Conti Leak: A Ransomware Gang’s Chats Expose Its Crypto Plans

Credit to Author: Matt Burgess| Date: Thu, 17 Mar 2022 11:00:00 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

Not satisfied with extorting $180 million from companies last year, the Conti ransomware gang is investing its coerced cash in new moneymaking schemes. Since last summer, according to leaked details from the group, the Russia-linked cybercrime organization has been quietly developing its own social network and blockchain-based cryptocurrency platform. Its leader even suggested opening an online casino.

Conti’s unconventional expansion plans were revealed in 60,000 of the group’s chat messages and files, which were published by a Ukrainian cybersecurity researcher who infiltrated the group. The researcher, who has remained anonymous for safety reasons, exposed the Conti ransomware gang’s inner workings on February 27 via a Twitter account after the hacking group backed Vladimir Putin’s Ukraine invasion days earlier. WIRED has reviewed the documents in detail.

While many of the leaked chat messages detail the daily workings of the notorious ransomware group, they also show how it’s planning to expand beyond corporate extortion. The cryptocurrency and social media schemes are some of the more absurd proposals from the gang. However, they come at a time when law enforcement bodies are disrupting ransomware groups, including conducting aggressive takedown actions and making arrests around the world.

Conti’s diversification efforts start at the top of the group. “Is there anyone among us who considers himself a guru of blockchain and trends,” Stern, Conti’s CEO-like character, said in private messages sent to dozens of Conti members last summer. “We want to create our own crypto system,” Stern continued, citing the Ethereum code library Nethereum, blockchain platform Polkadot, and cryptocurrency trading company Binance. Members of the gang, which at times numbered around 100, replied with loose ideas about how to develop the technology, or with clueless responses. “I must have missed that wave,” one gang member replied.

“They even hold a meeting talking about this,” says Alex Holden, the CEO and founder of security firm Hold Security, who has watched Conti for years and knows the Ukranian researcher who leaked its secrets. “They dive fairly deeply into the technology and ideas,” Holden says.

Stern’s follow-up messages mention NFTs, decentralized finance, and peer-to-peer decentralized marketplaces known as DEX. These discussions have lasted months. In February, just days before the Conti files were leaked, Stern traded messages with one member of the team and discussed creating a system using the Rust programming language and the potential to use smart contracts with ransomware. Conti also appeared to drum up ideas for a cryptosystem by holding a competition on a hacker forum, as first reported by investigative journalist Brian Krebs. The group was also linked to a multimillion-dollar Netflix-inspired Squid Game crypto scam in November 2021, Krebs reported.

While it's unclear exactly how far along the development of the crypto platform is, Holden says he saw the gang members sharing a screenshot of a mockup cryptocurrency platform called Bablo, which roughly translates to “loot,” in July 2021. This was around the same time Stern messaged the group about developing the system. The logo for Bablo incorporated the “B” from Bitcoin’s logo.

The interest in cryptocurrency platforms is all about moving money, Holden says. “My explanation is that these guys want to control and be able to launder money,” he explains. “If they are able to launder the money, for example, they can move stolen proceeds into their own platform, they can hide or otherwise obfuscate their money trail.”

The vast majority of ransomware payments are made using cryptocurrencies. Blockchain tracking firm Chainalysis identified more than $600 million in crypto ransomware payments in both 2020 and 2021—Conti was the most prolific group. However, law enforcement bodies and investigators are becoming more adept at following ransomware payments on the blockchain and identifying individuals involved in the ransomware gangs.

By creating its own system, Conti could potentially help members avoid the attention of law enforcement. “They want to exercise more autonomy over their finances,” says Vitali Kremez, the CEO of security company AdvIntel. Creating any blockchain-based system, Kremez says, would potentially give Conti the “freedom to cash out and make their ransomware payouts easier than relying on any public crypto ledger.” Kremez says a cybercrime gang creating its own payment system wouldn't be totally unheard-of and fits with “previous philosophies.”

While a crypto platform may make some sense for the day-to-day running of Conti, its efforts to create a social network appear to lack a clear direction. Several high-profile Conti members have been involved in conversations about the development. These include Stern and Mango, a Conti general manager who reports directly to the boss and makes sure Conti’s members get paid.

“We make a social network primarily for ourselves and the community,” Mango explained to Conti member Ghost, after they had discussed it with Stern. Mango said it could be like Russia’s biggest social media website, VKontakte (aka VK), but with a twist: It would be for the “darknet.”

In July 2021, Stern explained to Mango that the social network is meant to be a commercial product. They said it would be a centralized, “code closed” system—much like Facebook, Twitter, and all other major social media platforms. The “main thing,” Stern said, would be “trade.” Communications and news could be added later.

As with its crypto project, Conti has created designs of what a social network could look like; two designs were shared in July 2021 and they appear to use the same designer. Using the name Wild Kingdom, the mockups show a logged-in user who is looking at another person’s profile page. An account’s most recent activity, contact information, when they were last active, and an option to message them are visible. There’s also space for advertisements. The social media mockups also fold in Conti’s crypto interests; they show how much bitcoin an account has.

“Everyone will be there,” Stern said in messages to Mango. “Reporters. Ordinary users. Buyers. There must be at least 1 million people on the social network.” Getting carried away, Stern even proposed turning to gambling: “Maybe we’ll make a casino.”

Despite Conti spending money and development time on these side projects, neither of them seem to have launched. And it’s likely they never will, says Kimberly Goody, director of cybercrime analysis at security firm Mandiant. “I don't think that some of those are achievable or realistically obtainable for them,” Goody says. However, she adds, it does show Conti has “big aspirational goals as an organization.”

Conti, or at least its senior members, are contemplating their life beyond ransomware. “They're not just individuals that are concerned about payouts,” Kremez says. “They're thinking about legacy, thinking about the long-term future.”

https://www.wired.com/category/security/feed/

Leave a Reply