Researchers at cyber threat intelligence company Prodaft discovered behind-the-scenes information on the notorious Conti ransomware group, identifying the real IP address of one of Conti’s payment portals in the process. They then monitored network traffic connecting to Conti’s servers for weeks. Prodaft shared their findings with the public and, in more detail, with law enforcement.
Ruthless Ransomware Gang
The Swiss-based Prodaft Threat Intelligence (PTI) team started analyzing Conti ransomware, which is affiliated with Ryuk, Hermes, and Wizard Spider, in September 2021, when the gang kept making headlines following attacks on high-profile organizations and particularly for their high ransom demands.
“Conti has shown itself to be a particularly ruthless group, indiscriminately targeting hospitals, emergency service providers, and police dispatchers”, said the PTI team in their report. “Conti also earned a reputation for not delivering decryption keys even after victims pay.”
Prodaft goes on to explain that simply telling companies not to pay isn’t enough. Therefore, they wanted to equip organizations and law enforcement agents with intelligence and insights to help them understand the threat, manage the risk, and find better practical solutions.
Conti Suffers a Security Breach
This time, it’s Conti’s turn to suffer a security breach. While tracing Conti’s steps, the PTI team detected a vulnerability in Conti’s recovery servers. They managed to use this vulnerability to identify the real IP address of a payment portal. The gang uses this portal to negotiate ransom payments with their victims.
PTI then monitored network traffic connecting to the server for several weeks. They also successfully gained access to several parts of Conti’s RaaS infrastructure. “This gave us cutting-edge insight into the way Conti manages its affiliates and ransomware technology”, emphasized Prodaft.
One of the security researchers’ main objectives was to reveal the identity of Conti affiliates, developers, and servers and gain insight into their methods of communication. During this phase of the investigation, the PTI team also discovered multiple victim chat sessions and captured login credentials.
Where the Money Flows
London-based blockchain analysis provider Elliptic Ltd wrote the financial section in Prodaft’s report. During the investigation, the PTI team identified 113 bitcoin addresses. “100 of these addresses related to a single ransomware attack in which the victim requested to pay Conti in 100 separate transactions in order to hide the payment from tax and audit authorities.”
Taking this into account, Elliptic believes that the addresses identified during this research are connected to 14 separate ransomware incidents. 50% of these attacks resulted in a payment to Conti. Researching the addresses and the incoming payments, Elliptic estimates that, since July 2021, Conti has received over 500 bitcoin in ransomware payments, valued at over $25.5 million.
Most of the time, ransomware operators only take a small percentage of these payments. Affiliates receive the majority of the ransom. However, on 22 September 2021, the US Cybersecurity & Infrastructure Security Agency (CISA) issued an alert revealing that Conti developers pay the deployers a wage, rather than a percentage of the proceeds.
Server Offline, But Only Briefly
Following the publication of the report, the Conti gang scrambled to take their payment portals offline, fearing rival ransomware groups may try to hijack their servers. However, some 24 hours later, they were back online and couldn’t resist leaving a pejorative message on their blog.
“Looks like Europeans have also decided to abandon their manners and go full-gansta simply trying to break our systems. Well, it’s good to finally have a legit opponent, after all it gets boring when you only deal with chimpanzees […].”
Conti confirmed Prodaft’s findings but branded some of them as disinformation. “The reported 25kk which we ‘made since July’ is straight-up BS – we’ve made around 300kk at least.”