CONTI RANSOMWARE GANG:
Motives and Methods, Part 1
Ransomware is malware that blocks access to a device until the victim pays a ransom
specified by the malware operator. Attackers typically demand payment in the cryptocurrency
Bitcoin because of the anonymity cryptocurrency offers (Paquet-Clouston et al., 2019).
Ransomware started as a proof of concept in 1996 by researchers Young
and Yung when they posed the idea of using cryptographic procedures offensively. They
suggested cryptography as an extortion technique by preventing access to a device until the
attacker’s demand is met (Hull et al., 2019). Today, ransomware attacks are the most concerning
form of cybercrime, and law enforcement agencies and cyber security professionals across the
globe are seeking ways to deal with the increasing threat (Paquet-Clouston et al., 2019).
The early days of ransomware saw its distribution on a massive scale, with little regard
for the infected victims’ financial holdings. These early campaigns also delivered malware
en masse to infect as many victims as possible rather than targeting a single
entity (Europol, 2021). However, ransomware attacks increasingly shifted toward private businesses,
government agencies, and critical infrastructure. The increase in attacks on larger
institutions shows that ransomware operators choose their victims based on their financial
capabilities and willingness to comply with ransoms. By doing so, perpetrators have the chance
to demand and receive higher ransoms more quickly from victims on the successful execution of
their ransomware. The Conti ransomware gang (Conti) is a prime example of a ransomware gang
that seeks high-profile targets for exploitation (Europol, 2021).
Ransomware-as-a-Service
Ransomware has evolved into two forms of attack that prevent file access on infected
devices. The first locks a user out of their device by disabling its operating system. In these attacks, the victim sees the ransom note as soon as the device boots and cannot use it until
the ransom is paid or the malware is removed (Paquet-Clouston et al., 2019). The second
form of attack is much more sophisticated and is the one Conti uses. In this attack the victim’s files
on a device are encrypted, so paying a ransom is the only way to decrypt the files (Paquet-
Clouston et al., 2019).
The Ransomware-as-a-Service (RaaS) model allows customers to use ransomware owned by service providers
through darknet marketplaces (Meland et al., 2020). These service providers deliver ransomware
tailored to the buyer’s specific target, with some providers offering additional services like
privilege escalation or ransom negotiation. When an attacker’s exploitation succeeds and the
victim pays the ransom, the service provider receives a portion of the ransom, 20%-30%, as a fee
(Meland et al., 2020). The RaaS model is most threatening because it empowers cybercriminals
without the necessary programming skills to utilize ransomware, increasing the number of
individuals behind ransomware attacks.
The Conti Ransomware Gang
Conti is an infamous ransomware family responsible for several high-profile
ransomware attacks. Conti is regarded as a descendant of the Ryuk ransomware, and the creators
of Ryuk are likely responsible for the development of Conti (Trend Micro, 2021). Conti regularly
attacks much larger targets. The Conti ransomware is also sold under the RaaS
model and contributes significantly to the spike in ransomware attacks. Conti extorts even more
money from its victims through the double extortion ransomware technique (Trend Micro,
2021). Through double extortion, Conti not only encrypts a victim’s files but also steals their
files and confidential data. Conti then forces its victims to pay for access to their files and a
separate ransom to prevent Conti from publishing or selling the stolen data (Trend Micro, 2021).
One of the most threatening aspects of Conti’s methods is its choice of targets.
Conti targets businesses and governments worldwide, but most attacks are against United States
institutions (Trend Micro, 2021). From January 1, 2021, to November 12, 2021, Conti attempted
over 1.6 million attacks against companies in the United States. The attacks against companies in
the Netherlands rank second-highest during this period, at nearly 49 thousand attempted
attacks (Trend Micro, 2021). Part of the reason for the disparity in attack frequency comes from
Conti’s motivations. While most ransomware gangs are monetarily motivated, Conti is also
motivated by the interests of its home country.
