Researchers were able to break into an attack server used by Conti and discovered several details about its attacks. Moreover, a close connection between Conti/Diavol ransomware and the Karakurt data extortion group was discovered, indicating that these groups are part of the same operation.
The discovery of attack infrastructure
The researchers were able to gain access to an internal Conti VPS server, with the credentials of a user, allegedly the leader of the cybercrime enterprise. This resulted in several revelations about its connection with other groups.
The researchers had breached the attacker’s ProtonMail account and discovered the required access credentials, which they used to login into the Conti VPS server.
The server contained more than 20TB of data that Conti stole from its victims before encrypting the data.
The server is hosted by Inferno Solutions, which is a provider in Russia that supports anonymous payment methods and accepts orders over TOR and VPN connections.
An analysis of the details saved on the storage server disclosed that Conti had data with an older timestamp belonging to yet not disclosed victims, which researchers returned back to the victims.
A connection between the groups
Additionally, researchers were able to identify several factors that indicate some association with the Karakurt group.
One connection was made to the IP address 209[.]222[.]98[.]19, where the Karakurt extortion group was hosting its site and published stolen data of victims that denied payment.
Several Karakurt wallets sent cryptocurrency to wallets evidently managed by Conti. Further, Karakurt’s victim payment addresses hosted by Conti wallets point toward a strong connection.
Moreover, a victim had previously paid Conti to unlock their data. Later, that particular client was compromised by Karakurt through the Cobalt Strike backdoor left by Conti.
Diavol: Another connection?
Researchers further discovered that Karakurt and Diavol operators were sharing a common infrastructure for some time.
Analysis of the blockchain revealed Diavol’s connections with Karakurt and Conti.
One of the extortion addresses used during a Diavol attack carried addresses used during Conti ransomware attacks, indicating that the group is operated by the same attackers operating Conti and Karakurt.
It is evident that Karakurt and Diavol are sub-group or extensions of Conti to monetize from failed encryption attacks. Further, Conti has become big enough to expand its cybercrime operations. Therefore, it is suspected that Conti may attempt to further extend its scope by developing more connections and getting support from other groups.