The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang’s inner workings and its members were made public.
According to MalwareHunterTeam, “while both the clearweb and Tor domains of the leak site of the Conti ransomware gang are online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) are down.”
It’s not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT offered an unprecedented look into the group’s ransomware-as-a-service (RaaS) model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims.
The result? Three members of the Conti team have been identified so far, playing the respective roles of admin (“Tokyo”), assistant (“[email protected][.]jp”), and recruiter (“IT_Work”), the last of whom attracts new affiliates into their network.
While ransomware attacks work by encrypting the victims’ sensitive information and rendering it inaccessible, threat actors have increasingly latched on to a two-pronged strategy called double extortion: they demand a ransom payment for decrypting the data and threaten to publish the stolen information if the payment is not received within a specific deadline.
“Conti customers – affiliate threat actors – use [a digital] management panel to create new ransomware samples, manage their victims, and collect data on their attacks,” noted the researchers, detailing the syndicate’s attack kill chain leveraging PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) and FortiGate (CVE-2018-13374 and CVE-2018-13379) vulnerabilities to compromise unpatched systems.
Emerging on the cybercrime landscape in October 2019, Conti is believed to be the work of a Russia-based threat group called Wizard Spider, which is also the operator of the infamous TrickBot banking malware. Since then, at least 567 different companies have had their business-critical data exposed on the victim shaming site, with the ransomware cartel receiving over 500 bitcoin ($25.5 million) in payments since July 2021.
What’s more, an analysis of ransomware samples and the bitcoin wallet addresses utilized for receiving the payments has revealed a connection between Conti and Ryuk, with both families heavily banking on TrickBot, Emotet, and BazarLoader for actually delivering the file-encrypting payloads onto victims’ networks via email phishing and other social engineering schemes.
PRODAFT said it was also able to gain access to the group’s recovery service and an admin management panel hosted as a Tor hidden service on an Onion domain, revealing extensive details of a clearnet website called “contirecovery[.]ws” that contains instructions for purchasing decryption keys from the affiliates. Interestingly, an investigation into Conti’s ransomware negotiation process published by Team Cymru last month highlighted a similar open web URL named “contirecovery[.]info.”
“In order to tackle the complex challenge of disrupting cybercriminal organizations, public and private forces need to work collaboratively with one another to better understand and mitigate the wider legal and commercial impact of the threat,” the researchers said.
Update: The Conti ransomware’s payment portals are back up and running, more than 24 hours after they were first taken down in response to a report that identified the real IP address of one of its recovery (aka payment) servers — 217.12.204[.]135 — with the gang apparently using the downtime to tighten the infrastructure’s security measures.
“Looks like Europeans have also decided to abandon their manners and go full-gansta simply trying to break our systems,” the gang said in a statement posted on their blog, effectively confirming PRODAFT’s findings, but characterizing the details as “simply disinformation,” and adding that “the reported 25kk which we ‘made since July’ is straight-up BS – we’ve made around 300kk at least.”