seen constantly needling the staff for reports on their work.

In July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to hire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

The Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the Trickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously test, maintain and expand this infrastructure 24 hours a day, 7 days a week.

Conti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza had its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.

According to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders and software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the next. For example, on multiple occasions the organization was forced to fire many employees as a security precaution in the wake of its own internal security breaches.

In May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s malware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires, Stern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both Hof and Reverse appear to have direct access to the Emotet crimeware platform.

Trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity experts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as Ryuk. First spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in first year of its operation Ryuk earned more than $61 million in ransom payouts.

“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for some time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital systems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing COVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across multiple industries.”

On May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of Conti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. It took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at at estimated cost of more than $600 million.

It remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s operations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020 Conti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.

Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools, techniques and procedures are nearly identical to Conti’s.

“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and spotting his own code being re-used in high-profile ransomware attacks by Ryuk.

“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,” Abrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by the same people.”

ATTRITION

Each Conti employee was assigned a specific 5-day workweek, and employee schedules were staggered so that some number of staff was always on hand 24/7 to address technical problems with the botnet, or to respond to ransom negotiations initiated by a victim organization.

Like countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of Bitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.

However, many employees used the Conti chat room to vent about working days on end without sleep or breaks, while upper managers ignored their repeated requests for time off.

Indeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and administrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation to the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being approached to work for competing ransomware organizations, and the overall morale of the group seemed to fluctuate between paydays.

Perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees, meaning the group was forced to constantly recruit new talent.

“Our work is generally not difficult, but monotonous, doing the same thing every day,” wrote “Bentley,” the nickname chosen by the key Conti employee apparently in charge of “crypting” the group’s malware — ensuring that it goes undetected by all or at least most antivirus products on the market.

Bentley was addressing a new Conti hire — “Idgo” — telling him about his daily duties.

“Basically, this involves launching files and checking them according to the algorithm,” Bentley explains to Idgo. “Poll communication with the encoder to receive files and send reports to him. Also communication with the cryptor to send the tested assembly to the crypt. Then testing the crypt. If jambs appear at this stage , then sending reports to the cryptor and working with him. And as a result – the issuance of the finished crypt to the partner.”

Bentley cautioned that this testing of their malware had to be repeated approximately every four hours to ensure that any new malware detection capability added to Windows Defender — the built-in antivirus and security service in Windows — won’t interfere with their code.

“Approximately every 4 hours, a new update of Defender databases is released,” Bentley told Idgo. “You need to work for 8 hours before 20-21 Moscow time. And career advancement is possible.” Idgo agrees, noting that he’d started working for Conti a year earlier, as a code tester.

OBSERVATIONS

The logs show the Conti gang is exceedingly good at quickly finding many potential new ransomware victims, and the records include many internal debates within Conti leadership over how much certain victim companies should be forced to pay. They also show with terrifying precision how adeptly a large, organized cybercrime group can pivot from a single compromised PC to completely owning a Fortune 500 company.

As a well-staffed “big game” killing machine, Conti is perhaps unparalleled among ransomware groups. But the internal chat logs show this group is in serious need of some workflow management and tracking tools. That’s because time and time again, the Conti gang lost control over countless bots — all potential sources of ransom revenue that will help pay employee salaries for months — because of a simple oversight or mistake.

Peppered throughout the leaked Conti chats — roughly several times each week — are pleadings from various personnel in charge of maintaining the sprawling and constantly changing digital assets that support the group’s ransomware operation. These messages invariably relate to past-due invoices for multiple virtual servers, domain registrations and other cloud-based resources.

On Mar. 1, 2021, a low-level Conti employee named “Carter” says the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers and domain registrations is short $1,240 in Bitcoin.

“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote on Nov. 24, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”

As part of the research for this series, KrebsOnSecurity spent many hours reading each day of Conti’s chat logs going back to September 2020. I wish I could get many of those hours back: Much of the conversations are mind-numbingly boring chit-chat and shop talk. But overall, I came away with the impression that Conti is a highly effective — if also remarkably inefficient — cybercriminal organization.

