Part I of this series examined newly-leaked internal chats from the Conti ransomware group, and how the crime gang dealt with its own internal breaches. Part II explored what it’s like to be an employee of Conti’s sprawling organization. Today’s Part III looks at how Conti abused popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims.

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

Conti is by far the most successful ransomware group in operation today, routinely pulling in multi-million dollar payments from victim organizations. That’s because more than perhaps any other ransomware outfit, Conti has chosen to focus its considerable staff and talents on targeting companies with more than $100 million in annual revenues.

As it happens, Conti itself recently joined the $100 million club. According to the latest Crypto Crime Report (PDF) published by virtual currency tracking firm Chainalysis, Conti generated at least $180 million in revenue last year.

On Feb. 27, a Ukrainian cybersecurity researcher who is currently in Ukraine leaked almost two years’ worth of internal chat records from Conti, which had just posted a press release to its victim shaming blog saying it fully supported Russia’s invasion of his country. Conti warned it would use its cyber prowess to strike back at anyone who interfered in the conflict.

The leaked chats show that the Conti group — which fluctuated in size from 65 to more than 100 employees — budgeted several thousand dollars each month to pay for a slew of security and antivirus tools. Conti sought out these tools both for continuous testing (to see how many products detected their malware as bad), but also for their own internal security.

A chat between Conti upper manager “Reshaev” and subordinate “Pin” on Aug. 8, 2021 shows Reshaev ordering Pin to quietly check on the activity of the Conti network administrators once a week — to ensure they’re not doing anything to undermine the integrity or security of the group’s operation. Reshaev tells Pin to install endpoint detection and response (EDR) tools on every administrator’s computer.

“Check admins’ activity on servers each week,” Reshaev said. “Install EDR on every computer (for example, Sentinel, Cylance, CrowdStrike); set up more complex storage system; protect LSAS dump on all computers; have only 1 active accounts; install latest security updates; install firewall on all network.”

Conti managers were hyper aware that their employees handled incredibly sensitive and invaluable data stolen from companies, information that would sell like hotcakes on the underground cybercrime forums. But in a company run by crooks, trust doesn’t come easily.

“You check on me all the time, don’t you trust me?,” asked mid-level Conti member “Bio” of “Tramp” (a.k.a. “Trump“), a top Conti overlord. Bio was handling a large bitcoin transfer from a victim ransom payment, and Bio detected that Trump was monitoring him.

“When that kind of money and people from the street come in who have never seen that kind of money, how can you trust them 1,000%?” Trump replied. “I’ve been working here for more than 15 years and haven’t seen anything else.”

OSINT

Conti also budgeted heavily for what it called “OSINT,” or open-source intelligence tools. For example, it subscribed to numerous services that can help determine who or what is behind a specific Internet Protocol (IP) address, or whether a given IP is tied to a known virtual private networking (VPN) service. On an average day, Conti had access to tens of thousands of hacked PCs, and these services helped the gang focus solely on infected systems thought to be situated within large corporate networks.

Conti’s OSINT activities also involved abusing commercial services that could help the group gain the upper hand in ransom negotiations with victims. Conti often set its ransom demands as a percentage of a victim’s annual revenues, and the gang was known to harass board members of and investors in companies that refused to engage or negotiate.

In October 2021, Conti underling “Bloodrush” told his manager “Bentley” that the group urgently needed to purchase subscriptions to Crunchbase Pro and Zoominfo, noting that the services provide detailed information on millions of companies, such as how much insurance a company maintains; their latest earnings estimates; and contact information of executive officers and board members.

In a months-long project last year, Conti invested $60,000 in acquiring a valid license to Cobalt Strike, a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten “Coba” licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network. It appears $30,000 of that investment went to cover the actual cost of a Cobalt Strike license, while the other half was paid to a legitimate company that secretly purchased the license on Conti’s behalf.

Likewise, Conti’s Human Resources Department budgeted thousands of dollars each month toward employer subscriptions to numerous job-hunting websites, where Conti HR employees would sift through resumes for potential hires. In a note to Conti taskmaster “Stern” explaining the group’s paid access on one employment platform, Conti HR employee “Salamandra” says their workers have already viewed 25-30 percent of all relevant CVs available on the platform.

“About 25% of resumes will be free for you, as they are already opened by other managers of our company some CVs are already open for you, over time their number will be 30-35%,” Salamandra wrote. “Out of 10 CVs, approximately 3 will already be available.”

Another organizational unit within Conti with its own budget allocations — called the “Reversers” — was responsible for finding and exploiting new security vulnerabilities in widely used hardware, software and cloud-based services. On July 7, 2021, Stern ordered reverser “Kaktus” to start focusing the department’s attention on Windows 11, Microsoft’s newest operating system.

“Win11 is coming out soon, we should be ready for this and start studying it,” Stern said. “The beta is already online, you can officially download and work.”

BY HOOK OR BY CROOK

The chats from the Conti organization include numerous internal deliberations over how much different ransomware victims should be made to pay. And on this front, Conti appears to have sought assistance from multiple third parties.

