The bottom line
- Combining chat transcripts leaked in February with subsequent analysis of blockchain data, researchers have gained new insight into the infamous Conti ransomware gang.
- According to a CoinDesk analysis of the leaked chats, the gang used over-the-counter brokers in Russia to disburse cryptocurrencies extorted from victims and pay members for their work.
- At least one U.S. hospital attacked by the Conti ransomware during the coronavirus pandemic paid the ransom, internal communications from the hackers show.
- According to an analysis by Crystal Blockchain published Tuesday, ransom payments to the gang may have been as high as 725 BTC or more.
- New wallets used by Conti have been located, Crystal said.
In February, a hacker released chat logs from a notorious ransomware gang that provided a rare glimpse into the day-to-day operations of this criminal business and the important role cryptocurrencies play in it. But blockchain data helps paint a more complete picture.
The leaked messages show that the Conti hackers had more victims than previously known. They also revealed that some of these organizations paid to get their IT systems back, and that the gang had ties to another notorious cybercrime ring known as Ryuk. Perhaps most importantly, the cache revealed Conti's previously unknown Bitcoin (BTC) wallet addresses.
This served as a starting point for sleuths on the chain to complete other pieces of the puzzle. For example, blockchain data shows that at least one of the U.S. hospitals attacked during the pandemic may have paid ransom to the Conti hackers.
CoinDesk examined the Conti members' leaked messages and analyzed the hackers' crypto wallets and transactions using on-chain analytics firm Crystal Blockchain. The exercise underscores a persistent paradox of cryptocurrency: while an unsealed network with unblockable transactions is very useful to criminals, the public ledger leaves a trail of crumbs for law enforcement and researchers to find later.
Hackers get hacked
Ransomware gangs are a threat that has emerged in the cyber age. While the havoc they wreak on businesses is sometimes visible and tangible (remember the gas shortage caused by the Colonial Pipeline attack last year?), their identities and modus operandi remain mostly hidden.
Now the curtain has lifted somewhat as an indirect result of the war in Ukraine.
On February 25, after the invasion of Ukraine, the Conti Group declared its affiliation with the Russian government. On its official website, Conti threatened retaliation against the West in response to possible cyberattacks against Russia. This cyber saber-rattling appears to have been the catalyst for the leaks that surfaced in several places.
According to CNN, a Ukrainian security researcher who gained access to the group's IT infrastructure leaked to journalists and security researchers the messages that accumulated on the group's internal Jabber/XMPP server between 2020 and 2021. According to other media reports, the leak was caused by a disgruntled Ukrainian member of the Conti gang. The archived messages were published by a Twitter account dedicated to malware strain research, known as @vxunderground.
"The Conti ransomware group previously posted a message siding with the Russian government. Today, a Conti member started spreading data with the message 'F**k the Russian government, Glory to Ukraine!", @vxunderground tweeted.
The leaked communications of the Conti gang shed light on how different ransomware strains can be connected.
According to Conti's messages, the group has worked with various ransomware strains and groups that run those strains: Members mention working with Ryuk, Trikbot and Maze Ransomware. According to the news, Conti members not only ran their own ransomware business, but also provided tools and services to other hacker groups.
On June 23, 2020, the group's leader, nicknamed Stern, tells a subordinate manager, who goes by Target, in Russian, "Ryuk will be back from vacation soon. He will take all the bots we have. For him we need 5k companies." (It is not clear from the previous and subsequent messages which companies Stern was referring to).
The news also left a financial trail of this partnership: a bitcoin transaction between the Conti and Ryuk gangs, mentioned by Crystal Blockchain in a March blog post.
In September 2019, one of the bitcoin wallets linked to Conti sent 26.25 BTC (worth about $200,000 at the time) to a wallet linked to Ryuk, blockchain data shows.
"The payment information contained in the leaked chats supports this connection and shows that Conti likely tried to contact Ryuk," Crystal said in a blog post. "We also observed Ryuk sending payments directly to a Conti wallet that was mentioned several times in the chat history; this suggests an affiliation and some level of operational coordination between these two groups."
Read also: DarkSide hackers' bitcoin stash tracked down
Previously, cybersecurity researchers had pointed to a possible connection between the Ryuk and Conti ransomware operators, as the malware contained similar pieces of code. However, financial links between the Ryuk and Conti attackers have not been uncovered yet.