Some of Conti’s disorganized nature is probably endemic in the cybercrime industry, which is of course made up of criminals who are likely accustomed to a less regimented lifestyle. But make no mistake: As ransomware collectives like Conti continue to increase payouts from victim organizations, there will be increasing pressure on these groups to tighten up their operations and work more efficiently, professionally and profitably.

Stay tuned for Part III in this series, which will look at how Conti secured access to the cyber weaponry needed to subvert the security of their targets, as well as how the team’s leaders approached ransom negotiations with their victims.

Conti Ransomware Group Diaries, Part I: Evasion

A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti makes international news headlines each week when it publishes to its dark web blog new information stolen from ransomware victims who refuse to pay an extortion demand. In response to Russia’s invasion of Ukraine, Conti published a statement announcing its “full support.”

“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” the Conti blog post read.

On Sunday, Feb. 27, a new Twitter account “Contileaks” posted links to an archive of chat messages taken from Conti’s private communications infrastructure, dating from January 29, 2021 to the present day. Shouting “Glory for Ukraine,” the Contileaks account has since published additional Conti employee conversations from June 22, 2020 to Nov. 16, 2020.

The Contileaks account did not respond to requests for comment. But Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security, said the person who leaked the information is not a former Conti affiliate — as many on Twitter have assumed. Rather, he said, the leaker is a Ukrainian security researcher who has chosen to stay in his country and fight.

“The person releasing this is a Ukrainian and a patriot,” Holden said. “He’s seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least.”

GAP #1

The temporal gaps in these chat records roughly correspond to times when Conti’s IT infrastructure was dismantled and/or infiltrated by security researchers, private companies, law enforcement, and national intelligence agencies. The holes in the chat logs also match up with periods of relative quiescence from the group, as it sought to re-establish its network of infected systems and dismiss its low-level staff as a security precaution.

On Sept. 22, 2020, the U.S. National Security Agency (NSA) began a weeks-long operation in which it seized control over the Trickbot botnet, a malware crime machine that has infected millions of computers and is often used to spread ransomware. Conti is one of several cybercrime groups that has regularly used Trickbot to deploy malware.

Once in control over Trickbot, the NSA’s hackers sent all infected systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control compromised Microsoft Windows computers. On top of that, the NSA stuffed millions of bogus records about new victims into the Trickbot database.

News of the Trickbot compromise was first published here on Oct. 2, 2020, but the leaked Conti chats show that the group’s core leadership detected something was seriously wrong with their crime machine just a few hours after the initial compromise of Trickbot’s infrastructure on Sept. 22.

“The one who made this garbage did it very well,” wrote “Hof,” the handle chosen by a top Conti leader, commenting on the Trickbot malware implant that was supplied by the NSA and quickly spread to the rest of the botnet. “He knew how the bot works, i.e. he probably saw the source code, or reversed it. Plus, he somehow encrypted the config, i.e. he had an encoder and a private key, plus uploaded it all to the admin panel. It’s just some kind of sabotage.”

“Moreover, the bots have been flooded with such a config that they will simply work idle,” Hof explained to his team on Sept. 23, 2020. Hof noted that the intruder even kneecapped Trickbot’s built-in failsafe recovery mechanism. Trickbot was configured so that if none of the botnet’s control servers were reachable, the bots could still be recaptured and controlled by registering a pre-computed domain name on EmerDNS, a decentralized domain name system based on the Emercoin virtual currency.

“After a while they will download a new config via emercoin, but they will not be able to apply this config, because this saboteur has uploaded the config with the maximum number, and the bot is checking that the new config should be larger than the old one,” Hof wrote. “Sorry, but this is fucked up. I don’t know how to get them back.”

It would take the Conti gang several weeks to rebuild its malware infrastructure, and infect tens of thousands of new Microsoft Windows systems. By late October 2020, Conti’s network of infected systems had grown to include 428 medical facilities throughout the United States. The gang’s leaders saw an opportunity to create widespread panic — if not also chaos — by deploying their ransomware simultaneously to hundreds of American healthcare organizations already struggling amid a worldwide pandemic.

