In February 2022, a Twitter account under the name of ‘ContiLeaks’ began releasing information about the Conti gang's activities. A big portion of the leaked information, some 60,000 internal chat messages, has already been analysed by the cybersecurity community. The analysis provides a remarkable glimpse into the internal entanglements of this gang. The robber den appears to be an ordinary office, where usual office hours are prevalent and there is hassle over salaries that have not been paid.
More interestingly, the leaked chats reveal that Conti wants to focus on crypto currencies and develop blockchain solutions. If the group succeeds in this, it could have a major impact. Especially since, according to reports, Conti is being disbanded and the Conti’s overarching infrastructure is also being dismantled. However, the ransomware gang is said to be continuing in smaller "business units. The Conti brand name disappears, but the organisation does not.
The leaked information includes a series of chats between top Conti figures. These chats divulge plans for the gang’s aspiration in blockchain and crypto currency being discussed between Stern, the chairman or president, and Mango, the chief operating officer in charge of internal affairs at Conti. Mango is responsible for turning Stern's ideas into reality and must employ the right people to do so. Stern repeatedly talks about his ‘blockchain dream’ and calls for a brainstorm around his vision.
Four scenarios
As far as we know, Conti itself has not yet developed a usable blockchain application, although the gang has used blockchain in the cloud before. Given the top executive's calls, there will certainly now be investment in the development of blockchain applications of its own. The chats don't provide a lot of details, but they do provide a picture of a wide range of possible applications, from launching their own crypto currency to using blockchain for smart contracts and internal communications, among other things.
Based on what we saw in the leaked chats, we arrived at four scenarios for blockchain applications that stand out: corporate espionage, extortion, crypto market manipulation and building an internal communications network.
Focus on corporate espionage
Proprietary blockchain would make it far easier for Conti to store stolen data it acquired in ransoms. If the gang succeeds in building their own blockchain, this data becomes nearly untouchable and therefore cannot be removed from a server by investigative agencies (or competitors). Having a place to store stolen data makes it easier to analyse and sift through for potential company secrets, as opposed to the current practice of simply dumping the data on leak blogs after a brief check. This opens up a possibility for Conti becoming more targeted in their operations, and more involved in corporate espionage, as opposed to the more prevalent ‘spray and pray’ tactic of ransomware affecting a very large array of different organizations and businesses. Less risk for Conti, more impact on the victim (e.g., by violating GDPR).
The stolen data is safely stored in a blockchain and can easily be compartmentalised in smaller portions of interest, and parts of it can be passed on to a company in Russia or sold to the highest bidder. Blockchain also enables closed auctions for the stolen data. There will certainly be buyers, and these sales are expected to go through private channels that are an extra degree obscured from the security community’s eyes. Ransomware gangs already do not sell things in public as a rule; most of their communications are completely covert – we mostly only see advertisements and partner (affiliate) program recruitment. Conti will want to stay away from the big dark web platforms; the bigger and more active the platform, the more attention it will receive from the investigative services.
Subscriptions and discounts
Blockchain applications are also expected to simplify extortion and promote Conti's ransomware business. Stolen data can be traded more easily, but it is also possible to break it down into microtransactions, allowing Conti to offer its victims an instalment plan, buying back the data in a number of instalments as opposed to paying for one big bulk of the entire leak at the time. In addition, automated transactions and smart contracts are conceivable. This would allow for a reliable 'subscription' for the recovery of data – a ‘data back’ plan, if you will.
Also, getting back important data such as company secrets, potential blackmail material or other sensitive pieces could be made more expensive than other, less significant pieces of information that might not hold the same zest for a cyber extortion operation. And Conti could also give offers and discounts if, for example, payment is made before a certain date or on the occasion of a holiday, as is the normal practice in the malware selling world. Valentine’s Day special offers and Black Friday deals exist underground as well as at your local retailer. All with the aim of making it easier to persuade the victim to pay.