Milwaukee-based cyber intelligence firm Hold Security this week posted a screenshot on Twitter of a conversation in which one Conti member claims to have a journalist on their payroll who can be hired to write articles that put pressure on victim companies to pay a ransom demand.

“There is a journalist who will help intimidate them for 5 percent of the payout,” wrote Conti member “Alarm,” on March 30, 2021.

The Conti team also had decent working relationships with multiple people who worked at companies that helped ransomware victims navigate paying an extortion demand in virtual currency. One friendly negotiator even had his own nickname within the group — “The Spaniard” — who according to Conti mid-level manager Mango is a Romanian man who works for a large ransomware recovery firm in Canada.

“We have a partner here in the same panel who has been working with this negotiator for a long time, like you can quickly negotiate,” Trump says to Bio on Dec. 12, 2021, in regards to their ransomware negotiations with LeMans Corp., a large Wisconsin-based distributor of powersports equipment [LeMans declined to comment for this story].

Trump soon after posts a response from their negotiator friend:

“They are willing to pay $1KK [$1 million] quickly. Need decryptors. The board is willing to go to a maximum of $1KK, which is what I provided to you. Hopefully, they will understand. The company revenue is under $100KK [$100 million]. This is not a large organization. Let me know what you can do. But if you have information about their cyber insurance and maybe they have a lot of money in their account, I need a bank payout, then I can bargain. I’ll be online by 21-00 Moscow time. For now, take a look at the documents and see if there is insurance and bank statements.”

In a different ransom discussion, the negotiator urges Conti to reconsider such a hefty demand.

“My client only has a max of $200,000 to pay and only wants the data,” the negotiator wrote on Oct. 7, 2021. “See what you can do or this deal will not happen.”

Many organizations now hold cyber insurance to cover the losses associated with a ransomware attack. The logs indicate Conti was ambivalent about working with these victims. For one thing, the insurers seemed to limit their ability to demand astronomical ransom amounts. On the other hand, insured victims usually paid out, with a minimum of hassle or protracted back-and-forth negotiations.

“They are insured for cyber risks, so what are we waiting for?” asks Conti upper manager “Revers,” in a conversation on Sept. 14, 2021.

“There will be trades with the insurance company?” asks Conti employee “Grant.”

“That’s not how it works,” Revers replied. “They have a coverage budget. We just take it and that’s it.”

Conti was an early adopter of the ransomware best practice of “double extortion,” which involves charging the victim two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed. Indeed, some variation of the message “need decryptors, deletion logs” can be seen throughout the chats following the gang’s receipt of payment from a victim.

Conti victims were directed to a page on the dark web that included a countdown timer. Victims who failed to negotiate a payment before the timer expired could expect to see their internal data automatically published on Conti’s victim shaming blog.

The beauty of the double extortion approach is that even when victims refuse to pay for a decryption key — perhaps because they’re confident they can restore systems from backups — they might still pay to keep the breach quiet.

“Hello [victim company redacted],” the gang wrote in January 2022. “We are Conti Group. We want to inform that your company local network have been hacked and encrypted. We downloaded from your network more than 180GB of sensitive data. – Shared HR – Shared_Accounting – Corporate Debt – Departments. You can see your page in the our blog here [dark web link]. Your page is hidden. But it will be published if you do not go to the negotiations.”

“We came to an agreement before the New Year,” Conti member “Skippy” wrote later in a message to the victim company. “You got a lot of time, more than enough to find any sum and fulfill your part of this agreement. However, you now ask for additional time, additional proofs, etc. Seems like you are preparing to break the agreement and flee, or just to decrease the sum. Moreover, it is a very strange request and explanation. A lot of companies pay such amounts without any problems. So, our answer: We are waiting for the above mentioned sum until 5 February. We keep our words. If we see no payment and you continue to add any conditions, we begin to upload data. That is all.”

And a reputation for keeping their word is what makes groups like Conti so feared. But some may come to question the group’s competence, and whether it may now be too risky to work with them.

On Mar. 3, a new Twitter account called “Trickbotleaks” began posting the names, photos and personal information of what the account claimed were top Trickbot administrators, including information on many of the Conti nicknames mentioned throughout this story. The Trickbotleaks Twitter account was suspended less than 24 hours later.

On Mar. 2, the Twitter account that originally leaked the Conti chat (a.k.a. “jabber”) records posted fresh logs from the Conti chat room, proving the infiltrator still had access and that Conti hadn’t figured out how they’d been had.

“Ukraine will rise!,” the account tweeted. “Fresh jabber logs.”

There may yet be at least one more piece in this series. Look here next week for a story about some of Conti’s more interesting extracurricular moneymaking and investment schemes.

President Biden joined European leaders this week in enacting economic sanctions against Russia in response to its invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure.

Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.

The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPeyta event — basically some type of cyber weapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely-used piece of hardware or software.

Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.

“The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”

What kinds of attacks are experts most concerned about? In part because the Russian economy is so dependent on energy exports, Russia has invested heavily in probing for weaknesses in the cyber systems that support bulk power production and distribution.

Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities targeting power infrastructure. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

Experts warn that Russia could just as easily use its arsenal of sneaky cyber exploits against energy systems that support U.S. and European nations. In 2014, then National Security Agency Director Mike Rogers told lawmakers that hackers had been breaking into U.S. power utilities to probe for weaknesses, and that Russia had been caught planting malware in the same kind of industrial computers used by power utilities.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” Rogers said at the time.

That haunting prophecy is ringing anew as European leaders work on hammering out additional sanctions, which the European Commission president says will restrict the Russian economy’s ability to function by starving it of important technology and access to finance.

A draft of the new penalties obtained by The New York Times would see the European Union ban the export of aircraft and spare parts that are necessary for the maintenance of Russian fleets.

“The bloc will also ban the export of specialized oil-refining technology as well as semiconductors, and it will penalize more banks — although it will stop short of targeting VTB, Russia’s second-largest bank, which is already crippled by American and British sanctions,” The Times wrote.

Dmitri Alperovitch is co-founder and former chief technology officer at the security firm CrowdStrike. Writing for The Economist, Alperovitch said America must tailor its response carefully to avoid initiating a pattern of escalation that could result in a potentially devastating hot war with Russia.

“The proposed combination of sanctions on top Russian banks and implementation of export controls on semiconductors would be likely to severely debilitate the Russian economy,” Alperovitch wrote. “And although many in the West may initially cheer this outcome as righteous punishment for Russia’s blatant violation of Ukrainian sovereignty, these measures will probably trigger significant Russian retaliation against America. That prospect all but guarantees that the conflict will not come to an end with an invasion of Ukraine.”

Faced with a potentially existential threat to its economic well-being — and seeing itself as having nothing more to lose — Russia will have several tools at its disposal with which to respond, he said: One of those will be carrying out cyber-attacks against American and European financial institutions and energy infrastructure.

“Having already exhausted the power of economic sanctions, America and its European allies would have few choices other than to respond to these attacks with offensive cyber-strikes of their own,” Alperovitch wrote. “This pattern of tit-for-tat cyber retaliation could place Russia and the West on a worrying path. It could end with the conflict spilling out of cyberspace and into the realm of a hot conflict. This outcome—a hot conflict between two nuclear powers with extensive cyber capabilities—is one that everyone in the world should be anxious to avoid.”

In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. Alperovitch says a retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.

“The colonial pipeline is going to be like child’s play if the Russians truly unleash all their capability,” Alperovitch told CNBC this week.

For example, having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with “wiper” malware that simply overwrites or corrupts data on infected systems.

Kim Zetter, a veteran Wired reporter who now runs her own cybersecurity-focused Substack newsletter, has painstakingly documented two separate wiper attacks launched in the lead-up to the Russian invasion that targeted Ukrainian government and contractor networks, as well as systems in Latvia and Lithuania.

One contractor interviewed by Zetter said the wiper attacks appeared to be extremely targeted, going after organizations that support the Ukrainian government — regardless of where those organizations are physically located.

“The wiper, dubbed HermeticaWiper, appears to have been in the works for months but was only released on computers today,” Zetter wrote. “It follows on a previous wiper attack that struck Ukrainian systems in January called WhisperGate. Like that previous infection, HermeticaWiper is designed to overwrite files on systems to render them inoperable.”

A joint advisory last week by the FBI, National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian cyber actors have been targeting cleared defense contractors, and that since January 2020 and continuing through this month, the cyber actors had maintained a persistent presence on those contractor networks. The advisory said the attackers exfiltrated email and data, and were able to “acquire sensitive, unclassified information, as well as proprietary and export-controlled technology.”

A report Thursday by NBC News suggested President Biden had been presented with options for massive cyberattacks against Russia, including the disruption of Internet access across Russia, shutting off the power, and stopping trains in their tracks.

But White House National Security Council spokesperson Emily Home told Reuters the NBC News report was “wildly off base and does not reflect what is actually being discussed in any shape or form.”

That’s good news, according to Jim Lewis, director of the public policy program at the Center for Strategic and International Studies. Lewis said the United States and its allies have far more to lose if the West gets embroiled in an escalation of cyber attacks with Russia over sanctions.

“The asymmetry in pressure points makes the idea of us doing something probably not a good idea,” Lewis told KrebsOnSecurity. “If Putin hasn’t gone completely nuts, he’ll be cautious of doing anything that might be construed under international law as the use of force through cyber means.”

Lewis said a more likely response from Russia would include enlisting cybercriminals throughout Russia and the Commonwealth of Independent States to step up ransomware and other disruptive attacks against high-impact targets in specific industries.

“The pressure points for Putin are his political support — the oligarchs and security services,” Lewis said. “If we want to squeeze him, that’s where we have to squeeze, things like seizing all their real estate in Miami Beach, or putting them on no-fly lists. If you want to hurt Putin, a cyberattack probably wouldn’t do it. Unless it was against his bank account.”

In a call to action issued earlier this week dubbed “Shields Up,” CISA warned that Russia could escalate its destabilizing actions in ways that may impact others outside of Ukraine. CISA also published a new catalog of free public and private sector cybersecurity services.

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.”  On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”

“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”