Microsoft on Tuesday released software updates to plug at least 70 security holes in its Windows operating systems and related software. For the second month running, there are no scary zero-day threats looming for Windows users (that we know of), and relatively few “critical” fixes. And yet we know from experience that attackers are already trying to work out how to turn these patches into a roadmap for exploiting the flaws they fix. Here’s a look at the security weaknesses Microsoft says are most likely to be targeted first.

Greg Wiseman, product manager at Rapid7, notes that three vulnerabilities fixed this month have been previously disclosed, potentially giving attackers a head start in working out how to exploit them. Those include remote code execution bugs CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client. CVE-2022-24459 is a vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated “Important” by Microsoft.

Just three of the fixes this month earned Microsoft’s most-dire “Critical” rating, which Redmond assigns to bugs that can be exploited to remotely compromise a Windows PC with little to no help from users. Two of those critical flaws involve Windows video codecs. Perhaps the most concerning critical bug quashed this month is CVE-2022-23277, a  remote code execution flaw affecting Microsoft Exchange Server.

“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it,” Wiseman said. “Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.”

CVE-2022-24508 is a remote code execution bug affecting Windows SMBv3, the technology that handles file sharing in Windows environments.

“This has potential for widespread exploitation, assuming an attacker can put together a suitable exploit,” Wiseman said. “Luckily, like this month’s Exchange vulnerabilities, this, too, requires authentication.”

Kevin Breen, director of cyber threat research at Immersive Labs, called attention to a trio of bugs fixed this month in the Windows Remote Desktop Protocol (RDP), which is a favorite target of ransomware groups.

“CVE-2022-23285, CVE-2022-21990 and CVE-2022-24503 are a potential concern especially as this infection vector is commonly used by ransomware actors,” Breen said. “While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough of a risk to be a priority.”

March’s Patch Tuesday also brings an unusual update (CVE-2022-21967) that might just be the first security patch involving Microsoft’s Xbox device.

“This appears to be the first security patch impacting Xbox specifically,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself.”

Also on Tuesday, Adobe released updates addressing six vulnerabilities in Adobe Photoshop, Illustrator and After Effects.

Lumen Technologies, an American company that operates one of the largest Internet backbones and carries a significant percentage of the world’s Internet traffic, said today it will stop routing traffic for organizations based in Russia. Lumen’s decision comes just days after a similar exit by backbone provider Cogent, and amid a news media crackdown in Russia that has already left millions of Russians in the dark about what is really going on with their president’s war in Ukraine.

Monroe, La. based Lumen [NYSE: LUMN] (formerly CenturyLink) initially said it would halt all new business with organizations based in Russia, leaving open the possibility of continuing to serve existing clients there. But on Tuesday the company said it could no longer justify that stance.

“Life has taken a turn in Russia and Lumen is unable to continue to operate in this market,” Lumen said in a published statement. “The business services we provide are extremely small and very limited as is our physical presence. However, we are taking steps to immediately stop business in the region.”

“We decided to disconnect the network due to increased security risk inside Russia,” the statement continues. “We have not yet experienced network disruptions but given the increasingly uncertain environment and the heightened risk of state action, we took this move to ensure the security of our and our customers’ networks, as well as the ongoing integrity of the global Internet.”

According to Internet infrastructure monitoring firm Kentik, Lumen is the top international transit provider to Russia, with customers including Russian telecom giants Rostelecom and TTK, as well as all three major mobile operators (MTS, Megafon and VEON).

“A backbone carrier disconnecting its customers in a country the size of Russia is without precedent in the history of the internet and reflects the intense global reaction that the world has had over the invasion of Ukraine,” wrote Doug Madory, Kentik’s director of Internet analysis.

It’s not clear whether any other Internet backbone providers — some of which are based outside of the United States — will follow the lead of Lumen and Cogent. But Madory notes that as economic sanctions continue to exact a toll on Russia’s economy, its own telecommunications firms may have difficulty paying foreign transit providers for service.

