As evidenced during AccesSecurity, an event that took place earlier this week, cybersecurity often resembles aiming at moving targets. This time, the latest story is worth the best spy novels!

The war in Ukraine is not only made with tanks and bombs, it is a cyberwar at the same time. Conti, a well-known hacker group previously known as Wizard Spider, made itself notorious for developing the Conti ransomware that was used against medical facilities and law enforcement agencies. The Conti ransomware targets Windows systems taking advantage of known vulnerabilities in Microsoft Exchange. As of summer 2021, Conti was said to have successfully attacked over 400 organizations worldwide. Many ransomware attackers target healthcare organizations and local governments as they are considered to be able to pay ransoms while not having the most efficient cyberprotection policies. Conti generated US$ 180 million (EUR 164 million) in revenue in 2021 according to a Chainalysis report, making it the most active ransomware group for the year.

Ireland’s Health Service Executive (HSE), which operates the country’s public health system, got hit with Conti ransomware on May 14, 2021, says Brian Krebs, an expert on cybercrime and the author of the KrebsOnSecurity blog. In a few days, the attack disrupted services at several Irish hospitals and resulted in the near complete shutdown of the HSE’s national and local networks. Conti initially demanded US$ 20 million (EUR 18 million) worth of virtual currency in exchange for a digital key to unlock HSE servers compromised by the group. But later, Conti reversed course and gave the HSE the decryption keys without requiring payment. However, restoration and reconstruction of IT systems has proven to be extremely long and complex. In June 2021, the HSE’s director general said the recovery costs for the May ransomware attack were likely to exceed US$ 600 million (EUR 545 million).

On February 25, 2022, Conti group expressed its support to the Russian government in the wake of Ukraine invasion. “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy,” they said in a public statement. CPO magazine raises the question of whether ties [between Conti and the Russian government] are closer than previously thought, or if the group is simply engaging in some sort of self-promotion.

But not everyone was happy with this declaration! Many of Conti business partners are based in Ukraine or show some support to Ukraine in the current war. Consequently, they are now attacking Conti itself! A group retaliated by leaking source code and internal chat logs, accessible through a new Twitter account @Contileaks. These data should help law enforcement agencies and researchers trace those affiliates. According to Brian Krebs, the leaker is not a former Conti affiliate, but a Ukrainian security researcher who has chosen to stay in his country and fight. Brian Krebs uses these logs to demonstrate to which extent the Conti Group was structured, with at least 87 employees, paid between US$ 1000 and 2000 (EUR 910 to 1820) monthly, in the form of a Bitcoin deposit. Brian Krebs adds: Conti was an early adopter of the ransomware best practice of “double extortion,” which involves charging the victim two separate ransom demands: one in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Final step in the story is that the Conti group quickly dismantled back-end and command-and-control infrastructure on March 2, 2022. However, the ransomware source code had already been leaked and probably copied by other groups that will not hesitate to use it. One may also anticipate that even if Conti no longer appears, its staff is ready to set up a new organization, or just to rebrand the gang one under a new name. "The leak is devastating for them and, potentially, for anybody connected to them. Affiliates will be wondering how long the operation was compromised for and whether any information was obtained that points to them," says Brett Callow, a threat analyst in BankInfo Security.