Five things we learned from the Conti chat logs

At the end of February, the cybersecurity community was rocked by the appearance of alleged chat logs recording conversations between members of the prolific Russian-speaking ransomware group Conti. A Ukrainian cybersecurity researcher published over 60,000 messages allegedly taken from the backend of a Jabber server that Conti used for internal communications. Other cybersecurity researchers have since confirmed the validity of the messages. The leak contained 393 JSON files, consisting of 60,694 messages sent since 21 Jan 2021. 

At the start of March, the same researcher released a password-protected archive containing an older version of the Conti ransomware source code; the archive was subsequently cracked and the source code published online. Later that month, the researcher uploaded the source code for version three of the ransomware to VirusTotal.

Conti is one of the most prolific ransomware groups currently in operation, with around 45 attacks per week on average, but it has repeatedly proved susceptible to having  sensitive material falling into the wrong hands. In August 2021, a user on a prominent Russian-language cybercriminal forum published training materials and the IP addresses of “cobalt servers” that Conti allegedly used. This latest leak came after Conti’s bold declaration of support for Russia’s invasion of Ukraine, in which the group threatened to conduct retaliatory attacks on the critical infrastructure of organizations or nations that try to “organize a cyber attack or any war activities” against Russia, before editing the message to soften the rhetoric.

The leaked chat logs provide a privileged and fascinating insight into the inner workings of a cybercriminal group. It’s rare to obtain reliable primary source intelligence about threat actors’ tactics, techniques, and procedures (TTPs), structures and hierarchies, working patterns, undisclosed victims, private infrastructure, and cryptocurrency usage. And then the sheer size of the data set is both a blessing and a curse – while it’s a huge treasure trove of information, making your way through every single message would take years. Here at Digital Shadows (now ReliaQuest), we’ve been poring over the messages and crunching some numbers. Here are some of the initial insights we’ve gleaned from the logs. 

1. Conti doesn’t work weekends

One of the most striking observations that jumped out at us from the chat logs was just how much Conti’s operations resemble those of a real-world professional establishment. Numerous messages in the data set would not have looked out of place in a genuine organization’s Slack channel. And when we did the math, we found that it’s not only the content of the messages – it seems that Conti members also follow a standard working pattern that most of us would be familiar with. 

As you can see from the graph below, once we looked at the time and date stamps of messages contained within the data set, we noticed a significant drop-off in the number of messages the group’s members sent on Saturdays and Sundays. The number of messages sent at the weekend was one fifth of the typical amount of communication seen during the week. We also noted that more messages were sent on Friday than on the quieter mid-week days of Wednesday and Thursday. It’s conceivable that the group ramps up its pace of work on a Friday, to get everything ready for a weekend with lighter staff levels. 

This valuable insight into the group’s modus operandi is important context for defenders. If we know a little more about our adversaries’ working patterns, we can develop a better anticipatory sense of when attacks or ransomware negotiations are most likely to occur. While we couldn’t rule out a huge Conti effort at the weekend, it’s helpful to know that the group’s members seem to take time off to enjoy Saturdays and Sundays.

2. Chat activity and workload

Here at Digital Shadows (now ReliaQuest), we monitor over 70 websites operated by extortion groups. Some of these facilitate the auctioning of victims’ data, while others are data-leak sites intended to pressure victims into paying a ransom as part of a double extortion attack. Each time a new victim is named on Conti’s site, our intelligence analysts release a tipper in our internal portal to inform our clients about the latest development. 

In the graph below, we’ve mapped the number of these ransomware tippers reporting new Conti victims against the number of messages contained within the chat logs by month.  The data reveals a correlation between successful ransomware attacks–when Digital Shadows (now ReliaQuest) analysts publish victim tippers–and message activity. The peak in attacks and increased number of victim tippers seen in November coincides with a peak in messaging activity, before dropping off at the same time. This data relationship is significant, as it shows that the more victims Conti successfully attacks, the more work must go on behind the scenes to discuss tactics and elicit payments from victims. 

One notable diversion from this trend occurred in July 2021, when the number of tippers decreased but the number of messages sent actually grew. A potential explanation for this is that Conti users were actively discussing how to respond to the increased scrutiny on extortion groups after a spate of high-profile ransomware attacks. The ransomware group REvil (aka Sodinokibi) dropped off the radar at a similar time.