Ukrainian leaders petitioned the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit organization charged with overseeing the global domain name system — to disconnect Russia’s top-level domain (.ru) from the Internet. ICANN respectfully declined that request, but many technology giants, including Amazon, Apple and Microsoft, have moved on their own to suspend new business in the country.

Meanwhile, Russia recently cracked down on the last remaining vestiges of a free press within its borders, passing a new law that threatens up to 15 years in jail for anyone who publishes content that refers to the conflict in Ukraine as a “war” or “invasion.”

As Neil MacFarquhar writes for The New York Times, what little coverage there is on Russian television networks about the invasion does not include any footage of the devastation wrought by Russian troops on the Ukrainian citizenry. At the same time, the Russian government has blocked Facebook and partly blocked Twitter, while other platforms like TikTok have suspended services in the country.

“To spend several days watching news broadcasts on the main state channels, as well as surveying state-controlled newspapers, is to witness the extent of the Kremlin’s efforts to sanitize its war with the Orwellian term ‘special military operation’ — and to make all news coverage align with that message,” MacFarquhar wrote.

The Washington Post, which was the first to report on Cogent’s decision last week, wrote that these independent actions by private tech companies collectively “will leave Russians more dependent than ever on government propaganda that already dominates the nation’s newspapers and broadcast stations, leaving few ways to access independent sources of news at a time when the country has entered a severe political crisis.”

In a blog post titled “Why the World Must Resist Calls to Undermine the Internet,” Internet Society President Andrew Sullivan said cutting a whole population off the Internet will stop disinformation coming from that population — but it also stops the flow of truth.

“Without the Internet, the rest of the world would not know of atrocities happening in other places,” Sullivan wrote. “And without the Internet, ordinary citizens of many countries wouldn’t know what was being carried out in their name. Our best hope, however dim, is that those supporting an aggressive regime will change their support. More information can help, even as disinformation circulates. We need a better understanding of what is and is not disinformation.”

There is another — perhaps less popular — camp, which holds that isolating Russia from the rest of the Internet might be THE thing that encourages more Russians to protest the war in Ukraine, and ultimately to take back control of their own country from its autocratic and kleptocratic leaders.

Not long after Russia invaded Ukraine, I heard from an old pen-pal in Ukraine: Sergey Vovnenko, a.k.a. “Flycracker,” a.k.a the convicted Ukrainian cybercriminal who once executed a plot to have me framed for heroin possession. Vovnenko did his time in a U.S. prison, left Fly behind, and we have since buried the hatchet. He’s now hunkered down in Lviv, Ukraine, which is serving as a major artery for refugees seeking shelter outside Ukraine’s borders.

These days, Vovnenko says he is working with many sympathetic hackers to fight the Russians online. Asked what he thought about the idea of Russia being isolated from the rest of the Internet, Vovnenko said it couldn’t happen soon enough given the Russian government’s new media blitz to cast the war in a patriotic light.

“I think they should be disconnected, maybe Russian people will rebel against Putin after that,” he said.

Three stories here last week pored over several years’ worth of internal chat records stolen from the Conti ransomware group, the most profitable ransomware gang in operation today. The candid messages revealed how Conti evaded law enforcement and intelligence agencies, what it was like on a typical day at the Conti office, and how Conti secured the digital weaponry used in their attacks. This final post on the Conti conversations explores different schemes that Conti pursued to invest in and steal cryptocurrencies.

When you’re perhaps the most successful ransomware group around — Conti made $180 million last year in extortion payments, well more than any other crime group, according to Chainalysis — you tend to have a lot digital currency like Bitcoin.

This wealth allowed Conti to do things that regular investors couldn’t — such as moving the price of cryptocurrencies in one direction or the other. Or building a cryptocurrency platform and seeding it with loads of ill-gotten crypto from phantom investors.

One Conti top manager — aptly-named “Stern” because he incessantly needled Conti underlings to complete their assigned tasks — was obsessed with the idea of creating his own crypto scheme for cross-platform blockchain applications.

