What is Conti?
Conti is a form of ransomware operated by a Russia-based hacker group that was first identified in 2020. It is notorious for the speed at which it encrypts files and moves laterally within an environment, and for its double-extortion technique.
This method doesn’t just encrypt the victim’s data; it also creates a copy of it, which is published on the group’s extortion site or sold to a third-party buyer if payment is not sent to the ransomware group in time, creating more pressure on the victim to pay up.
How Conti Operates & Ransomware as a Service
Like most ransomware creators today, the group behind Conti follows a Ransomware-as-a-Service (RaaS) model. This means the developers lease their software to users who then gain access to a target’s infrastructure and deploy Conti within it. This may sound crazy (we are discussing malicious hackers, after all), but attack groups do typically follow certain rules of engagement. However, unlike most other RaaS groups, Conti seems to lack any moral integrity.
In recent attacks, security researchers have documented the group targeting hospitals, emergency medical services, and emergency dispatchers. To make matters worse, the group has also been known to stiff victims who have paid a ransom by refusing to decrypt the files in question.
These actions set them apart from other well-known groups. Others don’t target life-saving systems and will work with victims who pay to decrypt their data—both establish ‘credibility’ in the ransomware world.
Here, we’ll look at how Conti has been reintroduced into the hacking news cycle, and what has been discovered about their inner workings.
Repercussions of One’s Actions
During the outset of Russia’s attempt to invade Ukraine, Conti released the following statement:
“The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all-possible resources to strike back at the critical infrastructures of an enemy.”
This statement was modified a few hours later to backtrack a little from Conti’s ‘full support of Russia’ toward more of a propaganda piece against the West, and more specifically America:
“As a response to Western warmongering and America threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression.”
We’re Not So Different, You and I
Two days after these statements were published by Conti, an alleged Ukrainian security researcher published logs containing hundreds of thousands of Conti’s internal messages and communications.
Security researchers have since combed through these messages to get a better understanding of the group behind Conti. As it turns out, they are a functioning business with many of the same functions and relationships you might find in a typical corporate environment (to an extent).
For instance, Conti was found to have an established hierarchy made up of:
- Ransom Operators
- System Administrators
- Campaign Engineers
Researchers discovered an “employee of the month” incentive program discussed in the messages, with the promise of a bonus equal to 50% of the employee’s salary. The salaries in question are paid out on a schedule: the 1st and 15th of the month. Performance reviews discussing how the ‘employee’ fared throughout the year and how they could improve were also noted.
Communication about what the Conti ransomware group was planning to accomplish in the coming year was highlighted, as was information that indicated relatively normal relationships between coworkers. Friendships were identified, and the messages contained information regarding meetups and sending money to help a fellow coworker who was in a bind.
Disciplinary action was observed as well, usually revolving around salary deductions or outright termination. These seemed to be applied at the whim of middle management, depending on how they were feeling that day, or to unreliable workers who failed to show up.
What does it mean to the world of information security when we discover that the group behind Conti has so many similarities to average corporate life? What do we make of a world where senior and middle management, HR, a standardized payment schedule, and camaraderie amongst “employees” exist among ransomware groups?
If nothing else, it’s unsettling to learn that such an organized group is out there using their skills for evil and taking advantage of those who are most vulnerable.
As an information security provider, we share stories and news like this to make you aware of the harm that can befall a business that is unprepared. It’s worth mentioning that the group has been told to lie low for a few months due to international attention related to the victims they target and their stance on Russia’s invasion of Ukraine. Unfortunately, this doesn’t mean that we should expect to see them dissolve entirely, and we will likely see more of them in the near future, under a new name or otherwise. You can prepare yourself by mitigating your risk and ensuring that your highest-value assets are as secure as you can make them.
As always, if you need any help with your security program, don’t hesitate to reach out to us.