Blog, 7 minutes read
February 20, 2023

Conti Ransomware Attacks: Dead or Just Sleeping?

The infamous cybercriminal gang known as the Conti group attacked thousands of organizations around the world with their highly effective Ransomware-as-a-Service (RaaS).

Conti ransomware was so successful, that it's estimated that the group made at least $180 million in just one year. We say “at least” because cybercriminals tend not to declare their full income...go figure!

The Conti threat group was prolific for almost two years, between 2020 and early 2022. Then, all of a sudden, their reign of terror came to an end. They suffered a data leak, closed down their website, and there were no more Conti ransomware attacks.

But have the suspected Russian-backed hacker group really retired, or are we likely to face Conti ransomware again in the future?

Let's investigate by starting off with the question...


What is Conti ransomware?

Before we dive into answering the question “what is Conti ransomware?”, we need to first explain what ransomware is.

Ransomware is malicious software (malware) that is uploaded to a computer system to block access until a large sum of money is paid. It uses encryption to hold an organization's important files, databases, or applications to ransom.

In most cases, the hackers will set a payment deadline and if the victim doesn't pay on time, then the ransom increases until they do. Or...it's goodbye data!

Conti ransomware is a little bit different.

It's a type of two-pronged attack or “double-extortion” ransomware.

It doesn't just encrypt the data to block access but also copies it. When the ransom isn't paid, the cybercriminals leak the data to the public or sell it to an interested party on the dark web.

They might do this even if the ransom is paid!

But what made Conti ransomware so devastating was the speed at which it encrypted data and spread to other systems. According to “The 2022 Crypto Crime Report” by Chainalysis, Conti was the most successful ransomware strain in 2021.

How does Conti ransomware work?

Like many ransomware attacks, a Conti attack tends to start off with a highly targeted phishing attack. Using social engineering, the hackers trick an employee into clicking on a malicious link that installs the malware, giving the hackers remote access to the system.

From there, Conti spreads like wildfire through servers, files, backups, and even security software, encrypting everything and making copies as it goes. Every folder will be blocked by a ransom note informing the victim of the takeover and the ransom terms.
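The two behaviours described above, and in the double-extortion section earlier, leave a very recognisable trail on a host: one process rewriting or renaming a large number of files across many folders in a short time, and the same note file appearing in folder after folder. The following Python script is an added example written for this article, not Conti's code or any vendor's detection rule; it runs over a constructed file-event log, and the process names, paths, note file name and thresholds are all assumptions made for illustration.

```python
"""Toy host-level detector for ransomware-like file activity (added example).

Two rules are evaluated per process over a sliding time window:
  - mass_modification: >= min_files distinct files written/renamed in
    >= min_dirs distinct folders
  - ransom_note: a file with the same name created in >= min_note_dirs folders
The sample event log below is constructed; "svc_update.exe" and
"PLACEHOLDER_NOTE.txt" are placeholders, not real Conti indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath


def build_sample_events():
    """Construct a small event log: a user saving one document a few times,
    then a second process rewriting 24 documents across 6 folders and dropping
    the same note file into each folder, all inside one minute."""
    t0 = datetime.fromisoformat("2023-02-20T09:00:00")
    events = []
    for k in range(3):  # benign activity
        events.append((t0 + timedelta(seconds=30 * k), "winword.exe", "write",
                       r"C:\Users\ann\Documents\report.docx"))
    t1 = t0 + timedelta(minutes=5)
    for k in range(24):  # constructed encryption burst: rename sweep
        events.append((t1 + timedelta(seconds=k), "svc_update.exe", "rename",
                       rf"C:\Share\dept{k % 6}\file{k}.docx"))
    for d in range(6):  # constructed note drop, one per folder
        events.append((t1 + timedelta(seconds=30 + d), "svc_update.exe", "create",
                       rf"C:\Share\dept{d}\PLACEHOLDER_NOTE.txt"))
    return events


def detect(events, window=timedelta(seconds=60), min_files=20, min_dirs=5,
           min_note_dirs=3):
    """Return a list of alert dicts, at most one per (process, rule, note name)."""
    by_proc = defaultdict(list)
    for ts, proc, op, path in events:
        ts = datetime.fromisoformat(ts) if isinstance(ts, str) else ts
        by_proc[proc].append((ts, op, path))

    alerts = []
    for proc, evs in by_proc.items():
        evs.sort()
        fired = set()
        for i in range(len(evs)):
            start = evs[i][0]
            modified, dirs, notes = set(), set(), defaultdict(set)
            for ts, op, path in evs[i:]:  # events inside [start, start+window]
                if ts - start > window:
                    break
                folder, name = ntpath.split(path)
                if op in ("write", "rename"):
                    modified.add(path)
                    dirs.add(folder)
                elif op == "create":
                    notes[name].add(folder)
            if ("mass_modification" not in fired and len(modified) >= min_files
                    and len(dirs) >= min_dirs):
                fired.add("mass_modification")
                alerts.append({"process": proc, "rule": "mass_modification",
                               "files": len(modified), "folders": len(dirs)})
            for name, folders in notes.items():
                key = ("ransom_note", name)
                if key not in fired and len(folders) >= min_note_dirs:
                    fired.add(key)
                    alerts.append({"process": proc, "rule": "ransom_note",
                                   "note": name, "folders": len(folders)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

On the constructed log the benign editor never trips either rule, while the second process produces one mass_modification alert and one ransom_note alert. In practice the thresholds would be tuned against the host's normal file-activity baseline, and the note rule is the cheaper of the two because it needs no content inspection at all.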

Image source: Malwarebytes

What (or who) was the Conti group?

The Conti group was (or is) a cybercriminal gang offering Ransomware as a Service (RaaS): a business model that basically takes the Software as a Service model to a dark place.

RaaS works on a subscription basis where bad-acting affiliates sign up to use already-developed ransomware tools to carry out the attacks. The big bucks go to the RaaS provider and the affiliate takes home a percentage of each successful ransom payment.

The Conti group is believed to be a cell of a Russia-based cybercriminal group known as Wizard Spider. That was until a member of the Conti ransomware gang leaked files... But more on that later!

Wizard Spider is like an umbrella group creating smaller cybercriminal groups and using them to develop and distribute highly sophisticated malware tools such as Ryuk, TrickBot, Bazar Loader, and Conti ransomware.

In fact, the Conti group is thought to be an evolution of Ryuk, using some of the same members and code for its ransomware attacks.

Wizard Spider has been active since about 2016 and according to one Irish Times reporter, is “the biggest and most advanced gang in the world's first cyber-cartel.”

The identity of its members is as yet unknown, but both Wizard Spider and its Conti gang members are thought to be based in and around St Petersburg, Russia.

According to leaked Conti communications (which we'll get to a little later), there are key players known only by their “handles”.

The U.S. State Department's Rewards for Justice (RFJ) program has offered a $10,000 reward for any information that would lead to the identification or location of Conti members known only as: Target, Professor, Reshaev, Tramp, and Dandis.

Image source: Rewards for Justice

How Conti operated

The Conti gang operated much like a regular tech company. They had a website, internal management systems, business development units, R&D activity, a finance department, and HR functions.

It also had a traditional organizational hierarchy with team leaders reporting to upper management. They even had an employee of the month program.

As of July 2021, the cybercriminal business had 87 salaried employees, several physical offices, and a diverse workforce including managers, coders, testers, ransom operators, hackers, sysadmins, HR, affiliates, and campaign engineers.

Conti would recruit via hacker forums on the dark web or by abusing the systems of regular recruitment services.

It appears that not every Conti member knew they were working as part of the world's most notorious cybercriminal gang, at least not in the beginning.

The Conti ransomware gang's leaked files showed details of a remote interview where a potential hire was told the company developed software “for pentesters”. (Pentesters identify security flaws within a network or computer system.) Other employees were led to believe they were working for an ad company.

Most notable Conti ransomware attacks

In the FBI's “Internet Crime Report 2021,” Conti's ransomware was the most active of the top three ransomware variants targeting critical infrastructure in the USA. In 2021, it was found that Conti most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors.

But they weren't their only focus.

Here are a few of Conti's biggest ransomware attacks:

Irish Health Service

In May 2021, Conti attacked Ireland's national health service. The ransom demand of $20 million for the decryption key was flatly refused by the Health Service Executive (HSE). The Minister of State for eGovernment described the Conti attack as "the most significant cybercrime attack on the Irish State".

It resulted in:

  • the encryption of 80% of HSE systems
  • the HSE's payment system crashing
  • 700 GB of data stolen
  • canceled outpatient appointments
  • pediatric services and maternity services affected
  • a vaccine portal for Covid-19 being shut down
  • delays with issuing birth, death, or marriage certificates

The stolen data, which included sensitive patient information, correspondence, minutes of meetings, and corporate documents, was uploaded to VirusTotal, a malware scanning site, where it was downloaded 23 times before being removed.

The Conti ransomware attack on Ireland's national health service (HSE) has reportedly cost the country $48 million so far but the total recovery cost is expected to rise to $100 million.

Graff Diamonds, high-end jeweler

Graff Diamonds Corp. was hit by the Russian hacker group in October 2021. The British luxury jeweler has a high-profile client list that includes some of the wealthiest people in the world, including Oprah, Donald Trump, and the royal families of Saudi Arabia, the United Arab Emirates, and Qatar.

The ransomware gang demanded a payment of $15 million in bitcoin (BTC) of which Graff offered half.

This time, the gang got their payday.

But not before Conti had leaked 69,000 confidential documents including customer lists, invoices, receipts, and credit notes.

The group claimed the leaked details were just 1% of the stolen files in their possession. To avoid any further leaks and potential embarrassment for their high-profile clients, Graff paid up. Graff is now having to sue their insurers for their refusal to cover the ransom payment.

Costa Rica

On May 8th, 2022, Costa Rica's newly elected president took office, and his first order of business was to declare a national state of emergency. All thanks to a month-long Conti ransomware battle that was crippling the economy and reduced the country's services to pen and paper.

The ransomware, which had attacked at least 27 institutions, was estimated to be costing the country $38 million for each day the systems were down.

The ransom demand started out at $10 million but was doubled when the Costa Rican government refused to pay. Conti leaked 97% of the stolen data and encouraged the people of Costa Rica to rise up and pressure their government into paying.

Costa Rica stood its ground and instead reached out for help from the more tech-savvy nations of the USA and Spain, which sent expert teams and donated software from Microsoft, IBM, and Cisco.

But Conti's most impactful ransomware attack so far, one that brought an entire country to its knees, was to be its last.

In the middle of the attack, Conti disbanded and was suddenly no more.

This brings us neatly to...

The demise of Conti

So, what made Conti close down its very successful ransomware powerhouse? Well, as it turns out, all was not well in the house of Conti. At the end of February, shortly after Russia stomped its way into Ukraine, Conti released a statement in full support of the Russian government.

Image source: Twitter

This message was later edited to be slightly less damning but still declared that the group was ready to retaliate should any Western state attempt to attack Russian infrastructure.

Image source: Krebs On Security

This didn't sit well with one “Ukrainian security researcher” who claims to have infiltrated the group sometime before. However, given the scale of the leak and the type of data, it's much more likely that the “researcher” was a former group member.

Via a Twitter account called “Conti Leaks”, the individual shared files of approximately 60,000 messages from the Conti chat logs for the past 2 years, plus source code, bitcoin transaction details, and other files.

The logs not only showed the inner workings of the cybercrime syndicate but also the cracks.

As it turns out, cybercrime gangs experience organizational problems just like regular companies. Issues of fast turnover, attrition, and a high burnout rate plagued the organization. Brian Krebs, the well-known cybersecurity investigative journalist, analyzed the Conti chat logs to find vents about endless work days with no breaks, and complaints of repetitive work and poor pay.

Over the next couple of months after the leak, the gang began dismantling its operations, and Conti gang members stopped receiving their salaries. This was all happening while the Costa Rica attack was in full swing. By the end of May, the two Tor servers that Conti used to leak data and negotiate with its ransomware victims finally went offline.

It seems strange that the gang would close down mid-attack, especially one that had an entire country by the balls!

Was it an attempt to go out with a bang that backfired?

Or was it simply a distraction? A misdirection allowing their members to slip away and regroup into smaller cells?

Conti Group: Dead or just sleeping?

While organizations may be tempted to breathe a sigh of relief that Conti is no more, there are few in the cybersecurity industry who believe that to be true.

The general consensus is that Conti group members haven't retired, but have either been reassigned to other Wizard Spider-controlled cyber cells, formed new ones, or merged with or infiltrated smaller groups. It's also highly possible that Wizard Spider will continue to control its web of hackers in its dispersed state.

There has also been speculation that a new strain of ransomware called Monti is just Conti rebranded. It uses the same base code as Conti and of course, there is the ridiculously similar name.

It could be a rebrand with the same threat actors at the helm, or it could simply be a doppelganger that has taken advantage of the Conti gang's leaked files, which included the Conti source code, and of the gap left in the cybercriminal market.

Really, only time will tell.

But as Vitali Kremez, CEO of the cybersecurity firm AdvIntel said, “They will reemerge more powerful and better than ever and more bulletproof. They will adapt, they will improve, some members will relocate. But they [Conti] will definitely not be pushed out of the market.”

Staying informed about cybersecurity risks is just one of the ways to protect your data and your privacy. Of course, cybercriminals are always developing new ways to get what they want. Check out the 6 Cyber Threats to Prepare for in 2023.

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
