
Check Point Research Reveals Leaks of Conti Ransomware Group

Conti’s Inside Operations Revealed: Employees think they are Working for a Legal High-Tech Company

After analyzing leaked documents, Check Point Research (CPR) gives new details on the inside operations of Conti, the notorious Russian ransomware group. Conti is structured like a high-technology company, with clear management, finance and HR functions. Conti recruits not only from underground sources but also from legitimate ones, borrowing CV pools without permission. Some employees at Conti have no clue that they are part of a cybercriminal operation. CPR has also learned that Conti has future plans for a crypto exchange and a darknet social network.


Check Point Research (CPR) has uncovered new details of the inside operations of the Conti ransomware group. Conti is a ransomware-as-a-service (RaaS) group, which allows affiliates to rent access to its infrastructure to launch attacks. Industry experts have said Conti is based in Russia and may have ties to Russian intelligence. Conti has been blamed for ransomware attacks targeting dozens of businesses, including clothing giant Fat Face and Shutterfly, as well as critical infrastructure, such as the Irish healthcare service and other first-responder networks.

On February 27 of this year, a cache of chat logs belonging to Conti was leaked online by an alleged insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine. CPR analyzed the leaked files and learned that the ransomware group operates like a large technology company: Conti has an HR department, a hiring process, offline office premises, salaries and bonus payments.

Details of Conti’s Inside Operations

  1. Conti operates like a technology company
    • Hierarchical and defined structure
      1. Team leaders who report to upper management
      2. Main groups observed: HR, coders, testers, crypters, sysadmins, reverse engineers, offensive team, OSINT specialists and negotiation staff

  2. Talent is recruited from both legitimate and underground sources
    • The main resource Conti HR typically uses for hiring is Russian-speaking headhunting services such as headhunter.ru. They have also used other sites such as superjobs.ru, reportedly with less success. Conti OPSEC forbids leaving traces of developer job openings on such websites, a rule stringently enforced by one of the higher-ups, “Stern”.
    • To hire developers, Conti therefore bypasses the headhunter.ru job-posting system and instead accesses the CV pool directly, contacting candidates by email. You might wonder why headhunter.ru would offer such a service; the answer is that it doesn’t. Conti simply “borrowed” the CV pool without permission, which appears to be standard practice in the cybercrime world.

  3. Some Conti employees don’t even know they are part of a cybercriminal operation
    • In one online job interview, a manager tells a potential hire for the coding team: “everything is anonymous here, the main direction of the company is software for pentesters”.
    • Another example is a group member known by the moniker “Zulas”, most likely the person who developed Trickbot’s backend in the Erlang programming language. Zulas is passionate about Erlang, eager to show examples of his other work, and even mentions his real name. When his manager mentions that his “trick” (Trickbot) project was seen by “half of the world”, Zulas does not understand the reference, calls the system “lero”, and reveals that he has no idea what his software does or why the team goes to such lengths to protect member identities. His interlocutor tells him that he is working on a backend for an ad analytics system.

  4. Conti is actively discussing future plans: a crypto exchange and a darknet social network
    • One of the ideas discussed was creating a crypto exchange within the group’s own ecosystem.
    • Another project is the “darknet social network” (also called “VK for darknet” or “Carbon Black for hackers”), an idea proposed by Stern and carried out by Mango, planned as a commercial product. In July 2021 Conti was already in contact with a designer, who had produced a few mockups.


Read the full detailed research 

Appendix: Graph of Conti’s Organizational Structure

Link is here: https://research.checkpoint.com/wp-content/uploads/2022/03/map_index_v2.html
