KELA Research

Analysis of Leaked Conti’s Internal Data 2022

On February 27, 2022, in response to the Conti ransomware gang’s support of the Russian invasion of Ukraine, a suspected Ukrainian researcher leaked internal conversations of the gang’s members.

KELA analyzed Conti’s leaks to understand the group’s evolution and TTPs, as well as organizational structure.

Read KELA’s Report to learn more about key findings:

  • Internal conversations show an evolution of a gang of ransomware attackers who at first were not a part of a specific ransomware group. They discussed Ryuk, Conti, and Maze as separate projects. Their activity eventually led to the formation of the modern Conti operation.
  • The group used various malware and tools. KELA found proof of Conti’s strong connection to Trickbot and Emotet, as well as BazarBackdoor, used for gaining initial access. The Diavol ransomware appears to be Conti’s side project. As for legitimate tools, Conti attempted to test products of VMware CarbonBlack and Sophos.
  • Conti used services of Initial Access Brokers to gain initial access.
  • Conversations regarding almost 100 victims, about half of which were not publicly disclosed on Conti’s blog, shed light on the attack process, including multiple steps before and after the ransomware deployment.

