Conti – which uses malware to block access to computer data until a “ransom” is paid – operates much like a regular tech company, say cybersecurity experts who analyzed the leaked documents of the group.
A Russian group identified by the FBI as one of the most prolific ransomware groups of 2021 can now understand what it feels like to be the victim of cyber espionage.
A series of leaked documents reveals details about the size, direction and business operations of the group known as Conti, as well as what is perceived to be its most prized asset: the source code for its ransomware.
Shmuel Gihon, a security researcher at threat intelligence firm Cyberint, said the group emerged in 2020 and became one of the biggest ransomware organizations in the world. He estimates that the group has around 350 members who have collectively earned some $2.7 billion in cryptocurrency in just two years.
In its “Internet Crime Report 2021,” the FBI warned that Conti ransomware was among “top three variants” that targeted critical infrastructure in the United States last year. Conti “has most often victimized the critical manufacturing, commercial facilities, and food and agriculture sectors,” the bureau said.
“They were the most successful group up to that point,” Gihon said.
Act of revenge?
In an online post analyzing the leaks, Cyberint said the leak appeared to be an act of revenge, prompted by a since-edited article by Conti published in the wake of Russia’s invasion of Ukraine. The group could have remained quiet, but “as we suspected, Conti chose to side with Russia, and that’s where it all went south,” Cyberint said.
The leaks began on February 28, four days after Russia invaded Ukraine.
Shortly after the publication, someone opened a Twitter account named “ContiLeaks” and began leaking thousands of internal messages from the group alongside pro-Ukrainian statements.
The Twitter account has disabled direct messages, so CNBC was unable to contact its owner.
The account owner claims to be a “security researcher,” said Lotem Finkelstein, head of threat intelligence at Check Point Software Technologies.
The funder appears to have retired from Twitter, writing on March 30, “My final words…see you all after we win! Glory to Ukraine!”
The impact of the leak on the cybersecurity community was enormous, said Gihon, who added that most of his global colleagues spent weeks going through the documents.
US cybersecurity firm Trellix called the leak the “Panama Papers of Ransomware” and “one of the largest ‘crowdsourced cyber investigations’ ever”.
Classic organizational hierarchy
Conti is completely underground and does not comment to the media as, for example, Anonymous sometimes does. But Cyberint, Check Point and other cyber specialists who analyzed the messages said they show Conti operates and is organized like a regular tech company.
After translating numerous messages, which were written in Russian, Finkelstein said the intelligence arm of his company, Check Point Research, determined that Conti had clear management, finance and human resources functions, as well as a classic organizational hierarchy with team leaders who report to senior management. .
There is also evidence of research and development units (“RND” below) and commercial development, according to Cyberint’s findings.
The messages showed Conti had physical offices in Russia, Finkelstein said, adding that the group may have ties to the Russian government.
“Our … hypothesis is that such a huge organization, with physical offices and huge revenues, would not be able to operate in Russia without the full approval, if not some cooperation, of Russian intelligence,” said he declared.
The Russian Embassy in London did not respond to CNBC’s requests for comment. Moscow has previously denied participating in cyberattacks.
‘Employees of the Month’
Check Point Research also found that Conti has:
- Employees – some of whom are paid in bitcoins – as well as performance reviews and training opportunities
- Negotiators who receive commissions ranging from 0.5% to 1% of the ransoms paid
- An employee referral program, with bonuses awarded to employees who recruit others who have worked for at least a month, and
- An “employee of the month” who receives a bonus equal to half of his salary
Unlike honest companies, Conti fines its underperformers, according to Check Point Research.
Workers’ identities are also obscured by pseudonyms, such as Stern (the “big boss”), Buza (the “technical manager”) and Target (“Stern’s partner and effective office operations manager”), a said Check Point Research.
Translated posts showing Conti finable infractions.
Source: Check Point Research
“When communicating with employees, senior executives often argued that working for Conti was the deal of a lifetime – high pay, challenging work, career growth (!),” according to Check Point Research.
However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and working hours over weekends and holidays, Check Point Research said. .
The hiring process
Conti hires both legitimate sources, such as Russian headhunting services, and the criminal underground, Finkelstein said.
The hiring was significant because “unsurprisingly, turnover, attrition, and burnout rates were quite high for low-level Conti employees,” wrote Brian Krebs, a former Washington Post reporter, on his KrebsOnSecurity cybersecurity website.
Some recruits weren’t even computer scientists, according to Check Point Research. Conti hired people to work in call centers, he said. According to the FBI, “tech support fraud” is on the rise, where scammers pose as well-known companies, offer to fix computer problems or waive subscription fees.
Employees in the dark
“Alarmingly, we have evidence that not all employees are fully aware that they are part of a cybercrime group,” Finkelstein said. “These employees think they work for an advertising company, when in fact they work for a notorious ransomware group.”
The messages show that managers lied to job applicants about the organization, with one telling a potential hire: “Everything is anonymous here, the main management of the company is software for pentesters” – referring to penetration testers, who are legitimate cybersecurity specialists who simulate cyberattacks against their own company’s computer networks.
In a series of posts, Stern explained that the group kept coders in the dark by having them work on a module, or part of the software, rather than the entire program, Check Point Research said.
If the employees eventually catch on, Stern said, they are offered a raise to stay, according to the translated messages.
Down but not out?
Even before the leak, Conti was showing signs of distress, according to Check Point Research.
Stern remained silent around mid-January and salary payments ceased, according to the messages.
A few days before the leak, an internal message stated: “There have been numerous leaks, there have been…arrests…there is no boss, there is no clarity…there is no no money either… I have to ask you all to take a 2-3 month holiday.”
Although the group has been hampered, it will likely rise again, according to Check Point Research. Unlike former rival REvil – whose Russian members said they were arrested in January – Conti is still “partially” active, the company said.
The group has survived other setbacks, including the temporary deactivation of Trickbot – a malware used by Conti – and the arrest of several suspected Trickbot associates in 2021.
Despite continued efforts to combat ransomware groups, the FBI expects attacks against critical infrastructure to increase in 2022.