When the hackers get hacked – Part II
A blog series unveiling the Conti ransomware family
In the previous blog, we presented the contents and origins of the leaked data related to the Conti ransomware gang. In addition, we translated the entire dataset and made it publicly available to the security community. In this blog, we dive into the details of the internal conversations among Conti gang actors. Our goal is to show what meaningful information can be extracted from the data. For this reason, we do not display all possible findings; instead, we focus on the most significant (most frequent) information. We acquired this information from an analysis of the leaked files “Conti Chat Logs 2020.7z” and “Conti Jabber Chat Logs 2021 – 2022.7z”. These two files contain hundreds of thousands of internal conversations from 2020 until 2022. The analysis in this blog is intended to answer the following questions:
- What is in the data (an overview of the communication)?
- What roles are played by actors in the Conti gang?
- Can we identify the real identity of the Conti actors?
- What IP addresses and URLs (HTTP and HTTPS) are part of Conti’s infrastructure?
- How many Conti victims are there and who are they?
Besides answering these questions, we explain how we arrived at those answers. As opposed to other blogs and webpages that analysed the same data, we are one of the few to add context to the data, employing data enrichment and drawing on our extensive experience from many ransomware incidents.
1. What is in the data (an overview of the communication)?
After uncompressing the two leaked files (“Conti Chat Logs 2020.7z” and “Conti Jabber Chat Logs 2021 – 2022.7z”), we found 544 .json files. After merging those files, we observed almost 169k records dating from 21/06/2020 until 02/03/2022. Overall, the data contains internal chats between actors of the Conti gang. It is important to stress that it does not contain direct conversations between Conti actors and their victims. However, we found some conversations in which Conti actors pasted snapshots of their conversation with a victim. The following table summarises the overall information of the data.
| # | File name | Content | Records | First record | Last record | Unique users |
|---|---|---|---|---|---|---|
| 1 | Conti Chat Logs 2020.7z | 148 files | 107.967 | 2020-06-21 | 2020-11-16 | 465 |
| 2 | Conti Jabber Chat Logs 2021 – 2022.7z | 396 files | 60.773 | 2021-01-29 | 2022-03-02 | |
After plotting the number of messages exchanged per day, depicted in the graph below, we noticed three gaps: (1) from 17/11/2020 to 18/01/2021, (2) on 07/02/2021 and (3) on 13/02/2021. According to the security journalist Brian Krebs, the first gap is mainly related to law enforcement actions. The other two gaps still have no clear explanation.
On average, actors in the chats sent 272 messages per day. Conversations in 2020 were clearly more frequent than in 2021 and 2022. Interestingly, on 23/07/2020, there was a peak of 2465 messages. Northwave is still investigating the reason for peaks in the entire dataset.
2. What roles are played by actors in the Conti gang?
Our analysis discovered 465 distinct actors. This section classifies the top ten actors who sent and received the most messages. In addition to the top ten, we decided to include the actor who occupies position 13 (bio). The reason is that, while 150 actors were active for more than one year, bio was active for only 49 days and was nonetheless already among the top actors. Below, we describe how we manually inferred the role of each of the leading actors. Please note that whenever we write “he”, “she” can also be read.
| # | Actor | Total messages | First message | Last message | Diff days | Inferred role |
|---|---|---|---|---|---|---|
| 1 | target | 36648 | 21/06/2020 | 22/10/2021 | 487 | Human resource manager |
| 2 | bentley | 36465 | 22/06/2020 | 01/03/2022 | 617 | Manager (and tester) of ransomware |
| 6 | deploy | 8955 | 22/06/2020 | 22/10/2021 | 487 | Programmer of ransomware (crypto) |
| 7 | driver | 7892 | 28/10/2020 | 22/02/2022 | 482 | Operational lead of programmers |
| 10 | professor | 6565 | 22/06/2020 | 17/01/2022 | 574 | Senior developer and tester |
1. Target. This actor proved to be one of the most difficult to determine the role of, because of the sheer message volume. From his writing and statements, we arrive at several conclusions. First, we concluded that he manages the testing department, based on a message where he said, “[…] I am building a testing department […].” However, we are most confident that target is a manager of human resources. We unravelled this since multiple actors talked to him regarding hiring. For example, salamandra said to target: “I am looking for candidates via mail on HH”; viper says to target: “salary depends on who I am looking for standard schedule from 9 – 6 online payment 2 times a month on the card”. Target sent messages to 38 distinct users and received messages from 39 distinct users.
2. Bentley. After analysing messages from and to bentley, we concluded that he manages the ransomware binaries and also acts as a tester. We deduced this because he wrote to the actor deploy messages like: “Please make 1 crypt gi11.dll and da11.dll for Tilar”, “Please make a loader dll crypt with a simple icon”, “Please make more crypts for Merch”, and “Please make a crypt gi6.dll for Tilar”. Bentley also asks deploy to create lockers on behalf of other actors (tilar and merch). It is clear that bentley also tests the ransomware programs; this finding is based on the following chats: “Yes. I am a tester. I pass it on to Deploy and Marcel and then test the result. And give to clients. Or whoever orders”, “[…] I am a tester. I test and issue them to clients”, and “Will be your tester from tomorrow”. Bentley sent messages to 105 distinct users and received messages from 97 distinct users.
3. Stern. After analysing messages from and to stern, we concluded that he is one of the big bosses and a task manager. We extrapolated this because he wrote, “handed out tasks to everyone here, as I see everything”. He receives messages from actors asking for instructions, for example the message from ceram: “Good afternoon. I am a new employee. Please instruct me.” Stern also wrote: “I am a cashier”; thus, he has access to the money of the group. Stern sent messages to 233 distinct users and received messages from 152 distinct users, which makes him one of the people who interacted with the most actors in the data.
4. Defender. After analysing messages from and to defender, we concluded that he is the system administrator. We inferred this because he reminded the bulk of the users to share their Jabber credentials. Also, defender receives questions on accounts and access to specific panels, such as (from stern) “give access to the mavemat project which is the proton checker bend”, (from viper) “make a test acc for new admins”, and (from salamandra) “need acc for new programmer”. Defender sent messages to 326 distinct users and received messages from 148 distinct users.
5. Hof. After analysing messages from and to hof, we concluded that he is the manager of the programmers. We figured this because he received messages such as (from xoc) “Hello. I am a new programmer. I was told to ask you for assignments.” Hof sent messages to 51 distinct users and received messages from 51 distinct users.
6. Deploy. After analysing messages from and to deploy, we concluded that he is a programmer focused on cryptography (the ransomware itself). We deduced this since he receives requests from bentley to create binaries for other actors with antivirus (AV) obfuscation through cryptography. Deploy wrote to target: “in general, yes. Crypt largely solves the problem of signature detection”. From this, we deduce that in this context ‘crypt’ refers to AV evasion. Deploy sent messages to 30 distinct users and received messages from 26 distinct users.
7. Driver. After analysing messages from and to driver, we concluded that he is the operational lead of the programmers. We inferred this because he is involved with the programmers at a lower, day-to-day level. He reminds people of their tasks, for example when he wrote: “you made a commitment on Thursday that you would finish by tonight. Then he unilaterally violated it and wrote what you would do on Fri.[..] Where is the outcome? How are we going to work with you?” and “Ok, there you have another small task to change the width of the field”. He also corrects the code of programmers, as he wrote: “+= means a = a + b; // You didn’t specify the field in the selection that you have in the output”, “Hello, I corrected the task code a little there, uploaded it to git, look too. Such a question, does it work for you?” and “it is not necessary to look for the cause by modules. I found it. The hammer will appear to test.” Driver sent messages to 24 distinct users and received messages from 20 distinct users.
8. Mango. After analysing messages from and to mango, we concluded that he is a general manager. We deduced this because he mentioned: “I am a general manager, if you need to contact me”. Mango sent messages to 129 distinct users and received messages from 125 distinct users.
9. Mushroom. After analysing messages from and to mushroom, we concluded that he is a programmer. We discovered this because he wrote memos on code changes, such as “I updated the bot in the admin panel, yesterday there was version 107, with non-working addresses.” Also, in a conversation in which target asked mushroom for advice on recruiting programmers, mushroom wrote: “I didn’t come by myself, they found me through an ad. See what this RingCentral consists of (what languages and libraries are used in it), based on this, look for a person who worked with these libraries and knows these languages, come up with a test task based on this […] It is better that these people have at least some open source projects on github or other places. Even better, they should be able to program on different platforms (Windows and Linux) at least.” Mushroom sent messages to 20 distinct users and received messages from 20 distinct users.
10. Professor. After analysing messages from and to professor, we concluded that he is a senior developer and tester. We unveiled this since he received messages requesting him to test things, such as from dorius: “Hello. on Monday you will need to test the shellcode to check the otstuk, there will be a check on the incodes that take the executable”. He also received the following message, seemingly sent to all programmers: “Hi all. To all developers, including the web, please send me a short list of your skills by programming languages and stacks. Thanks.” That professor is senior became clear from the following messages from target: “you are their teacher mentors” and “you are wikipedia for them”. Professor sent messages to 48 distinct users and received messages from 51 distinct users.
13. Bio. After analysing messages from and to bio, we concluded he is a negotiator who also analyses the value of data extracted from victims. We discovered that based on dozens of statements, for example: “I think we will press up to 1.5k”, “I made a 25% discount and they will pay within 48 hours”, and “I have a mountain of information to analyse”. Bio sent messages to 8 distinct users and received messages from 8 distinct users. 80% of his messages were exchanged with skippy (his negotiator friend) and tramp (his manager).
The take-away of this section is that, by reading the chats, we can identify the roles of most actors. Beyond the top actors, we identified lists of actors working under the management of other actors. For example, by recognising the programmers’ manager, we could compose a list of programmers. The same applies to the manager of the negotiators, the manager of the ransomware developers and others. Based on these inferences, we were able to identify more than half of the actors in the leaked chats. It was harder to classify actors with minimal interaction. Overall, we were impressed by the organisation and the size of the Conti gang. These aspects explain our observations on the number of victims the group could manage simultaneously.
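As an added illustration of the counting behind sections 1 and 2 (example code written for this post, not Northwave’s own tooling), the snippet below parses chat records in the assumed layout of the leaked JSON files (one object per message with ts, from, to and body fields; the sample records are constructed), tallies messages per day, detects gaps of days without any message like the three noted above, and derives the per-actor figures shown in the table (total messages, first and last message, active span, distinct correspondents).

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the record shape assumed for the leaked JSON files
# (one object per message with "ts", "from", "to" and "body"); not real leak data.
SAMPLE_JSON = """[
 {"ts": "2020-06-21T10:00:00", "from": "target@example.onion", "to": "bentley@example.onion", "body": "hi"},
 {"ts": "2020-06-21T10:05:00", "from": "bentley@example.onion", "to": "target@example.onion", "body": "hi"},
 {"ts": "2020-06-22T09:00:00", "from": "bentley@example.onion", "to": "deploy@example.onion", "body": "please make 1 crypt"},
 {"ts": "2020-06-25T09:00:00", "from": "deploy@example.onion", "to": "bentley@example.onion", "body": "done"},
 {"ts": "2020-06-25T11:00:00", "from": "target@example.onion", "to": "deploy@example.onion", "body": "status?"}
]"""

def load_records(text):
    """Parse one JSON file; reduce sender/recipient Jabber ids to the bare username."""
    recs = []
    for r in json.loads(text):
        recs.append({"day": datetime.fromisoformat(r["ts"]).date(),
                     "from": r["from"].split("@")[0],
                     "to": r["to"].split("@")[0],
                     "body": r["body"]})
    return recs

def messages_per_day(records):
    """Day -> number of messages, i.e. the series behind the per-day plot."""
    return Counter(r["day"] for r in records)

def find_gaps(per_day):
    """(first, last) day of every run of calendar days with no messages at all."""
    days = sorted(per_day)
    return [(prev + timedelta(days=1), nxt - timedelta(days=1))
            for prev, nxt in zip(days, days[1:]) if (nxt - prev).days > 1]

def actor_stats(records):
    """Per actor: total messages (sent + received), first/last day, active span
    in days, and the sets of distinct users messaged and heard from."""
    stats = defaultdict(lambda: {"total": 0, "first": None, "last": None,
                                 "sent_to": set(), "received_from": set()})
    for r in records:
        # a set so that a message an actor sends to himself is counted once
        for actor in {r["from"], r["to"]}:
            s = stats[actor]
            s["total"] += 1
            s["first"] = r["day"] if s["first"] is None else min(s["first"], r["day"])
            s["last"] = r["day"] if s["last"] is None else max(s["last"], r["day"])
        stats[r["from"]]["sent_to"].add(r["to"])
        stats[r["to"]]["received_from"].add(r["from"])
    for s in stats.values():
        s["diff_days"] = (s["last"] - s["first"]).days
    return dict(stats)
```

On the real dataset, the 544 files are loaded the same way and the record lists concatenated before calling the two aggregation functions.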
3. Can we identify the real identity of the actors in the data?
We identified 1076 different email addresses in the communication. We filtered out addresses at protonmail.com and on .onion domains, aiming to find personal emails (for attribution purposes). After this filter, 652 emails remain; these are discussed in this section.
After filtering, the top 10 addresses have a very similar syntax (especially the yahoo addresses). Three of these emails, [email protected], [email protected], and [email protected], are listed as part of TrickBot in a “notice of hearing re plaintiffs’ motion”. We observed that these emails are closely related: each of them is part of conversations between ganesh and stern, in which the former updates the latter on the list of credentials used to obtain access to their infrastructure. These messages are a copy/paste of a table (because they contain \n and \t in a structured way). A snapshot of one message is the following:
The columns seem to show the username (root), the IP address, and the password to access an element of the infrastructure (VPSs). The user [email protected] in this case, is the user registered with the VPS provider.
While the email addresses that appeared the most (the top of the list) are related to the infrastructure, there are 322 addresses that were seen only once in a chat. These are the ones most likely to enable attribution. One example comes from the actor zulas, who shared his personal jabber account [email protected]. Using this username (‘begemot_sun’) we easily discovered that it is linked to accounts on ‘habr.com’, on ‘github.com’, Skype, and others (see the screenshot of Google). From those social networks and messaging systems we also discovered his personal email (‘[email protected]‘). Based on his personal email, much more information can be discovered. All these users from different systems and social networks are linked by either the same email (‘[email protected]‘), the same name (Sergey Loguntsov), or the same birthday (’15th of July’). A Twitter user @trickleaks created the full profile of Sergey Loguntsov.
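The address extraction and filtering step of this section, as an added example (not the original analysis code): collect e-mail addresses from message bodies, drop protonmail.com and .onion addresses, and separate the frequently seen (infrastructure-related) addresses from those seen only once. The message bodies are constructed, and example.com, example.net and chat-example.onion are placeholder domains.

```python
import re
from collections import Counter

# Plain e-mail pattern; also matches Jabber ids such as user@host.onion.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Domains dropped before looking for personal addresses: the gang's own
# protonmail accounts and Jabber ids on .onion hosts carry no attribution value.
EXCLUDED_SUFFIXES = ("protonmail.com", ".onion")

# Constructed chat bodies for this example; not real leak content.
SAMPLE_BODIES = [
    "new acc: admin@protonmail.com",
    "contact me at ops@chat-example.onion",
    # a pasted credential table (tab-separated), as described above
    "root\t10.0.0.1\tpass123\tvps-owner@example.com\n"
    "root\t10.0.0.2\tpass123\tvps-owner@example.com",
    "my personal jabber: handle_one@example.net",
    "ping VPS-Owner@example.com when done",
]

def extract_emails(bodies):
    """Count every address found across the message bodies (case-folded)."""
    counts = Counter()
    for body in bodies:
        counts.update(m.lower() for m in EMAIL_RE.findall(body))
    return counts

def filter_for_attribution(counts):
    """Drop the excluded domains; keep the remaining addresses with their counts."""
    return Counter({addr: n for addr, n in counts.items()
                    if not addr.split("@")[1].endswith(EXCLUDED_SUFFIXES)})

def split_by_frequency(counts):
    """Addresses seen more than once (most frequent first) vs. seen exactly once."""
    frequent = [addr for addr, n in counts.most_common() if n > 1]
    singletons = sorted(addr for addr, n in counts.items() if n == 1)
    return frequent, singletons
```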