Inside Conti, the world’s most feared ransomware gang

The leaking of more than a 100,000 internal messages has offered explosive insights into how Conti attacks its victims which include Australian companies.

Chris Griffith

3 min read

2:06PMMarch 07, 2022.

Updated 3:36PMMarch 07, 2022

The Australian Business Network

Depiction of a hacker infecting a computer network.

The leaking of more than a hundred thousand internal messages at the world‘s biggest ransomware gang has offered explosive insights into how it attacks its victims which include Australian companies.

When Conti announced “full support of the Russian government” in the war against Ukraine on February 25, it took only two days for Conti chat sessions to find their way onto the internet, with the likely source being a Ukrainian supporter within the cybercriminal group.

Bleeping Computer reports leaks of more than 160,000 internal messages, along with source code for the Conti ransomware encryptor, decryptor and builder.

Conti has reportedly clocked up more than 500 corporate victims. They include Ireland’s health service, Japanese multinational electronics company JVCKenwood, and in Australia, Queensland’s CS Energy, among others.

The Australian Cyber Security Centre (ACSC) says it is aware of multiple Australian victims.

“Conti has claimed to have compromised at least 500 organisations worldwide to date,” says ACSC. “This includes the targeting of Australian critical infrastructure, notably including healthcare and energy organisations in 2021.” ACSC says Conti’s activities are continuing in 2022.

The cybercriminal gang is renowned for its two-stage attack. Conti uses a ‘double extortion’ technique where it steals company data and threatens to sell it to extort a payment. It then encrypts data on victims’ systems and demands a ransom.

Apart from chat around working hours, salaries, and onboarding staff, the documents reveal the stunning reach of Conti, including its use of regular recruitment firms to hire staff, and its buying spree of public security software systems used to test the voracity of its malware.

The documents raise the prospects of company insiders working with the criminal gang.

Author of the KrebsOnSecurity blog Brian Krebs, who has examined the leaked documents, said Conti’s success comes from it targeting firms with more than $US100m in annual revenue.

He says Conti fluctuates in size from 65 to more than 100 staff and spends several thousand dollars monthly on security and antivirus tools. It includes spyware that checks the online activity of Conti’s own administrators. In the chat files, Conti staff complain about not being trusted.

The KrebsOnSecurity analysis says Conti budgets thousands of dollars each month for employer subscriptions to job-hunting websites, and had paid access to one employment platform where the cybercriminals sift through 25 to 30 per cent of relevant CVs. Employees worked a 5 day week. “Most employees were paid $US1,000 to $US2,000 monthly.”

Cybercriminals inform their victim of a ransomware attack.

Another Conti sector is tasked with finding and exploiting new security vulnerabilities in hardware, software and cloud based services.

Conti also has had offers from people willing to intimidate companies to pay up. “There is a journalist who will help intimidate them (victim companies) for 5 per cent of the payout,” wrote Conti member ‘Alarm’, on March 30, 2021.

Cybersecurity insurance firms meanwhile are engaging negotiators who seek to reduce the amount of ransom to be paid. Amounts often begin at unrealistic levels.

Co-founder and CEO of Internet 2.0 Robert Potter says negotiators not only seek to reach a resolution between companies and ransomware vendors, they also identify digital evidence for law enforcement.

Mr Potter says companies could possibly detect the first stage of an attack by criminal groups such as Conti when they seek to steal company data before encrypting it.

He says Conti has moved its website from the dark web to the regular internet to make it easier for victims to be blackmailed. Conti also has an active PR arm that sought media support for publicising their attacks, again to shame victim companies into paying.

Mr Potter says it was “not unheard of” for a company insider to help a ransomware vendor, especially in large organisations. “An insider threat is often a component of very sophisticated cyber attacks.”

He says there is evidence in the logs of Conti staff having second thoughts about supporting Russia.

Craig Searle, director, consulting & professional services (Pacific) at Trustwave, says it’s a “bit of a long bow” to suggest company insiders are supporting ransomware vendors.

Dale Heath, engineering manager, Rubrik ANZ, says if any doubts remain about the threat ransomware poses, the attack against CS Energy and the theft of personal information from thousands of South Australian public servants late last year surely puts them to rest. He says the Conti ransomware group claimed responsibility for both attacks.

“These attacks, which occurred within weeks of each other, highlight a number of ransomware trends and provide a window into what we can expect from such groups this year; the prevalence of supply chain attacks, a renewed focus on targeting critical infrastructure, and the rise of ransomware-as-a-service.”

Mr Heath says that in the South Australian case, Conti conducted a ‘supply chain attack’ which targeted Frontier Software. It provides payroll services to every South Australian government department except for the Department of Education.

“Thousands of South Australians had their bank account details, tax file numbers, and other sensitive information stolen.

“Supply chain attacks are becoming increasingly popular because they impact multiple organisations from a single breach. In this case, not only was data stolen from the South Australian Government, but the operations of Tasmania’s largest employer – the Federal Group – were also disrupted.”