KELA analyzed Conti’s leaks to understand the group’s evolution and TTPs, as well as its organizational structure.
Read KELA’s Report to learn more about key findings:
- Internal conversations show the evolution of a gang of ransomware attackers who at first did not belong to a specific ransomware group. They discussed Ryuk, Conti, and Maze as separate projects. Their activity eventually led to the formation of the modern Conti operation.
- The group used various malware and tools. KELA found proof of Conti’s strong connection to Trickbot and Emotet, as well as to BazarBackdoor, which was used for gaining initial access. The Diavol ransomware appears to be Conti’s side project. As for legitimate tools, Conti attempted to test products from VMware Carbon Black and Sophos.
- Conti used the services of Initial Access Brokers to gain initial access.
- Conversations regarding almost 100 victims – about half of which were not publicly disclosed on Conti’s blog – shed light on the attack process, including multiple steps before and after the ransomware deployment.