
Conti Leaks: Practical walkthrough and what can we learn from it

Thomas Roccia
December 12, 2022


This talk was presented at BSides Melbourne and Hack Sydney.

Conti, one of the most prolific ransomware gangs of recent years, conducted multiple targeted attacks against companies with multi-million-dollar revenues. The Conti ransomware gang is a well-organised group that runs an affiliate model, Ransomware as a Service (RaaS).

On February 28th, 2022, a major leak about the Conti group was published on Twitter. The leaked chat logs revealed private discussions between Conti members and showed the size of their network. The data provided a unique insight into the inner workings of the group.

This presentation takes a practical approach to exploiting the chat logs with Python for threat intelligence. We dissect the available information and learn more about the group's process and operations. Finally, we see how the available information can be used to pivot and hunt for additional context and threat intelligence.

The talk lets analysts reuse the code and continue searching the extracted information on their own. It also offers an out-of-the-box methodology for analysing chat logs, extracting indicators of compromise, and improving threat intelligence and defence processes using Python.

Transcript


  3. Who is Conti? Why are the Conti Leaks valuable information?
     Practical Python for Threat Intelligence
     Exploring the Jabber logs of the Conti Leaks
     Extracting and analysing relevant information using MSTICpy

  4. "The information and knowledge about an adversary obtained through
     observation, investigation, analysis, or understanding, is the product
     that provides battlespace awareness"
     - Edward Waltz -

  5. Easy to use and to learn
     Versatile
     Powerful for both big and small apps
     Works well with large amounts of data (pandas)
     Can be used to create workflows with Jupyter
     Can be used to automate boring stuff
     Whatever you need, Python will cover your ass!

  6. Ransomware as a Service model and double extortion
     A State Department official said: "They have been involved in malicious
     cyber activity against our critical infrastructure. We view them as a
     national security threat."
     Started in December 2019
     Believed to be based in Russia
     ~$50 Million

  8-9. Jabber is used as the internal chat tool of the Conti organisation
     The logs span 2020 to 2022 and are written in Russian
     Multiple affiliate groups and criminal elements are connected to it
     to discuss operations and coordination
     I don't read or understand Russian
     The size is about 35 MB
     I want a quick way to analyze them and find relevant information
     Challenge accepted!
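Added worked example (not the talk's code and not MSTICpy's): a standard-library-only Python triage of chat logs in the shape described above. It assumes each log record is one JSON object per line with `ts`, `from`, `to` and `body` fields (an assumption about the leaked format; adjust the names if your copy differs) and uses five constructed records, one of them deliberately truncated, in place of the real 35 MB dump. It shows how a reader who does not know Russian can still get signal: who talks most and to whom, the network indicators in the message bodies (defanged for the report), and the Latin-script tokens left once URLs are stripped, which is where tool names and handles surface in otherwise Cyrillic text.

```python
"""Triage of leaked Jabber chat logs with the standard library only: parse the
records, see who talks to whom, pull network indicators out of the message
bodies and surface the Latin-script words a non-Russian reader can act on.
Added example, not the talk's or MSTICpy's code."""
import json
import re
from collections import Counter

# Constructed sample standing in for the 35 MB dump: one JSON object per line
# with ts/from/to/body fields (an assumption about the leaked format). Bodies
# mix Russian with Latin-script tool names and indicators (TEST-NET addresses,
# the well-known MD5 of a test string); the last line is deliberately truncated.
SAMPLE_LOG = r"""
{"ts": "2021-07-27T10:22:33", "from": "stern@example.onion", "to": "mango@example.onion", "body": "привет, проверь cobaltstrike сервер 203.0.113.45, пароль в админке сменил"}
{"ts": "2021-07-27T11:05:10", "from": "mango@example.onion", "to": "stern@example.onion", "body": "ок, хэш файла 9e107d9d372bb6826bd81d3542a419d6, ссылка http://198.51.100.7/load.php"}
{"ts": "2021-07-28T09:00:00", "from": "bentley@example.onion", "to": "mango@example.onion", "body": "новый билд trickbot готов, тест через bazaloader"}
{"ts": "2021-07-28T09:15:00", "from": "mango@example.onion", "to": "stern@example.onion", "body": "ок, жду отчёт от тестеров"}
{"ts": "2021-07-28T09:30:00", "from": "buza@example.onion"
"""

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
}
# Latin-script tokens of 4+ characters; inside Cyrillic text these are mostly
# tool names, handles and product names, readable without knowing the language.
LATIN_TOKEN = re.compile(r"\b[A-Za-z][A-Za-z0-9_-]{3,}\b")


def parse_records(text):
    """One dict per JSON line; damaged lines are skipped rather than fatal,
    because a leaked dump is never clean and triage should not stop on one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def handle(jid):
    """Local part of a Jabber ID: 'stern@<server>.onion' -> 'stern'."""
    return jid.split("@", 1)[0].lower()


def top_talkers(records, n=5):
    return Counter(handle(r.get("from", "unknown")) for r in records).most_common(n)


def top_pairs(records, n=5):
    """Undirected conversation pairs, i.e. who coordinates with whom."""
    pairs = Counter(tuple(sorted((handle(r.get("from", "unknown")),
                                  handle(r.get("to", "unknown"))))) for r in records)
    return pairs.most_common(n)


def defang(ioc):
    """Make indicators safe to paste into a report or ticket."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(records):
    found = {name: set() for name in IOC_PATTERNS}
    for r in records:
        body = r.get("body", "")
        for name, pattern in IOC_PATTERNS.items():
            found[name].update(pattern.findall(body))
    return {name: sorted(defang(v) for v in values) for name, values in found.items()}


def latin_terms(records):
    """Latin-script tokens left after URLs are stripped from each body."""
    terms = Counter()
    for r in records:
        body = IOC_PATTERNS["url"].sub(" ", r.get("body", ""))
        terms.update(t.lower() for t in LATIN_TOKEN.findall(body))
    return terms


def triage(text):
    records = parse_records(text)
    return {
        "messages": len(records),
        "top_talkers": top_talkers(records),
        "top_pairs": top_pairs(records),
        "iocs": extract_iocs(records),
        "latin_terms": latin_terms(records).most_common(10),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2, ensure_ascii=False))
```

On the real dump, point `parse_records` at the file contents and feed `latin_terms` output to a translator or a keyword list only after a first look: the top Latin tokens are usually the fastest route to the tooling and the handles worth pivoting on, and the defanged IoCs are what goes into the enrichment step.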


  11. https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b
    https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA



  14. Relationship graph of the main accounts (Stern, Defender, Bentley, Mango, Buza) and two nodes labelled Target
      Source: https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

  15. MSTICpy:
      Querying log data from multiple sources
      Extracting Indicators of Activity (IoA) from logs and unpacking encoded data
      Performing analysis such as anomalous session detection and time series decomposition
      Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts
      Enriching the data with TI, geolocations and Azure resource data
      Machine learning analysis
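Added example, not MSTICpy's own API: a standard-library stand-in for the time-series item in the list above, run over constructed activity (thirty days of a steady five messages a day from one account, plus one forty-message burst). It builds the daily message count, flags days whose z-score exceeds a threshold, and profiles the sender's hour-of-day activity, the kind of timeline MSTICpy's interactive plots render. The record shape (`ts`, `from`, `to`, `body`, ISO 8601 timestamps) is the same assumption as before; with the real logs, pass the parsed records instead of `make_sample_records()`.

```python
"""Activity time series from chat records: daily volume, burst detection,
hour-of-day profile. Added example using the standard library only; the
records are constructed here, not taken from the leak."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_records():
    """Constructed data: 'stern' sends 5 messages a day for 30 days, 10 minutes
    apart from 09:00, except day 20 which carries a 40-message burst."""
    start = datetime(2021, 7, 1, 9, 0, 0)
    records = []
    for day in range(30):
        for i in range(40 if day == 20 else 5):
            ts = start + timedelta(days=day, minutes=10 * i)
            records.append({"ts": ts.isoformat(), "from": "stern@example.onion",
                            "to": "mango@example.onion", "body": "(constructed)"})
    return records


def parse_ts(value):
    """Assumes ISO 8601 timestamps in the ts field (an assumption about the
    leaked format); swap in a different parser if your copy differs."""
    return datetime.fromisoformat(value)


def daily_counts(records, sender=None):
    """Messages per calendar day, optionally for one sender, sorted by date."""
    days = Counter(parse_ts(r["ts"]).date() for r in records
                   if sender is None or r["from"].startswith(sender + "@"))
    return dict(sorted(days.items()))


def spike_days(counts, z_threshold=3.0):
    """Days whose volume sits more than z_threshold population standard
    deviations above the mean: a crude stand-in for MSTICpy's time-series
    anomaly functions. Returns no spikes for a flat or near-empty series."""
    values = list(counts.values())
    if len(values) < 2:
        return []
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [(day, n) for day, n in counts.items() if (n - mu) / sigma > z_threshold]


def hourly_profile(records, sender):
    """Hour-of-day histogram for one sender, in whatever timezone the ts field
    carries: shift it before reading it as the operator's working hours."""
    return Counter(parse_ts(r["ts"]).hour for r in records
                   if r["from"].startswith(sender + "@"))


def busiest_hour(records, sender):
    profile = hourly_profile(records, sender)
    return profile.most_common(1)[0][0] if profile else None


if __name__ == "__main__":
    recs = make_sample_records()
    counts = daily_counts(recs, "stern")
    for day, n in spike_days(counts):
        print(f"burst on {day}: {n} messages")
    print("busiest hour for stern:", busiest_hour(recs, "stern"))
```

A burst day is a pivot, not a conclusion: pull the messages for that day with the triage code and read what changed (a new target, a tooling problem, an argument). The hour-of-day profile is only meaningful once the timestamps are in a known timezone, so establish that from the dump before drawing any inference about where or when people work.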


  20. Main accounts: Defender, Stern, Mango, Bentley, Veron...
      Multiple services (HR, Coders, RE, Testers...)
      Interconnection with multiple cybercriminal groups that operate as affiliates
      Conti deployment via CobaltStrike, Trickbot, BazaLoader, Emotet...
      The chats represent a communication platform for coordination between
      multiple criminal elements that are in some cases distinct
      Well organised and structured like a company


  22. The cybercriminal economy is a continuously evolving, connected ecosystem
      of many players with different techniques, goals, and skill sets.
      Threat intelligence can be used to proactively gather details about a
      threat actor. Leaked data is valuable information.
      Python is the perfect companion for threat intelligence analysts.
      MSTICpy can bolster the investigation process you already have in place.

  23. Observation
    Investigation & Analysis
    Understand



  25. https://www.microsoft.com/security/blog/2022/06/01/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs/
      https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
      https://jupyter.securitybreak.io/Conti_Leaks_Analysis/Conti_Leaks_Notebook_TR.html
      https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/
      https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b
      https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html
      https://www.trellix.com/en-au/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
      https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA
      https://msticpy.readthedocs.io/en/latest/getting_started/Introduction.html
      https://twitter.com/fbi/status/1522939345711288320
      https://www.vx-underground.org/