Advanced Intel's Vitali Kremez told Bleeping Computer that the ransomware strain used by Conti changed hands several times over several years, first as Hermes in 2017, then it was allegedly bought by other hackers and renamed Ryuk (possibly named after a Japanese manga character). Then "the group split, renamed itself or decided to switch to the name 'Conti,' which appears to be based on Ryuk version 2 code," Bleeping Computer wrote.
Conti operated during the coronavirus pandemic and attacked healthcare facilities around the world, more than half of which were in the United States, according to the FBI. Cybersecurity experts have long suspected that Conti, like many other ransomware gangs, is linked to the Russian state.
Ryuk is known to have hacked the publishing facilities of The New York Times and The Wall Street Journal in 2018, as well as several other companies. Both Ryuk and Conti used a variant of AES-256 encryption to encrypt victims' files and extort ransom for decryption keys.
The leaked messages also shed light on the range of companies successfully attacked, many of which were previously unknown.
Minnesota-based Ridgeview Medical Center was known to have been attacked by the Ryuk and Trickbot malware strains in 2020, the first year of the pandemic, along with a number of other U.S. healthcare facilities. The Conti Group was apparently behind these attacks as well: Members talk about successfully hacking into Ridgeview's network and encrypting data the medical center needed to operate.
According to Crystal, one transaction on October 30, 2020, was most likely the payment of 301 BTC (over $4 million at the time) that Ridgeview sent to Conti as ransom.
A day earlier, on October 29, Conti members Target and Stern mentioned that Ridgeview was willing to pay $2 million, or 151 BTC; however, Conti's alleged partner, the organizer of the attack, "wanted 300 BTC."
The hackers later prevailed, according to the chat logs, and on Oct. 30, 301 BTC was sent from an address attributed to crypto exchange Gemini to a wallet that appears to be indirectly connected to another wallet that Conti members mentioned in the chats as a payment address for the extortion, Crystal said.
Ridgeview did not respond to CoinDesk's request for comment by press time.
It's worth remembering that blockchain analyses are based on assumptions to some degree, and that matching a blockchain address to a specific real-world entity is almost never 100% accurate. Still, Crystal is quite confident in this case: transfers of hundreds of BTC don't happen every day.
"The method we used was to look for related transactions that had the same value as the ransomware and were discussed in the group," said Nick Smart, head of blockchain intelligence at Crystal. He added that Crystal had "90% confidence" that the transaction was the ransomware payment in question, given the timing, amount and connection to previously reported Conti wallets.
There were other, even larger payments that the criminal group was able to collect.
The highest ransom payment made to Conti by an unidentified victim company was 725 BTC, according to chat logs, Crystal said. That bitcoin amount, equivalent to about $8 million at the time, was paid by Chicago-based job board CareerBuilder, Crystal said, because the company was mentioned in the chats in connection with the 725 BTC payment.
The recipient of that payment may have been this bitcoin wallet, Crystal told CoinDesk. On Oct. 10, 2020, the address received 725 BTC and immediately sent it on to another address not associated with any crypto service, on-chain data shows. Aside from those two transactions, there were no other transactions involving the address.
CareerBuilder did not respond to CoinDesk's request for comment.
According to the leaked news, there may have been about 30 previously unreported victims of Conti, including Xerox (XRX), the iconic photocopier manufacturer, Crystal said. It was known that Xerox had been hacked by a ransomware gang in 2020; however, cybersecurity experts linked the hack to the Maze gang.
Chat logs do not indicate whether Xerox paid the ransom. In 2020, Xerox's customer support data was leaked, suggesting the company refused to pay the ransom and viewed the leaked internal data as punishment, ZDNet reported. Xerox declined to comment for this report.
Some other attacks around the same time were quite successful.
Conti members specifically discuss the attacks on Canadian pool manufacturer Softub and several U.S.-based companies: transportation company Piper Logistics, retail chain Sam's Furniture, outdoor equipment maker Clarus and cash processor Loomis.
Tom Lalonde, director of operations at Softub, told CoinDesk in an email that the company had stored its data in cloud-based backups and therefore had not paid a ransom.
