My TechDecisions
Compliance, IT Infrastructure, Network Security, News

The Conti Ransomware Leaks: Six Takeaways

Leaked internal information about the Conti ransomware group is giving IT and network defenders new insight into how cybercriminals operate.

March 7, 2022 | Zachary Comeau

Information security, nation-state hacking, ransomware and malware have been front and center of the Russia-Ukraine conflict, with hackers on each side allegedly launching large-scale attacks against the infrastructure of their opponent.

Although Russia is infamous for its hacking activities and ransomware groups long believed to be protected by the country’s government, threat actors in other countries in eastern Europe are also involved in the ransomware-as-a-service industry. That apparently includes Ukraine, as a purportedly Ukrainian affiliate leaked multiple years of chat logs and files from the Conti ransomware group.

The Conti group is one of the most notorious ransomware actors in recent history, so the massive amount of data contained in the leaks gives us an unprecedented look into how the ransomware-as-a-service industry operates.

We spoke with Chester Wisniewski, a principal research scientist at Sophos, for more context on what we can learn from the Conti ransomware leaks.

Ransomware is very lucrative

The Conti ransomware leaks included information about just how lucrative ransomware can be, as the group’s primary Bitcoin wallet has had upwards of $2 billion deposited in the last two years.

The group is apparently so flush with cash that it was able to purchase a zero-day exploit for Internet Explorer 11 to use as an attack vector in late 2020. This matters because zero-day exploits are very expensive, with many selling for several million dollars.

According to Wisniewski, this had always been suspected, but until now there had never been confirmation that a ransomware group purchased zero-day exploits.

“‘These groups are really rich, so I wonder if they’re buying zero days,’ was always the narrative before this,” Wisniewski says. “We’ve never had confirmation of a zero day sale with a ransomware group, to my knowledge, so this was kind of interesting.”

Conti, Ryuk and Trickbot

It has long been thought that Conti was somehow affiliated with the Ryuk ransomware and the Trickbot malware operators, but there was never any proof.

The Conti ransomware leaks were released via a Twitter account called @ContiLeaks. A second account, @TrickbotLeaks, emerged last week and appears to stem from the Conti leaks; it has been leaking information about the Trickbot, Conti, Maze, Diavol, Ryuk and Wizard Spider groups.

“There was some confirmation in their relationship with Trickbot and Ryuk, which all previously had been hearsay,” Wisniewski says. “This confirmed a whole bunch of assumptions that many of us had accurately put together.”

Conti’s Cooperation with the Russian government

Conti, like other ransomware groups believed to be operating out of Russia and other former Soviet states, has long been thought to be untouchable when it comes to law enforcement action in Russia.

It is believed that the Ukrainian member of the group began leaking the information after the group posted a message to its dark web site declaring its “full support of the Russian government” and vowing to retaliate in the event of a cyberattack against Russia. The group later deleted that statement in favor of a slightly more neutral stance.

“Another very interesting thing in the leaks was sort of tacit confirmation of cooperation with the FSB, in previous operations,” Wisniewski says.

Ransomware groups pass on well-secured targets

According to Wisniewski, another Conti ransomware affiliate last year produced leaks of internal training manuals and guides on how to compromise victims, what files to encrypt and threaten to leak and more.

“When you combine the two leaks, it does suggest that it’s pretty much a walk in the park for (Conti) in many of these cases,” he says.

However, the leaks also suggest that when a well-secured would-be victim puts up resistance, the attackers move on to less secure organizations.

“If they’re doing hand-to-hand battle with a reasonably well-secured victim, they just don’t bother because there’s another 500 victims in the queue that have nothing,” Wisniewski says.

Ransomware hackers use Active Directory to move laterally

While the Conti ransomware leaks have produced a lot of chatter amongst cybersecurity professionals about the importance of patching VPNs and using multi-factor authentication, Wisniewski says securing Active Directory is far more important.

“There has been a lot of talk about how easy it is for [Conti and other ransomware groups] to pivot and move laterally using Active Directory and how poorly secured it is,” he says.

Active Directory is widely used by administrators to manage computers, which gives ransomware attackers the ability to infect entire organizations if they can compromise an admin account.

According to Wisniewski, simply following best practices in Active Directory deployment would throw a major hurdle at ransomware operators.

“They’re using Group Policy Objects in Active Directory to deploy ransomware [and] Microsoft tools like PsExec to remotely run the ransomware on computers. They’re [also] using PowerShell. All of these things can be carefully managed and maintained, and that would throw their playbook out the window,” Wisniewski says. “I mean, we all know how important it is to secure Active Directory. But to me, I would put more emphasis on it now because it just hadn’t really clicked in my head, how dependent they were on AD to do so much and what they do.”
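The three techniques Wisniewski lists (GPO changes, PsExec, PowerShell) each leave a recognizable trace in Windows event logs. The following detection logic is an added example written for this article, not code from Sophos or from the leaks; the event records are constructed to resemble real Windows event fields, and it assumes directory service change auditing (Security event 5136) and process creation auditing with command line (Security event 4688) are enabled.

```python
"""Flag Windows event records matching GPO modification, PsExec service
installation and encoded PowerShell launches. Added example; sample
events below are constructed, not taken from any real environment."""
import re

# Constructed sample events shaped like Windows event log fields.
SAMPLE_EVENTS = [
    # PsExec drops and starts its PSEXESVC service: System log, event 7045.
    {"log": "System", "id": 7045, "host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # A Group Policy object changed on a DC: Security log, event 5136.
    {"log": "Security", "id": 5136, "host": "DC01",
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "SubjectUserName": "svc_backup"},
    # PowerShell launched with an encoded command: Security log, event 4688.
    {"log": "Security", "id": 4688, "host": "WS02",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    # Benign process creation that should not be flagged.
    {"log": "Security", "id": 4688, "host": "WS03",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")

def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    eid = event.get("id")
    if eid == 7045:
        svc = (event.get("ServiceName", "") + event.get("ImagePath", "")).upper()
        if "PSEXESVC" in svc:
            return "psexec_service_install"
    if eid == 5136 and event.get("ObjectClass") == "groupPolicyContainer":
        return "gpo_modified"
    if eid == 4688 and event.get("NewProcessName", "").lower().endswith("powershell.exe"):
        if ENCODED_FLAG.search(event.get("CommandLine", "")):
            return "powershell_encoded_command"
    return None

def scan(events):
    """Return (host, label) pairs for every event that matched a rule."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["host"], label))
    return findings
```

Running `scan(SAMPLE_EVENTS)` reports the PsExec install on WS01, the GPO change on DC01 and the encoded PowerShell launch on WS02, and ignores the notepad event; in practice GPO findings should be compared against the change-control record for the domain.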

Purchasing and testing of cybersecurity tools

The Conti ransomware leaks also contained evidence that the group was actively seeking trial copies of cybersecurity software to test against and find ways around firewalls and anti-malware tools.

Some of the chat logs indicated that products from Sophos and other leading security vendors proved too difficult to get around, which suggests that cybersecurity software is keeping up with attackers.

“It suggested that [we] have been raising [ransomware groups’] cost of doing business,” Wisniewski says. “It’s good to know because it suggests that the direction the industry has been going is increasing the pain over there.”

Tagged With: Cybersecurity, ransomware

© 2022 Emerald X, LLC. All rights reserved.