Ukraine, Conti, and the law of unintended consequences

The Russian invasion of Ukraine has demonstrated the law of unintended consequences in a most unexpected way.  By publicly backing the invasion, the heretofore most prolific ransomware group in the world inspired a backlash that appears to have temporarily crippled the group’s ability to operate and given unprecedented insight into the world of ransomware operators.

Conti ransomware 101

Advances in cryptography have spawned new types of applications and business models.  Unfortunately, one of them is ransomware.   Combined with cloud computing, you get an especially virulent variety, ransomware-as-a-service (RaaS).  Among the practitioners of this dark art, the most successful in 2021 was Conti, a Russia-based group.

The basic premise behind ransomware is to encrypt data on computer systems such that only the holder of the decryption key can decipher the data (in Conti’s case, a variant of AES-256).  The organization behind the attack then offers to sell the key to the victim.  This is often combined with a dual-extortion scheme, where stolen data is threatened to be released.

Conti has taken this basic “business model” and refined it to the tune of almost $200 million in 2021. 

The basic idea has a wide range of variations in the wild.  The most prominent perpetrators of this kind of extortion are organized gangs.  Many of these gangs are known to operate in Russia, with the tacit (or possibly explicit) approval of Russian security services.  These often explicitly do not attack targets within Russia.

Although the Colonial Pipeline attack of 2021 was not the work of Conti, it brought wide attention to the issue (and sweeping regulatory response).  It saw a major piece of US oil infrastructure fall prey to ransomware, and ultimately the company paid out the 75 bitcoin ransom demand (the lion’s share of which was later recovered by the US Federal Bureau of Investigation, though how they did this is not known).

Conti is egalitarian in picking their victims, including government institutions, corporations, and individuals.  Although Conti (and other such groups) claim not to target hospitals, schools, and the like, Conti’s attacks have included first-responder and medical systems, hampering their ability to deal with the Covid pandemic and a devastating attack on Ireland’s Public Healthcare System.  In the world of cybercrime, Conti seems to dispense with honor among thieves.

According to reports, a steady stream of victims pay out their ransoms quietly, without fanfare.  Meanwhile, national and international cybersecurity experts work to counter them and educate the public as to their approaches.

On this global stage, a dramatic plot twist unfolded: Russia invaded Ukraine. 

The unraveling

The Russian invasion of Ukraine inspired Conti to issue a threat to those who opposed the invasion, making clear its support for Putin’s actions.  This was a bold public statement of support for Putin’s invasion, and it apparently exposed fault lines within Conti itself.  In short order, someone within the organization, or who obtained access, began unleashing a torrent of jaw dropping leaks giving insight into the internals of the so-called company.

These leaks are still arriving at the time of writing on this Twitter account.  They include chat logs, source code, infrastructure details, and identities—including GitHub profiles—of alleged gang members.

The chat logs are primarily from the Jabber service and purport to include communications from the highest levels of the Conti.  In addition to clear-eyed discussion of cyberextortion as though it were a legitimate line of business, they reveal a nasty environment of bigotry, antisemitism and misogyny, as well as a banal setting similar in tone to remote office workers everywhere.

It’s a curious mix of the everyday and the astonishing that reveals a lot about the world of cybercrime.  Perhaps the most telling is just how commonplace, work-a-day the process has become.  The organization has developed hacking kits that make the process of compromising networks something even entry level folks can get into.  (Amazingly, some new hires are even led to believe that they are working on legitimate white hat penetration testing.)

The logs also reveal an intense interest in cryptocurrencies like Bitcoin within chats soliciting ideas about how best to get into crypto.  These ambitions include building their own decentralized systems, possibly for expediting the exchange of ransoms, or perhaps as a new means of driving income, or perhaps simply because it’s the cool thing to do these days.

Conti is constantly updating their capabilities to reflect the latest vulnerabilities, for example, Conti was all over the Log4Shell vulnerability.

The leaks also reveal more about the ties of Conti to Russia and the FSB.

The sources are posted to VirusTotal in this tweet.  BleepingComputer has successfully compiled and run the locker/decryptor package without issue.   The leaks also include sources for the notorious TrickBot malware, a kind of all-in-one hacking package.

Hacktivists have their day

This is not the first time the group has been offered a taste of their own medicine.  In 2021, a disgruntled ‘partner’ revealed other information about the group.

This recent leak, however, is of a more thoroughgoing character, and has apparently compromised the ability of the group to function.  Although experts think the group will reconfigure to continue its activities, it’s not clear they will be able to operate at the same level as previously seen.  They dismantled a significant portion of their infrastructure in response to the leaks.

Much of the leak is in Cyrillic, and there is a lot of it.  It’s an epic undertaking to parse and contextualize the information, especially as regards the practical technical information it provides for identifying and counteracting ransomware operators, but it’s clear the information is already having a profound effect on Conti, whose top boss has reportedly gone into hiding as a result.

This is not the only instance of hacktivism inspired by the Ukraine invasion.  For instance, the @beehivecybersec group posted a successful attack that brought the Russian foreign ministry website down.  A broader implication here is the power of sentiment in the global community to sway the force of cybersecurity and hacking activity one way or the other.  There is an interplay of the actual and virtual worlds here, and the invasion may have altered the shape of things in a fundamental way going forward.

By dividing the previous unity found in not attacking Slavic nations, the invasion has introduced a rift into the ransomware community.  Conti will probably reconfigure itself and return to its business of extortion, but the landscape in which it operates may never look the same.

The role that cybersecurity and cybercrime play in world events grows ever more prominent, as made clear in a March 21, 2021 announcement from US President Biden, where the threat of cyberattack from Russia is clearly spelled out.

The US Cybersecurity and Infrastructure Security Agency has issued an ongoing advisory covering the general cybersecurity situation, and a specific one for Conti, with up-to-date alerts.  These advisories are updated to reflect developments as the agency incorporates information from the leaks, including indicators of compromise as well as data on the various elements of their tactics for gaining access to networks.