No content

No content

Who is Conti? Why the Conti Leaks are valuable information? Practical Python for Threat Intelligence Exploring the Jabber Logs of the Conti Leaks Extracting and analyzing relevant information using MSTICpy

" T h e i n f o r m a t i o n a n d k n o w l e d g e a b o u t a n a d v e r s a r y o b t a i n e d t h r o u g h o b s e r v a t i o n , i n v e s t i g a t i o n , a n a l y s i s , o r u n d e r s t a n d i n g , i s t h e p r o d u c t t h a t p r o v i d e s b a t t l e s p a c e a w a r e n e s s " - E d w a r d W a l t z -

Easy to use and to learn Versatile Powerful for both big and small apps Work perfectly with a lot of data (pandas) Can be used to create workflow with Jupyter Can be used to automate boring stuff Whatever you need, Python will cover your ass!

Ransomware as a service Model and double extortion The state department official says. “They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat.” Started in December 2019 Believed to be based in Russia, ~$50 Million

No content

Jabber is used as an internal chat tool of the Conti organisation The logs are from 2020 to 2022 and written in Russian Multiple affiliate groups and criminal element are connected to it to discuss operation and coordination

Jabber is used as an internal chat tool of the Conti organisation The logs are from 2020 to 2022 and written in Russian Multiple affiliate groups and criminal element are connected to it to discuss operation and coordination I don't read nor understand Russian The Size is about 35 MB I want a quick way to analyze them and find relevant information ChAllenge Accepted!

No content

https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA

No content

No content

Stern Defender Bentley Mango Buza Target Target https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

Querying log data from multiple sources Extracting Indicators of Activity (IoA) from logs and unpack encoded data Performing analysis such as anomalous session detection and time series decomposition Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts Enriching the data with TI, geolocations and Azure resource data Machine learning analysis

No content

No content

No content

No content

Multiple services (HR, Coders, RE, Testers...) Defender Stern Mango Bentley Veron... Main Accounts: Interconnection with multiple cybercriminal groups that operates as affiliates. Conti deployment via CobaltStrike Trickbot, BazaLoader, Emotet... The chats represent a communication platform for coordination between multiple criminal elements that are in some cases distinct Well organised and Structured like a company 🤯

No content

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. Threat intelligence can be used to proactively get details about a threat actor. Leaked data are valuable information. Python is the perfect companion for threat intelligence analysts MSTICpy can bolster your process in place for investigation

Observation Investigation & Analysis Understand

No content

https://www.microsoft.com/security/blog/2022/06/01/using-python-to-unearth-a-goldmine-of-threat- intelligence-from-leaked-chat-logs/ https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime- gig-economy-and-how-to-protect-yourself/ https://jupyter.securitybreak.io/Conti_Leaks_Analysis/Conti_Leaks_Notebook_TR.html https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start- up-sort-of/ https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html https://www.trellix.com/en-au/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of- ransomware.html https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA https://msticpy.readthedocs.io/en/latest/getting_started/Introduction.html https://twitter.com/fbi/status/1522939345711288320 https://www.vx-underground.org/