Analysis of leaked Conti’s internal data

On February 27, 2022, as a response to the Conti ransomware gang’s support of the Russian invasion of Ukraine, a suspected Ukrainian researcher leaked internal conversations of its members. KELA analyzed the leaks to understand the group’s evolution and TTPs, as well as organizational structure.

Main findings:

  • Internal conversations show an evolution of a gang of ransomware attackers who at first were not a part of a specific ransomware group. They discussed Ryuk, Conti, and Maze as separate projects. Their activity eventually led to the formation of the modern Conti operation.
  • The group used various malware and tools. KELA found proof of Conti’s strong connection to Trickbot and Emotet, as well as BazarBackdoor, used for gaining initial access. The Diavol ransomware appears to be Conti’s side project. As for legitimate tools, Conti attempted to test products of VMware CarbonBlack and Sophos.
  • Conti used services of Initial Access Brokers to gain initial access.
  • Conversations regarding almost 100 victims – about a half of which were not publicly disclosed on Conti’s blog – shed light on the attacks’ process, including multiple steps before and after the ransomware deployment.
  • The gang’s members expressed interest in attacking the US public sector.
  • Conti’s team is highly organized and includes the following teams: hackers, coders, testers, reverse specialists, crypters, OSINT specialists, negotiators, IT support, HR.
  • KELA prepared descriptions of the top-15 actors based on the amount of their messages, as well as their connection maps.