3. Activity timeline

Let’s take a closer look at the number of messages in the chat logs sent per month, from January 2021 through February 2022. This featured in the graph in the previous section, but it’s interesting to look at these statistics in isolation. As indicated by the graph below, the number of messages sent per month varied wildly, from a high of over 8,000 in November 2021 to less than 2,000 in February that same year. 

We can only speculate about the reasons behind peaks and troughs in chat activity. In November 2021, Conti acknowledged an attack on its infrastructure, where— according to the group’s representative on a cybercriminal forum—no information about the group’s “system” or “people” was lost. The representative also claimed that all of the group’s systems had been restored and that the group was working as normal following a security audit. It is realistically possible that the record high number of messages sent in November 2021 was linked to this attack; this may have included messages initiated as part of the security audit, for example, or Conti members reacting to the controversy and trying to ascertain the extent of the damage.

We also observed Conti attempting to recruit new members in November 2021. The same forum representative put out advertisements for “networkers and access providers”, penetration testers, or individuals with access to “corporate botnets”. Perhaps the spike in activity reflects these recruitment efforts, or part of the onboarding process to welcome new members to the team and teach them the ropes.

August 2021 represents another month with a notably high number of messages sent. As we mentioned at the start of this blog, Conti was dealing with fall-out from its own leak at this point. A cybercriminal forum user shared approximately 27 GB of Conti’s “videoinstruction […] + tools”, including “RedTeaming videos, RedTeaming tools, malicious PowerShell scripts”. In a separate thread, a different user leaked Conti “training materials”, the IP address of Conti’s “cobalt servers”, the username and Jabber ID of the Conti “admin”, as well as a link to the Conti “Tor chat”. The user alleged that Conti’s operators had not been paying their recruits a high enough proportion of any ransom extracted from victims. The increased levels of activity in August 2021, compared to the surrounding months, may reflect Conti dealing with the repercussions of the leak, attempting to identify the source, and arranging mitigatory measures. 

4. Chatterboxes and group leaders

Next we decided to take a look at the distribution of messages among all the different users named in the chat logs. The graph below shows the number of mentions of the various usernames, although we’ve removed the actual monikers for safety reasons, and we’ve only visualized users who sent at least 100 messages. This was a surprisingly low number – only 23 percent of users. This means that the vast majority of users who appeared in the chat logs sent a remarkably small number of messages. We can only speculate as to why these users did not get more involved… Perhaps their performance was found wanting, or perhaps Conti operators and affiliates switch between lots of different usernames for operational security reasons.

Our analysis showed that the top 10 percent of users in the data set accounted for 80 percent of the messages sent. This indicates that there is a handful of users who play a major role in running operations, suggesting that important decisions and strategizing are concentrated in a small group. Most of the individuals featured in the chat logs play more functional roles in the Conti operation. As you can see from the graph, one user in particular stands head and shoulders above the rest, with more than 8,000 messages from this account contained within the logs. Other users repeatedly referred to this user as “boss” or “chef”, indicating that they have a leading role within the organization. 

We were also interested to see when the most prolific users appeared in the logs, and whether there were any unexplained gaps in activity. The graph below shows a timeline of activity for the top ten most prolific users in terms of messages sent. Although two users had short spells of high activity before disappearing, the graph shows that many of the most active users consistently sent messages over the time period contained within the logs. This indicates that users who reach the upper echelons of the organization’s operational structure hold these positions on a long-term basis, perhaps building up their skills and expertise within the role.

5. Working hours

Finally, we decided to look at activity distributed over the working day. In addition to not working weekends, as we discussed earlier, it seems that many Conti affiliates concentrate their efforts in a limited number of hours per day. Although we don’t have an indication of the time zone that the messages were sent in, the graph below shows that activity increases slowly between 0500 and 1200, with the peak in activity occurring between 1200 and 1800. Given the number of indications that Conti operates like a professional organization–with working rules, HR policies, paid time off, and penalties for underperforming, it is perhaps surprising that we do not see consistent activity between the traditional working hours of 9 to 5. Conti affiliates are almost certainly spread over a wide geographic area, meaning that the peak in activity we see represents a crossover time in which operators all over the globe are all online at the same time. 

Using data analysis techniques like this to provide intelligence about the dark web is just one of the ways in which Digital Shadows (now ReliaQuest) monitors threat actor activity across the cybercriminal landscape, providing unique insights to help organizations understand the nature of the threat actors looking to get access to their assets. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.