Conti Operates Like A Sophisticated Corporation

Uploaded on 2022-03-29 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW

After analysing leaked documents, Check Point Research (CPR) can give new details on the inside operations of Conti, the notorious Russian ransomware group. 

Conti is structured like a high-technology company, with clear management, finance and HR functions. Conti recruits not only from underground, but legitimate sources, borrowing CV pools without permission.

Indeed, some employees have no clue that they are part of a cyber criminal operation andCPR has also learned that Conti has business expansion plans for a crypto exchange and a Darknet social network.

CPR has gained new details into the inside-operations of Conti ransomware group which operates a ransomware-as-a-service (RaaS) business model, which allows affiliates to rent access to its infrastructure to launch attacks.

Industry experts have said Conti is based in Russia and may have ties to Russian intelligence. Conti has been blamed for ransomware attacks targeting dozens of businesses and critical infrastructure, like the Irish Health service. The Conti group has several physical offices, including in Russia where the HR team offers monthly bonuses, fines, nominates the employee of the month and undertakes performance reviews. 

On February 27 of this year, a cache of chat logs belonging to the Conti were leaked online at the hands of an alleged insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine. CPR analysed the leaked files, learning that the ransomware groups operates like a large technology company.

Conti has an HR department, a hiring process, offline office premises, salaries and bonus payments.

Details of Conti’s Inside-Operations

Conti operates like a technology company with a defined hierarchical structure. CPR identified the main people involved with their names: Stern (big boss), Bentley (technical lead), Mango (manager of general questions), Buza (technical manager), Target (manager responsible for coders and their products), Veron aka Mors (focal point of the group’s operations with Emotet).

  • Team leaders who report to upper management.
  • Main groups observed: HR, coders, testers, crypters, sysadmins, reverse engineers, offensive team, OSINT Specialists and Negotiation Staff.

Staff Work In A Physical Office

The Conti group has several physical offices. These are curated by "Target", Stern's partner and effective head of office operations, who is also responsible for the wage fund, office technical equipment, the hiring process and personnel training. 

During 2020, offline offices were mainly used by testers, offensive teams and negotiators; Target mentions 2 offices dedicated to operators who are speaking directly with victim representatives.

  •  In August 2020, an additional office was opened for sysadmins and programmers, under the purview of "Professor, who is responsible for the whole technical process of securing a victim infection.
  • Compensation: monthly bonuses, fines, employee of the month, performance reviews.
  • Members of Conti's negotiating team (including OSINT specialists) are paid by commissions, calculated as a percentage of the paid ransom amount that ranges from 0.5% to 1%. Coders and some of the managers are paid a salary in bitcoin, transferred once or twice a month.
  • Conti employees are not protected by their local labor boards, and so have to endure some practices that typical tech employees are exempt from, such as being fined for underperforming.
  • While fines are mostly used as an established tool in the coder department, they are sporadically employed on in other departments - for example, in IT and DevOps, where one person responsible for depositing money was fined $100 for a missed payment:

Talent Is Recruited From Both Legitimate & Criminal Sources  

For recruiting business staff used by Conti, the HR team use Russian-speaking headhunting services such as headhunter.ru. They have slso used other sites, but reportedly with less success.

Conti corporate policy forbids leaving traces of developer job openings on such websites, a regulation stringently enforced by one of the higher-ups, "Stern" For hiring developers, Conti bypasses the headhunter.ru job system, instead directly accessing the CV pool and contacting candidates by email. You might wonder "why does headhunter.ru offer such a service?", and the answer is, they don't. Conti simply "borrowed" the CV pool without permission, which seems to be standard practice in the cybercrime world.

Some Conti Employees Don’t Know It Is A Cyber Crime Business

In one online job interview, a manager tells a potential hire for the coding team: "everything is anonymous here, the main direction of the company is software for pen-testers". In another example, a group member known by the moniker "Zulas", most likely the person who developed Trickbot's backend in the Erlang programming language. Zulas is passionate about Erlang, eager to show examples of his other work, and even mentions his real name.

