Conti (ransomware)

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

The Conti malware, once deployed on a victim device, not only encrypts data on the device, but also spreads to other devices on the network, obfuscates its presence, and provides a remote attacker control over its actions on the objective. All versions of Microsoft Windows are known to be affected. The United States government offered a reward of up to $10 million for information on the group in early May 2022.

RaaS model
According to a leaked playbook, core team-members of a Conti operation manage the malware itself, while recruited affiliates are tasked with exploitation of victim networks and encryption of their devices.

Conti's ransomware as a service model varies in its structure from a typical affiliate model. Unlike other RaaS models, groups using the Conti model likely pay deployers of the malware in wages rather than in a percentage of the ransom (once paid). Conti operators have also been known to use double-extortion as a means to pressure victims into paying, including publishing the victim's stolen data. In cases where a victim organization refuses to pay, they've sold access to the organization to other threat actors.

Tactics and Techniques
Conti ransomware employs various stealth techniques, including the use of BazarLoader, to infiltrate its target systems. The ransomware is designed to encrypt files and render them inaccessible until a ransom is paid. It is often delivered through phishing emails, exploit kits, or compromised websites. Conti has gained notoriety for targeting healthcare institutions, as seen in its attacks on organizations in Ireland and New Zealand.

The Conti group has also been known to sell access to victim organizations that have refused to pay the ransom. This practice not only adds another layer of pressure on victims but also provides an additional source of revenue for the ransomware gang. These tactics, combined with the group's sophisticated techniques, have made Conti one of the most prolific and capable ransomware groups operating in 2021.

The software uses its own implementation of AES-256 that uses up to 32 individual logical threads, making it much faster than most ransomware. The method of delivery is not clear.

The gang behind Conti has operated a site from which it can leak documents copied by the ransomware since 2020. The same gang has operated the Ryuk ransomware. The group is known as Wizard Spider and is based in Saint Petersburg, Russia.

Once on a system it will try to delete Volume Shadow Copies. It will try to terminate a number of services using Restart Manager to ensure it can encrypt files used by them. It will disable real time monitor and uninstall the Windows Defender application. Default behaviour is to encrypt all files on local and networked Server Message Block drives, ignoring files with DLL, .exe, .sys and .lnk extensions. It is also able to target specific drives as well as individual IP addresses.

According to NHS Digital the only guaranteed way to recover is to restore all affected files from their most recent backup.

Membership and structure
The most senior member is known by the aliases Stern or Demon and acts as CEO. Another member known as Mango acts as a general manager and frequently communicates with Stern. Mango told Stern in one message that there were 62 people in the main team. The numbers involved fluctuate, reaching as high as 100. Because of constant turnover in members, the group recruits constantly from legitimate job recruitment sites and hacker sites.

Ordinary programmers earn around $1500 to $2000 per month, and members negotiating ransom payments can take a share of the profits. In April 2021 one member claimed to have an unnamed journalist who took a 5% share of ransomware payments by pressuring victims to pay up.

In May 2022, the United States government offered a reward of up to $15 million for information on the group: $10 million for the identity or location of its leaders, and $5 million for information leading to the arrest of anyone conspiring with it.

Affected Industries and Countries
Conti ransomware attacks have been detected across the globe, with the United States experiencing the highest number of attack attempts from January 1 to November 12, 2021, surpassing one million attempts. The Netherlands and Taiwan were ranked second and third, respectively.

The retail industry has been the primary target of Conti attacks, followed by insurance, manufacturing, and telecommunications sectors. Healthcare, which was targeted in high-profile attacks by the Conti group, ranks sixth on the list of affected industries.

Origin
Conti is often considered as the successor to Ryuk ransomware.

Leaks
During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country. As a result, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine  along with source code and other files used by the group.

The leaks cover from the start of 2020 to 27 February 2022, and consists of more than 60,000 chat messages. Most leaked messages were direct messages sent via Jabber. Attacks were coordinated using Rocket.chat. The leaks are fragmented.

Some of the messages discuss the actions of Cozy Bear in hacking researchers into COVID-19. Kimberly Goody, director of cybercrime analysis at Mandiant says that references to an unnamed external source in the logs that could be helpful to the gang. She points to mention in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government.

Views expressed in the leaks include support for Vladimir Putin, Vladimir Zhirinovsky and antisemitism, including towards Volodymyr Zelenskyy. A member known as Patrick repeated several false claims made by Putin about Ukraine. Patrick lives in Australia and may be a Russian citizen.

Some messages show an obsession with Brian Krebs.

The messages use mat heavily. Messages containing homophobia, misogyny and references to child abuse were also found.

Dissolution
In the weeks following the leak, the group dissolved. A report from Recorded Future said that they did not think that the leak was not a direct cause of the dissolution, but that it had accelerated already existing tensions within the group.

Known targets

 * Scottish Environment Protection Agency
 * Fat Face
 * Health Service Executive in the Republic of Ireland.
 * Waikato District Health Board in New Zealand.
 * Shutterfly.
 * KP Snacks.
 * Nordic Choice Hotels