A crypto currency of their own
A more complicated but attractive business step for Conti is to create its own crypto currency. Such a coin will not be called a Conti coin of course, but will be legally marketed through a sham scheme. Proprietary crypto coins can then be used for money laundering, but can also be manipulated, for example, by pump & dump tactics, artificially inflating the price and selling the coin just before the bubble bursts. Manipulation can also consist of mixing legitimate and dirty crypto currencies.
While this remains in the realm of speculation, there is an instance of a Russian ex-hacker Peter “Severa” Levashov who has successfully launched his own crypto community and currency called SeveraDAO, whose project is going well, which could at the very least be an inspiration for aspiring ransomware gangs looking to delve into DeFi markets. Like in most crypto communities, its members have a say in how things go, making it a communal market of sorts. Now would also be a good time to launch a crypto currency, as there is lots of interest in crypto because the returns can be higher than on savings and other investments. Crypto is also attractive to a growing group of people who distrust the government. The topic has also become more accessible and less obscure to the larger public with the development of a large number of altcoins over the past decade and supporting wallets, decentralised mining centres, and mobile applications.
Communication under the radar
A very interesting application of blockchain Conti is considering is to build an internal communication platform, and possibly an entire mini social network. The leaked chats show that internal communication is by no means smooth, often having to go through a number of trusted middlemen.
Conti has problems not only with communication, but also with a negative psychological impact of an unclear chain of command. A blockchain-based social network makes the exchange of information clearer, easier and above all safer – in theory. One can also think of possibilities such as automated decision-making. Another important aspect is the certainty that internal communication will not be corrupted - or perhaps better communication will not embitter the team as much as it did. This will enable Conti to operate more efficiently and at the same time be much less visible, which will make it more difficult for investigative agencies to get a grip on the group.
The leaks make it clear that Conti is getting serious about blockchain. The top command has appointed dedicated researchers who have been looking into competitively solid alternatives Conti might get inspired by, and consistently inquired about recruiting new talent with experience and interest in DeFi and blockchain technologies. But there is still a long way to go. For now, it is a dream of Conti and that dream does not have to come true.
But if Conti succeeds in realizing one or more of the above-mentioned blockchain applications, it could have a major impact on the way this gang operates and therefore on the way Conti will have to be dealt with. Given statements made by gang leader Stern, it cannot even be ruled out that Conti will swap the ransomware business for more lucrative cybercrime enabled by blockchain and crypto currencies. Now that the organisation is going to split into business units, this is an even more plausible scenario. And now that the leaks are public, well, who knows if someone else out there reading them might get some fresh ideas to spice up their own criminal enterprise?
New approach needed
After the leaks we have not observed increased activity. Recently it has been 'business as usual' by continuing to compromise networks, exfiltrate data and finally deploy their ransomware. In the Netherlands, for example, Conti is still present and has recently left a mark in the form of a successful ransomware attack on housing corporations.
We have published a blog on methods and techniques observed during the recent incidents that Conti was involved in after the leak took place. But what is clear is that a technical angle for getting visibility into Conti’s activities will no longer suffice. We will have to rely much more on the follow-the-money principle and plug financial investigations in the already existing ones to a larger degree as the blockchain is becoming more and more of a factor to consider. That is not easy, but not impossible because most (crypto) money flows can, in principle, be followed. Financial investigations are not new. Focusing much more on disruption is fairly new since it is considered a grey area in cyber and normally reserved for national security forces.
Attacking and disrupting can possibly be a solution to tackle Conti. This means that a different mindset is needed for detection. For example, we will have to look more closely at how the secret services operate. Whether that is legally possible and morally permissible is another discussion. The best thing, however, would be to tightly regulate the crypto market. But that raises questions of how realistic that goal is.
Most worryingly, if Conti achieves success with blockchain, other ransomware gangs will undoubtedly follow suit, with major implications for how these gangs are dealt with.