Inside Conti ransomware group’s leaked chat logs

April 6, 2022

In February, more than 60,000 messages were leaked from the backend of a Jabber server that the Conti ransomware group used for internal communications, dating back to January 2021. Digital Shadows has examined the leak and brought it into context with its own research, providing a rare look into the cybercriminal group’s inner workings.

The Conti ransomware group is one of the most prolific ransomware groups currently operating. The group claims to have compromised 50+ new victims, such as Oiltanking Deutschland GmbH and Mabanaft Deutschland GmbH.

In March, the Ukrainian cybersecurity researcher who leaked the chats also released a password-protected archive, which contained an older version of the Conti ransomware source code, as well as the source code for version three of the ransomware to VirusTotal, a website created by the Spanish security company Hispasec Sistemas.

“It’s rare to obtain reliable primary source intelligence about threat actors’ tactics, techniques, and procedures (TTPs), structures and hierarchies, working patterns, undisclosed victims, private infrastructure, and cryptocurrency usage,” Digital Shadows says. “And then the sheer size of the data set is both a blessing and a curse — while it’s a huge treasure trove of information, making your way through every single message would take years.”

Here are some four insights that the Digital Shadows Photon Research Team learned from examining the logs:

1. Conti doesn’t work during the weekend: Conti’s operations resemble those of a real-world professional establishment. The Photon Research Team looked at the time and date stamps of messages contained within the logs and noticed a significant drop-off in the number of messages the group members sent on Saturdays and Sundays (see graph below).

Graph showing the average number of messages sent per day throughout the data set. Image courtesy of Digital Shadows

2. Workload corresponds with chat activity: Data analyzed by the research team reveals a correction between successful ransomware attacks and message activity. The peak in attacks and increased number of victim tippers in November 2021 coincided with a peak in messaging activity before decreasing, which shows that the more victims Conti successfully attacks, the more work must go on behind the scenes to discuss tactics and illicit payments from victims.

Graph showing number of Digital Shadows’ portal tippers for new Conti victims

Graph showing the number of Digital Shadows’ portal tippers for new Conti victims mapped against the number of messages sent per month in the Conti logs data set. Image courtesy of Digital Shadows

3. Activity varies per month: The number of messages sent per month varied wildly, from a high of over 8,000 in November 2021 to less than 2,000 in February that same year.

Graph showing the number of messages sent per month in the Conti logs data set. Image courtesy of Digital Shadows

4. Leadership: When looking at the distribution of messages among all different users named in the chat logs, the cybersecurity research team observed that the top 10% of users accounted for 80% of the messages sent. This indicates that a handful of users play a major role in running operations, suggesting that important decisions and strategizing are concentrated in a small group. In particular, one user stood out with more than 80,000 messages. Users repeatedly referred to this user as “boss” or “chef,” indicating that they have a leading role within the organization.

5. Working hours: After looking at activity distributed over the working day, Digital Shadows found that several Conti affiliates focus their efforts on a limited number of hours per day, with activity increasingly slowly between 0500 and 1200, peaking between 1200 and 1800. Conti affiliates are likely located over a wide geographic area, which indicates the peak activity is a crossover time in which operators all over the globe are all online at the same time.

Graph showing messages sent by hour (time zone unknown). Image courtesy of Digital Shadows

For the full analysis, please visit https://www.digitalshadows.com/blog-and-research/five-things-we-learned-from-the-conti-chat-logs/.

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry. Within her role at Security, she works to produce several Special Reports and other stories for the monthly eMagazine, Newswire articles, Web Exclusive features, as well as manage social media, the 5 minutes with series, and the Today’s Cybersecurity Leader and Security enewsletter. She graduated from the University of Illinois at Urbana-Champaign with a bachelor’s in English and Creative Writing.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Inside Conti ransomware group’s leaked chat logs

Recent Articles by Maria Henriquez

Beware potential ransomware attacks on QNAP NAS products

3 key cybersecurity trends in the energy sector

U.S. warns against hiring North Korean IT staff

Hackers compromise NFT Discord channels

US, EU expand access to cybersecurity tools for SMBs

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Inside Conti ransomware group’s leaked chat logs

Recent Articles by Maria Henriquez

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.