“I’m addicted right now, I’m interested in trading, defi, blockchain, new projects,” Stern told “Bloodrush” on Nov. 3, 2021. “Big companies have too many secrets that they hold on to, thinking that this is their main value, these patents and data.”

In a discussion thread that spanned many months in Conti’s internal chat room, Stern said the plan was to create their own crypto universe.

“Like Netherium, Polkadot and Binance smart chain, etc.,” Stern wrote. “Does anyone know more about this? Study the above systems, code, principles of work. To build our own, where it will already be possible to plug in NFT, DEFI, DEX and all the new trends that are and will be. For others to create their own coins, exchanges and projects on our system.”

It appears that Stern has been paying multiple developers to pursue the notion of building a peer-to-peer (P2P) based system for “smart contracts” — programs stored on a blockchain that run whenever predetermined conditions are met.

It’s unclear under what context the Conti gang was interested in smart contracts, but the idea of a ransomware group insisting on payments via smart contracts is not entirely new. In 2020, researchers from Athens University School of Information Sciences and Technology in Greece showed (PDF) how ransomware-as-a-service offerings might one day be executed through smart contracts.

Before that, Jeffrey Ladish, an information security consultant based in Oakland, Calif., penned a two-part analysis on why smart contracts will make ransomware more profitable.

“By using a smart contract, an operator can trustlessly sell their victims a decryption key for money,” Ladish wrote. “That is, a victim can send some money to a smart contract with a guarantee that they will either receive the decryption key to their data or get their money back. The victim does not have to trust the person who hacked their computer because they can verify that the smart contract will fairly handle the exchange.”

The Conti employee “Van” appears to have taken the lead on the P2P crypto platform, which he said was being developed using the Rust programming language.

“I am trying to make a p2p network in Rust,” Van told a co-worker “Demon” on Feb. 19, 2022. “I’m sorting it out and have already started writing code.”

“It’s cool you like Rust,” Demon replied. “I think it will help us with smart contracts.”

Stern apparently believed in his crypto dreams so much that he sponsored a $100,000 article writing contest on the Russian language cybercrime forum Exploit, asking interested applicants to put forth various ideas for crypto platforms. Such contests are an easy way to buy intellectual property for ongoing projects, and they’re also effective recruiting tools for cybercriminal organizations.

“Cryptocurrency article contest! [100.000$],” wrote mid-level Conti manager “Mango,” to boss Stern, copying the title of the post on the Exploit forum. “What the hell are you doing there…”

A few days later Mango reports to Stern that he has “prepared everything for both the social network and articles for crypto contests.”

DISTRIBUTED DENIAL OF DISCORD?

On June 6, 2021, Conti underling “Begemot” pitched Stern on a scheme to rip off a bunch of people mining virtual currencies, by launching distributed denial-of-service (DDoS) attacks against a cryptocurrency mining pool.

“We find young forks on exchanges (those that can be mined), analyze their infrastructure,” Begemot wrote.

Begemot continues:

“Where are the servers, nodes, capitalization, etc. Find a place where crypto holders communicate (discord, etc. ). Let’s find out the IP of the node. Most likely it will be IPv6. We start ddosing. We fly into the chat that we found earlier and write that there are problems, the crypt is not displayed, operations are not carried out (because the crypt depends on mining, there will really be problems ). Holders start to get nervous and withdraw the main balance. Crypto falls in price. We buy at a low price. We release ddos. Crypto grows again. We gain. Or a variant of a letter to the creators about the possibility of a ransom if they want the ddos ​​to end. From the main problem points, this is the implementation of Ipv6 DDoS.”

Stern replies that this is an excellent idea, and asks Begemet to explain how to identify the IP address of the target.

SQUID GAMES

It appears Conti was involved in “SQUID,” a new cryptocurrency which turned out to be a giant social media scam that netted the fraudsters millions of dollars. On Oct. 31, 2021, Conti member “Ghost” sent a message to his colleagues that a big “pump” moneymaking scheme would be kicking off in 24 hours. In crypto-based pump-and-dump scams, the conspirators use misleading information to inflate the price of a currency, after which they sell it at a profit.