When his manager mentions that his "trick" (Trickbot) project was seen by "half of the world", Zulas does not understand the reference, calls the system "lero" and reveals that he has no idea what his software is doing and why the team goes to such lengths to protect member identities. His interlocutor tells him that he is working on a backend for an ad analytics system.

Conti Is Working On Plans For A Crypto Exchange & A Darknet Social Network

One of the ideas discussed was creating a crypto exchange in the group's own ecosystem. Another project is the “darknet social network” (also: "VK for darknet" or "Carbon Black for hackers"), a project inspired by Stern and carried out by Mango, planned to be developed as a commercial project. In July 2021 Conti was already in contact with a designer, who produced a few mockups.

Lotem Finkelstein, Head of Threat Intelligence and Research, at Check Point Research commented, “For the first time, we have a glass door to a group that has been known to be the face of ransomware. Conti acts like a high-tech company. We see hundreds of employees in a hierarchy of managers. We see an HR function, with people responsible for different departments."

Even when employees find out the truth  they decide to stay, revealing that the Conti management team has developed a process for retaining employees. Conti has developed an internal culture to develop profits, as well as fining employees for undesirable behaviour. 

Check Point Research

You Might Also Read: 

Russian Hackers Account For 74% Of Ransomware Proceeds:

 

 

« Operating Technology Security Issues Are Increasing
LAPSUS$ Hackers Claim Responsibility For Large Scale Corporate Attacks »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Checkmarx

Checkmarx

Checkmarx provides state-of-the-art application security solutions with static code analysis software.

Digital Infrastructure Association (DINL)

Digital Infrastructure Association (DINL)

DINL is the leading representative for companies and organisations which are active within the Dutch digital infrastructure sector.

Ellipsis Technologies

Ellipsis Technologies

Ellipsis Technologies is a diversified technology company that develops innovative security software for websites and online applications.

GulfTalent

GulfTalent

GulfTalent is the leading job site for professionals in the Middle East and Gulf region covering all sectors and job categories, including cybersecurity.

Sixgill

Sixgill

Sixgill, an IoT sensor platform company, builds the universal data service and smart process automation software allowing any organization to effectively govern its IoE assets.

ITsMine

ITsMine

ITsMine’s Beyond DLP solution is a leading Data Loss Prevention solution used by organizations to protect against internal and external threats automatically.

CloudSEK

CloudSEK

CloudSEK has set its sights on building the world’s fastest and most reliable AI technology, that identifies and resolves digital threats.

Greenberg Traurig (GT)

Greenberg Traurig (GT)

Greenberg Traurig, LLP (GT) is a global law firm with offices in 40 locations in the United States, Latin America, Europe, Asia, and the Middle East.

CloudBolt Software

CloudBolt Software

CloudBolt provide solutions for your toughest cloud challenges. From automation, to cost and security, and hybrid IT governance — we have you covered.

Trisul Network Analytics

Trisul Network Analytics

Trisul helps organizations deploy full spectrum deep network monitoring which can serve as a single source of truth for performance monitoring, security analytics, threat detection and compliance.

Resourcive

Resourcive

Resourcive is the first Value Added Sourcing “VAS” consultancy. We deliver strategic IT sourcing solutions to mid-market and enterprise clients.

Washington Technology Solutions (WaTech)

Washington Technology Solutions (WaTech)

WaTech operates the state’s core technology infrastructure – the central network and data center, provides strategic direction for cybersecurity and protects state networks from growing cyber threats.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.

Precision Cybertechnologies & Digital Solutions (Precision-Cyber)

Precision Cybertechnologies & Digital Solutions (Precision-Cyber)

Precision-Cyber was founded on the philosophy of state-of-the-art cybersecurity and digital solutions. Our guiding principle is simply that we will provide and secure all your digital needs.

Nothreat

Nothreat

Nothreat has revolutionized how businesses like yours protect themselves from damaging cyber attacks. Our tech learns and adapts in real time, protecting clients from even zero-day attacks.

Securitybricks

Securitybricks

Securitybricks specialize in cloud security and compliance. Our mission is to automate regulatory compliance backed by human validation.