“Fuck the clinics in the USA this week,” wrote Conti manager “Target” on Oct. 26, 2020. “There will be panic. 428 hospitals.”

On October 28, the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Follow-up reporting confirmed that at least a dozen healthcare organizations were hit with ransomware that week, but the carnage apparently was not much worse than a typical week in the healthcare sector. One information security leader in the healthcare industry told KrebsOnSecurity at the time that it wasn’t uncommon for the industry to see at least one hospital or health care facility hit with ransomware each day.

GAP #2

The more recent gap in the Conti chat logs corresponds to a Jan. 26, 2021 international law enforcement operation to seize control of Emotet, a prolific malware strain and cybercrime-as-a-service platform that was used heavily by Conti. Following the Emotet takedown, the Conti group once again reorganized, with everyone forced to pick new nicknames and passwords.

The logs show Conti made a special effort to help one of its older members — All Witte — a 55-year-old Latvian woman arrested last year on suspicion of working as a programmer for the Trickbot group. The chat records indicate Witte became something of a maternal figure for many of Conti’s younger personnel, and after her arrest Conti’s leadership began scheming a way to pay for her legal defense.

Alla Witte’s personal website — allawitte[.]nl — circa October 2018.

“They gave me a lawyer, they said the best one, plus excellent connections, he knows the investigator, he knows the judge, he is a federal lawyer there, licensed, etc., etc.,” wrote Mango” — a mid-level manager within Conti — to “Stern,” a much higher-up Conti manager and taskmaster who frequently asked various units of the gang for updates on their daily assignments.

Stern agreed that this was the best course of action, but it’s unclear if it was successfully carried out. Also, the entire scheme may not have been as altruistic as it seemed: Mango suggested that paying Witte’s attorney fees might also give the group inside access to information about the government’s ongoing investigation of Trickbot.

“Let’s try to find a way to her lawyer right now and offer him to directly sell the data bypassing her,” Mango suggests to Stern on June 23, 2021.

The FBI has been investigating Trickbot for years, and it is clear that at some point the U.S. government shared information with the Russians about the hackers they suspected were behind Trickbot. It is also clear from reading these logs that the Russians did little with this information until October 2021, when Conti’s top generals began receiving tips from their Russian law enforcement sources that the investigation was being rekindled.

“Our old case was resumed,” wrote the Conti member “Kagas” in a message to Stern on Oct. 6, 2021. “The investigator said why it was resumed: The Americans officially requested information about Russian hackers, not only about us, but in general who was caught around the country. Actually, they are interested in the Trickbot, and some other viruses. Next Tuesday, the investigator called us for a conversation, but for now, it’s like [we’re being called on as] witnesses. That way if the case is suspended, they can’t interrogate us in any way, and, in fact, because of this, they resumed it. We have already contacted our lawyers.”

Incredibly, another Conti member pipes into the discussion and says the group has been assured that the investigation will go nowhere from the Russian side, and that the entire inquiry from local investigators would be closed by mid-November 2021.

It appears Russian investigators were more interested in going after a top Conti competitor — REvil, an equally ruthless Russian ransomware group that likewise mainly targeted large organizations that could pay large ransom demands.

On Jan. 14, 2022, the Russian government announced the arrest of 14 people accused of working for REvil. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown was part of a cynical ploy to assuage (or distract) public concerns over Russian President Vladimir Putin’s bellicose actions in the weeks before his invasion of Ukraine.

The leaked Conti messages show that TrickBot was effectively shut down earlier this month. As Catalin Cimpanu at The Record points out, the messages also contain copious ransom negotiations and payments from companies that had not disclosed a breach or ransomware incident (and indeed had paid Conti to ensure their silence). In addition, there are hundreds of bitcoin addresses in these chats that will no doubt prove useful to law enforcement organizations seeking to track the group’s profits.

This is the first of several stories about the inner workings of Conti, based on the leaked chat records. Part II will be told through the private messages exchanged by Conti employees working in different operational units, and it explores some of the more unique and persistent challenges facing large-scale cybercriminal organizations today.