“The big day has arrived,” Ghost wrote. “24 hours remaining until the biggest pump signal of all time! The target this time will be around 400% gains possibly even more. We will be targeting 100 million $ volume. With the bull market being in full effect and volumes being high, the odds of reaching 400% profit will be very high once again. We will do everything in our power to make sure we reach this target, if you have missed our previous big successful pumps, this is also the one you will not want to miss. A massive pump is about to begin in only 24 hours, be prepared.”

Ghost’s message doesn’t mention which crypto platform would be targeted by the scam. But the timing aligns with a pump-and-dump executed against the SQUID cryptocurrency (supposedly inspired by the popular South Korean Netflix series). SQUID was first offered to investors on Oct. 20, 2021.

As Gizmodo first reported on Nov. 1, 2021, just prior to the scam SQUID was trading at just one cent, but in less than a week its price had jumped to over $2,856.

Gizmodo referred to the scam as a “rug pull,” which happens when the promoter of a digital token draws in buyers, stops trading activity and makes off with the money raised from sales. SQUID’s developers made off with an estimated $3.38 million (£2.48m).

“The SQUID crypto coin was launched just last week and included plenty of red flags, including a three-week old website filled with bizarre spelling and grammatical errors,” Gizmodo’s Matt Novak wrote. “The website, hosted at SquidGame.cash, has disappeared, along with every other social media presence set up by the scammers.”

Part I of this series examined newly-leaked internal chats from the Conti ransomware group, and how the crime gang dealt with its own internal breaches. Part II explored what it’s like to be an employee of Conti’s sprawling organization. Today’s Part III looks at how Conti abused a panoply of popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims.

Conti is by far the most successful ransomware group in operation today, routinely pulling in multi-million dollar payments from victim organizations. That’s because more than perhaps any other ransomware outfit, Conti has chosen to focus its considerable staff and talents on targeting companies with more than $100 million in annual revenues.

As it happens, Conti itself recently joined the $100 million club. According to the latest Crypto Crime Report (PDF) published by virtual currency tracking firm Chainalysis, Conti generated at least $180 million in revenue last year.

On Feb. 27, a Ukrainian cybersecurity researcher who is currently in Ukraine leaked almost two years’ worth of internal chat records from Conti, which had just posted a press release to its victim shaming blog saying it fully supported Russia’s invasion of his country. Conti warned it would use its cyber prowess to strike back at anyone who interfered in the conflict.

The leaked chats show that the Conti group — which fluctuated in size from 65 to more than 100 employees — budgeted several thousand dollars each month to pay for a slew of security and antivirus tools. Conti sought out these tools both for continuous testing (to see how many products detected their malware as bad), but also for their own internal security.

A chat between Conti upper manager “Reshaev” and subordinate “Pin” on Aug. 8, 2021 shows Reshaev ordering Pin to quietly check on the activity of the Conti network administrators once a week — to ensure they’re not doing anything to undermine the integrity or security of the group’s operation. Reshaev tells Pin to install endpoint detection and response (EDR) tools on every administrator’s computer.

“Check admins’ activity on servers each week,” Reshaev said. “Install EDR on every computer (for example, Sentinel, Cylance, CrowdStrike); set up more complex storage system; protect LSAS dump on all computers; have only 1 active accounts; install latest security updates; install firewall on all network.”

Conti managers were hyper aware that their employees handled incredibly sensitive and invaluable data stolen from companies, information that would sell like hotcakes on the underground cybercrime forums. But in a company run by crooks, trust doesn’t come easily.

“You check on me all the time, don’t you trust me?,” asked mid-level Conti member “Bio” of “Tramp” (a.k.a. “Trump“), a top Conti overlord. Bio was handling a large bitcoin transfer from a victim ransom payment, and Bio detected that Trump was monitoring him.

“When that kind of money and people from the street come in who have never seen that kind of money, how can you trust them 1,000%?” Trump replied. “I’ve been working here for more than 15 years and haven’t seen anything else.”