Conti is based and primarily operated out of Russia. Russia allows cybercrime groups to
operate out of the country with relative freedom. The Russian government is widely known to
overlook ransomware attacks from their country as long as the perpetrators avoid attacks against
Russia and Russian companies (Burgess, 2022). Because of this freedom, most ransomware
gangs trace back to Russia. Some ransomware strains never attack Russian organizations because
of how the malware is coded. Some ransomware strains run checks on an infected network to detect
whether that network lies within Russian-controlled areas. The ransomware shuts itself down if the
infected network is in a Russian-controlled state, so it never executes there (Freeze, 2022). Conti
is tied to the interests of the Russian government, specifically Vladimir Putin, on a much closer
level. Leaks from Conti’s chat messages show that the ransomware gang is connected to Russia
and is involved with the government’s state-sponsored hackers (Burgess, 2022).
Encouragement from the Russian government led Conti to attack critical infrastructure
and industries. For example, the Coronavirus (COVID-19) pandemic began in March 2020 and
contributed to increased cyber-attacks against the healthcare industry. COVID-19 caused most
governments to perform lockdowns to prevent the spread of the disease, and with that came an increase in remote working (Minnaar & Herbig, 2021). Cybercriminals, including Conti, quickly
exploited the new remote working trend.
Conti’s Targets
Conti is responsible for a major attack on Ireland’s Healthcare Services Executive (HSE)
that caused significant disruptions and forced many healthcare professionals to revert to using
pen and paper to continue treating patients. The HSE attack began on May 14, 2021, when the
Conti ransomware compromised its network (PWC, 2021). Although the HSE attempted to
mitigate the damage from the ransomware through its Critical Incident Process, it lost access to
all Information Technology (IT) systems. The affected IT systems included critical systems like
patient information, clinical care, payroll, and procurement systems. Conti hid in the HSE’s
network before the ransomware’s execution, stealing confidential information. Despite the
HSE’s efforts, Conti demanded ransom for access to encrypted machines and the previously
stolen confidential information (PWC, 2021).
The attack against the HSE shows that Conti disregards the consequences for its
targets, and Conti will attack entire governments if it deems it necessary. Conti also attacked
the Costa Rican government in May 2022. Conti’s attack against Costa Rica is markedly different
because Conti’s intent was much more sinister (Faife, 2022). The ransomware attack massively
disrupted the government and affected an estimated 27 government agencies, including the
Finance Ministry and the Ministry of Labor and Social Security. Costa Rica’s President Chaves
declared war against Conti due to their statements about their attack. Conti publicly stated that
their goal in the attack was to “overthrow the government utilizing a cyberattack” (Faife, 2022,
para. 4). Although the attack may seem non-monetarily motivated, Conti still demanded a large ransom from Costa Rica. The original ransom of $10 million changed to $20 million after Costa
Rica refused to pay (Faife, 2022).
Conti regularly partners with other malware gangs to aid in distributing their
ransomware. Documentation shows that threat actors such as Conti and Emotet will use a
combination of each other’s malware during an attack. Emotet is another malware gang based in
Russia. Emotet uses mass email phishing campaigns in its attacks against organizations. During
these attacks, Emotet sends emails with malicious attachments that, when executed, download
separate malware from a staging site (Computer Fraud & Security, 2021). The cybercrime
intelligence group Intel 471 assessed with high confidence that victims infected through
Emotet’s malware spam operation enter a pool of victims who are eventually infected with
Conti ransomware (Intel 471, 2022). This correlation between Emotet and Conti victims offers
insight into how often and how easily targets become infected with the Conti ransomware.
This research project discovered a gap in available research when attempting to uncover
Conti’s new encryption method for the Conti ransomware. Conti previously incorporated the
Advanced Encryption Standard-256 (AES-256) when the Conti ransomware initially executed
and encrypted files on an infected system (CrowdStrike Intel Team, 2022). AES is a block cipher
technique commonly used in standard encryption due to its speed and versatility. AES-256 builds
upon this by encrypting data with 256-bit keys, leading to more secure encryption (Utami et al.,
2019). However, since an August 2020 update, Conti’s ransomware has used the ChaCha cipher as its
encryption method during execution. There is currently not much information on
the ChaCha cipher, although the change in cipher allows a more efficient approach to selecting files to encrypt (CrowdStrike Intel Team, 2022). Further studying the ChaCha cipher
can lead to future decryption of the Conti ransomware.