However, the attack "caused quite a few issues," Lalonde said. The company had a number of ransomware attacks during that period," he added.
Piper Logistics, Sam's Furniture, Clarus and Loomis did not respond to requests for comment.
In the news, Conti members mention that they have attacked 89 companies, most of which are based in the U.S., as well as a number of Canadian, Australian and European companies. It's not clear how many of the attacks were successful and resulted in bitcoin payouts, but the scale of operations definitely appears to be massive, Crystal said in a blog post published Tuesday.
Conti members even mentioned plans to infect Pfizer (PFE), the major pharmaceutical manufacturer and co-developer of a COVID-19 vaccine, but it's not clear whether an attack was carried out and, if so, whether it was successful.
Crystal also claimed to have located several previously unreported Conti Group wallets thanks to the mention of these wallets in the chat logs: a wallet that received 200 BTC from an unidentified victim on October 26, 2020; a wallet that collected payouts from various attacks; a wallet used by gang members to manage operating expenses; and others.
The hacker's budgeting
According to the leaked chat logs, Conti had some big plans related to crypto and blockchain. For example, members toyed with the idea of creating their own peer-to-peer marketplace for cryptocurrencies and a smart contracts-based tool for extortion.
The group also discussed disinformation campaigns to depress prices for smaller cryptocurrencies and may have been involved in the Squid Game-themed exit scam, security researcher Brian Krebs wrote.
However, the group's interactions with cryptocurrencies were largely mundane, illustrating how exactly cryptocurrencies work and how they are converted into fiat money in the criminal underworld.
The leaked messages show the group's daily operations, with members discussing malicious code development, what works and what doesn't, payments due for IT services the group uses, and interactions with other criminal groups.
According to the messages reviewed by CoinDesk, Conti members used crypto to pay for cloud servers and software licenses, among other things. For example, in one message, a member nicknamed Defender asks Stern to send him $700 in bitcoin to pay for the server the group uses.
Although cryptocurrencies serve as the main payment method between group members, most preferred to receive their paychecks in paper money. For this purpose, Conti members used an over-the-counter broker, a popular method in Russia and Ukraine, where there were few central exchanges in the past.
In a message to a new member in July 2020, Stern explained how to receive a monthly paycheck: The new employee should find an OTC counter with a low price on the Russian-language OTC aggregator Bestchange.com, create an order to sell bitcoin for a debit card transfer, and tell Stern a deposit address that the OTC would generate.
In this way, the "employee" would receive money in fiat directly to his debit card, while the boss would issue cryptocurrencies, essentially using the OTC as a payment processor.
OTCs are also the main channel for ransomware payouts, chat logs show. In one dialogue, a member named Revers explains how the ransomed cryptocurrency is sold through OTC brokers: When bitcoin is transferred, Conti sends money couriers, known as drops, to collect the money, leaving the actual owners of the extorted bitcoins incognito.
"For $300,000, no one would go to Russia to look for you," Revers adds.
Paying for IT products and using servers often requires fiat liquidity as well, and this is where cryptocurrency-living cybercriminals might encounter some difficulty paying their bills. In a chat between two members, Strix and Carter, Strix asks how Carter pays servers via PayPal (PYPL), as OTC brokers only deal with larger sums than the 7 euros per month Strix had to pay to use his personal server.
Carter explains that he initially sells cryptocurrencies on the peer-to-peer market LocalBitcoins in exchange for a transfer to his debit card, which is linked to a PayPal account. The card, he adds, is a "phantom card," meaning it does not belong to him, but a money courier is allegedly used.
The PayPal account is verified, Carter says, which raises the question of whether the PayPal account he is using also belongs to a money courier or was verified with stolen or forged identification documents - a criminal service available and thriving on the darknet, as an earlier CoinDesk investigation showed.
In addition to the no-name OTC, Conti also used some well-known services to pay out ransom, Crystal said. Addresses associated with Conti sent bitcoin to: the now-sanctioned Russian OTC Suex; the Hydra darknet marketplace; the RenBTC exchange; and addresses associated with Wasabi, a non-custodial wallet that allows users to disguise the origin of their funds by merging them with other people's bitcoin in so-called CoinJoin transactions.