OSINT

Conti also budgeted heavily for what it called “OSINT,” or open-source intelligence tools. For example, it subscribed to numerous services that can help determine who or what is behind a specific Internet Protocol (IP) address, or whether a given IP is tied to a known virtual private networking (VPN) service. On an average day, Conti had access to tens of thousands of hacked PCs, and these services helped the gang focus solely on infected systems thought to be situated within large corporate networks.

Conti’s OSINT activities also involved abusing commercial services that could help the group gain the upper hand in ransom negotiations with victims. Conti often set its ransom demands as a percentage of a victim’s annual revenues, and the gang was known to harass board members of and investors in companies that refused to engage or negotiate.

In October 2021, Conti underling “Bloodrush” told his manager “Bentley” that the group urgently needed to purchase subscriptions to Crunchbase Pro and Zoominfo, noting that the services provide detailed information on millions of companies, such as how much insurance a company maintains; their latest earnings estimates; and contact information of executive officers and board members.

In a months-long project last year, Conti invested $60,000 in acquiring a valid license to Cobalt Strike, a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten “Coba” licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network. It appears $30,000 of that investment went to cover the actual cost of a Cobalt Strike license, while the other half was paid to a legitimate company that secretly purchased the license on Conti’s behalf.

Likewise, Conti’s Human Resources Department budgeted thousands of dollars each month toward employer subscriptions to numerous job-hunting websites, where Conti HR employees would sift through resumes for potential hires. In a note to Conti taskmaster “Stern” explaining the group’s paid access on one employment platform, Conti HR employee “Salamandra” says their workers have already viewed 25-30 percent of all relevant CVs available on the platform.

“About 25% of resumes will be free for you, as they are already opened by other managers of our company some CVs are already open for you, over time their number will be 30-35%,” Salamandra wrote. “Out of 10 CVs, approximately 3 will already be available.”

Another organizational unit within Conti with its own budget allocations — called the “Reversers” — was responsible for finding and exploiting new security vulnerabilities in widely used hardware, software and cloud-based services. On July 7, 2021, Stern ordered reverser “Kaktus” to start focusing the department’s attention on Windows 11, Microsoft’s newest operating system.

“Win11 is coming out soon, we should be ready for this and start studying it,” Stern said. “The beta is already online, you can officially download and work.”

BY HOOK OR BY CROOK

The chats from the Conti organization include numerous internal deliberations over how much different ransomware victims should be made to pay. And on this front, Conti appears to have sought assistance from multiple third parties.

Milwaukee-based cyber intelligence firm Hold Security this week posted a screenshot on Twitter of a conversation in which one Conti member claims to have a journalist on their payroll who can be hired to write articles that put pressure on victim companies to pay a ransom demand.

“There is a journalist who will help intimidate them for 5 percent of the payout,” wrote Conti member “Alarm,” on March 30, 2021.

The Conti team also had decent working relationships with multiple people who worked at companies that helped ransomware victims navigate paying an extortion demand in virtual currency. One friendly negotiator even had his own nickname within the group — “The Spaniard” — who according to Conti mid-level manager Mango is a Romanian man who works for a large ransomware recovery firm in Canada.

“We have a partner here in the same panel who has been working with this negotiator for a long time, like you can quickly negotiate,” Trump says to Bio on Dec. 12, 2021, in regards to their ransomware negotiations with LeMans Corp., a large Wisconsin-based distributor of powersports equipment [LeMans declined to comment for this story].

Trump soon after posts a response from their negotiator friend:

“They are willing to pay $1KK [$1 million] quickly. Need decryptors. The board is willing to go to a maximum of $1KK, which is what I provided to you. Hopefully, they will understand. The company revenue is under $100KK [$100 million]. This is not a large organization. Let me know what you can do. But if you have information about their cyber insurance and maybe they have a lot of money in their account, I need a bank payout, then I can bargain. I’ll be online by 21-00 Moscow time. For now, take a look at the documents and see if there is insurance and bank statements.”

In a different ransom discussion, the negotiator urges Conti to reconsider such a hefty demand.

