The recent leak of Conti's source code, chat logs, and a large volume of other sensitive data has produced several revelations about the group's operational mechanics and organizational structure. Several researchers have studied and analyzed the leaked data to bring more information about the malware and its operators to light.
Organization structure of the group
Researchers from BreachQuest have provided a detailed organizational chart showing Conti’s operators at various levels of functioning.
The chart shows a person named Stern as the big boss and Salamandra as the person responsible for HR and recruitment processes.
There are reportedly other key figureheads of the group, identified as Bio (blogger/negotiator), Mango (team lead), Revers (tech lead), Bentley (system admin), and Twin (training).
According to Chainalysis, Conti extorted an estimated $180m last year, making it the top-earning ransomware operation of 2021.
Once the operators have compromised an Active Directory environment, they look for potentially interesting accounts, such as admins, engineers, or other IT staff.
One instruction document, titled ‘HOW AND WHAT INFO TO DOWNLOAD’, was meant to be followed after escalating privileges to domain admin and running a share finder.
Conti appears to be interested in financial documents, accounting records, client data, and project files. It also looks for backup servers so that the backups themselves can be encrypted.
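As an added, defender-side illustration that is not part of the leaked material or the cited research: a share-finder sweep like the one described above shows up in Windows Security logs as one account touching many distinct shares within minutes (event 5140, "A network share object was accessed"). The Python below runs that check over constructed sample records; the account names, hosts and share paths are invented for the example.

```python
"""Flag accounts that access many distinct SMB shares in a short window,
the footprint a share-enumeration sweep leaves in event 5140 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, account, share).
# Each tuple stands for one already-parsed event 5140 record.
T0 = datetime(2022, 3, 1, 9, 0, 0)
SHARE_NAMES = ("Finance", "Backups", "Projects")
SAMPLE_EVENTS = [
    # svc_backup sweeps 24 distinct shares on 8 hosts in two minutes
    (T0 + timedelta(seconds=5 * i), "CORP\\svc_backup",
     f"\\\\fs{i % 8:02d}\\{SHARE_NAMES[i % 3]}")
    for i in range(24)
] + [
    # jdoe opens three shares over the morning (ordinary use)
    (T0 + timedelta(minutes=10), "CORP\\jdoe", "\\\\fs01\\Finance"),
    (T0 + timedelta(minutes=45), "CORP\\jdoe", "\\\\fs01\\Projects"),
    (T0 + timedelta(minutes=90), "CORP\\jdoe", "\\\\fs02\\Clients"),
]


def detect_share_sweeps(events, window=timedelta(minutes=5), threshold=10):
    """Return {account: peak distinct shares inside any `window`} for every
    account whose peak exceeds `threshold`. A per-account sliding window over
    time-sorted events keeps this O(n log n) and tolerant of unsorted input."""
    by_account = defaultdict(list)
    for ts, account, share in events:
        by_account[account].append((ts, share))
    alerts = {}
    for account, recs in by_account.items():
        recs.sort()
        in_window = defaultdict(int)  # share -> hits currently inside window
        start, peak = 0, 0
        for ts, share in recs:
            in_window[share] += 1
            # Evict events older than `window` relative to the newest one.
            while ts - recs[start][0] > window:
                old = recs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[account] = peak
    return alerts


if __name__ == "__main__":
    for account, n in detect_share_sweeps(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {n} distinct shares within 5 minutes")
```

Tune `window` and `threshold` to the environment's baseline; backup and inventory service accounts legitimately touch many shares and need an allow-list rather than a lower threshold.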
Source code analysis
CyberArk did an analysis of Conti’s source code and claims that the revealed information can aid organizations in protecting themselves.
One of the data leaks contained 12 Git repositories of alleged internal Conti software. A quick inspection of these repositories showed that most of this code appears to be open-source software used by the group.
For example, yii2 and Kohana are used as part of the admin panel, which is mostly written in PHP and managed with Composer. One repository held a tool written in Golang.
The recent leak of Conti's secrets has turned out to be a blessing for the security researchers tracking the group, as it offers unprecedented insight into the group's activity and operations. It should eventually help researchers and defenders devise protective measures against similar threats in the future.