“My client only has a max of $200,000 to pay and only wants the data,” the negotiator wrote on Oct. 7, 2021. “See what you can do or this deal will not happen.”

Many organizations now hold cyber insurance to cover the losses associated with a ransomware attack. The logs indicate Conti was ambivalent about working with these victims. For one thing, the insurers seemed to limit their ability to demand astronomical ransom amounts. On the other hand, insured victims usually paid out, with a minimum of hassle or protracted back-and-forth negotiations.

“They are insured for cyber risks, so what are we waiting for?” asks Conti upper manager “Revers,” in a conversation on Sept. 14, 2021.

“There will be trades with the insurance company?” asks Conti employee “Grant.”

“That’s not how it works,” Revers replied. “They have a coverage budget. We just take it and that’s it.”

Conti was an early adopter of the ransomware best practice of “double extortion,” which involves charging the victim two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed. Indeed, some variation of the message “need decryptors, deletion logs” can be seen throughout the chats following the gang’s receipt of payment from a victim.

Conti victims were directed to a page on the dark web that included a countdown timer. Victims who failed to negotiate a payment before the timer expired could expect to see their internal data automatically published on Conti’s victim shaming blog.

The beauty of the double extortion approach is that even when victims refuse to pay for a decryption key — perhaps because they’re confident they can restore systems from backups — they might still pay to keep the breach quiet.

“Hello [victim company redacted],” the gang wrote in January 2022. “We are Conti Group. We want to inform that your company local network have been hacked and encrypted. We downloaded from your network more than 180GB of sensitive data. – Shared HR – Shared_Accounting – Corporate Debt – Departments. You can see your page in the our blog here [dark web link]. Your page is hidden. But it will be published if you do not go to the negotiations.”

“We came to an agreement before the New Year,” Conti member “Skippy” wrote later in a message to the victim company. “You got a lot of time, more than enough to find any sum and fulfill your part of this agreement. However, you now ask for additional time, additional proofs, etc. Seems like you are preparing to break the agreement and flee, or just to decrease the sum. Moreover, it is a very strange request and explanation. A lot of companies pay such amounts without any problems. So, our answer: We are waiting for the above mentioned sum until 5 February. We keep our words. If we see no payment and you continue to add any conditions, we begin to upload data. That is all.”

And a reputation for keeping their word is what makes groups like Conti so feared. But some may come to question the group’s competence, and whether it may now be too risky to work with them.

On Mar. 3, a new Twitter account called “Trickbotleaks” began posting the names, photos and personal information of what the account claimed were top Trickbot administrators, including information on many of the Conti nicknames mentioned throughout this story. The Trickbotleaks Twitter account was suspended less than 24 hours later.

On Mar. 2, the Twitter account that originally leaked the Conti chat (a.k.a. “jabber”) records posted fresh logs from the Conti chat room, proving the infiltrator still had access and that Conti hadn’t figured out how they’d been had.

“Ukraine will rise!,” the account tweeted. “Fresh jabber logs.”

There may yet be at least one more piece in this series. Look here next week for a story about some of Conti’s more interesting extracurricular moneymaking and investment schemes.

Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

The Conti group’s chats reveal a great deal about the internal structure and hierarchy of the ransomware organization. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires.

Other Conti departments with their own distinct budgets, staff schedules, and senior leadership include:

–Coders: Programmers hired to write malicious code, integrate disparate technologies
–Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
–Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
–Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
–Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware.

Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.

A great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti manager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster who can be seen constantly needling the staff for reports on their work.

In July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to hire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

The Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the Trickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously test, maintain and expand this infrastructure 24 hours a day, 7 days a week.

Conti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza had its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.

According to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders and software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the next. For example, on multiple occasions the organization was forced to fire many employees as a security precaution in the wake of its own internal security breaches.

In May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s malware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires, Stern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both Hof and Reverse appear to have direct access to the Emotet crimeware platform.

Trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity experts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as Ryuk. First spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in first year of its operation Ryuk earned more than $61 million in ransom payouts.

“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for some time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital systems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing COVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across multiple industries.”

On May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of Conti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. It took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at at estimated cost of more than $600 million.

It remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s operations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020 Conti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.

“Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools, techniques and procedures are nearly identical to Conti’s.

“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and spotting his own code being re-used in high-profile ransomware attacks by Ryuk.

“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,” Abrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by the same people.”

ATTRITION

Each Conti employee was assigned a specific 5-day workweek, and employee schedules were staggered so that some number of staff was always on hand 24/7 to address technical problems with the botnet, or to respond to ransom negotiations initiated by a victim organization.

Like countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of Bitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.

However, many employees used the Conti chat room to vent about working days on end without sleep or breaks, while upper managers ignored their repeated requests for time off.

Indeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and administrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation to the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being approached to work for competing ransomware organizations, and the overall morale of the group seemed to fluctuate between paydays.

Perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees, meaning the group was forced to constantly recruit new talent.

“Our work is generally not difficult, but monotonous, doing the same thing every day,” wrote “Bentley,” the nickname chosen by the key Conti employee apparently in charge of “crypting” the group’s malware — ensuring that it goes undetected by all or at least most antivirus products on the market.

Bentley was addressing a new Conti hire — “Idgo” — telling him about his daily duties.

“Basically, this involves launching files and checking them according to the algorithm,” Bentley explains to Idgo. “Poll communication with the encoder to receive files and send reports to him. Also communication with the cryptor to send the tested assembly to the crypt. Then testing the crypt. If jambs appear at this stage , then sending reports to the cryptor and working with him. And as a result – the issuance of the finished crypt to the partner.”

Bentley cautioned that this testing of their malware had to be repeated approximately every four hours to ensure that any new malware detection capability added to Windows Defender — the built-in antivirus and security service in Windows — won’t interfere with their code.

“Approximately every 4 hours, a new update of Defender databases is released,” Bentley told Idgo. “You need to work for 8 hours before 20-21 Moscow time. And career advancement is possible.” Idgo agrees, noting that he’d started working for Conti a year earlier, as a code tester.

OBSERVATIONS

The logs show the Conti gang is exceedingly good at quickly finding many potential new ransomware victims, and the records include many internal debates within Conti leadership over how much certain victim companies should be forced to pay. They also show with terrifying precision how adeptly a large, organized cybercrime group can pivot from a single compromised PC to completely owning a Fortune 500 company.

As a well-staffed “big game” killing machine, Conti is perhaps unparalleled among ransomware groups. But the internal chat logs show this group is in serious need of some workflow management and tracking tools. That’s because time and time again, the Conti gang lost control over countless bots — all potential sources of ransom revenue that will help pay employee salaries for months — because of a simple oversight or mistake.

Peppered throughout the leaked Conti chats — roughly several times each week — are pleadings from various personnel in charge of maintaining the sprawling and constantly changing digital assets that support the group’s ransomware operation. These messages invariably relate to past-due invoices for multiple virtual servers, domain registrations and other cloud-based resources.

On Mar. 1, 2021, a low-level Conti employee named “Carter” says the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers and domain registrations is short $1,240 in Bitcoin.

“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote on Nov. 24, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”

As part of the research for this series, KrebsOnSecurity spent many hours reading each day of Conti’s chat logs going back to September 2020. I wish I could get many of those hours back: Much of the conversations are mind-numbingly boring chit-chat and shop talk. But overall, I came away with the impression that Conti is a highly effective — if also remarkably inefficient — cybercriminal organization.

Some of Conti’s disorganized nature is probably endemic in the cybercrime industry, which is of course made up of criminals who are likely accustomed to a less regimented lifestyle. But make no mistake: As ransomware collectives like Conti continue to increase payouts from victim organizations, there will be increasing pressure on these groups to tighten up their operations and work more efficiently, professionally and profitably.

Stay tuned for Part III in this series, which will look at how Conti secured access to the cyber weaponry needed to subvert the security of their targets, as well as how the team’s leaders approached ransom negotiations with their victims.