The infamous Conti and REvil/Sodinokibi ransomware gangs appear to have shrugged off the impact of internal infighting and government-led actions against their nefarious activities, if intelligence now emerging from the security community is anything to go by.
As regular followers of the soap opera drama of ransomware gangs will know by now, Conti, which is famous for stealing data then leaking it, was itself hit by a series of leaks at the end of February 2022, after it declared its support for Russia’s war on Ukraine.
This action likely alienated several group members in Ukraine and resulted in a deluge of new intelligence for analysts to digest.
REvil, meanwhile, appeared to have been taken out by coordinated law enforcement actions during a brief window of time when the US and Russia were aligned on anti-ransomware action, following meetings between Joe Biden and Vladimir Putin during 2021.
But as we shall see, Conti remains highly active and REvil appears to be back in business.
So what’s new, and what do security professionals need to do about it?
According to Secureworks, which tracks Conti as Gold Ulrick in its threat actor matrix, the gang has been keeping busy, has rapidly adapted in response to the public disclosure of its communications and operational details, and its activity is currently close to peak levels seen in 2021.
Secureworks’ Counter Threat Unit (CTU) analysts recently revealed that the Conti leak site listed an average of 43 victims every month in 2021, with a peak of 95 in November, before dropping off over the Christmas period. It then picked back up again through to 27 February 2022, when the @ContiLeaks Twitter handle began leaking data. Despite this, the number of posted victims in March surged to more than 70.
“Although these types of leaks could have prompted some threat groups to modify their communication methods or tooling, Gold Ulrick appears to have continued and even increased the tempo of its operations without disruption,” the CTU team said in a newly updated blog post.
“Gold Ulrick member ‘Jordan Conti’ confirmed this continuation and the minimal impact of the disclosures in a 31 March 2022 post on the RAMP underground forum.
“CTU researchers previously observed this persona advertising Conti, providing updates on takedown efforts and recruiting affiliates,” they said.
The post claims the site only lists victims that have not paid – standard procedure for a double exploitation name-and-shame site – and implies Conti has a 50% payment success rate, so twice that number of victims may exist, although the CTU team has not yet verified these claims.
The ‘Jordan Conti’ character also indicated the gang plans to evolve its ransomware, intrusion methods and approaches to working with data. This has been borne out by researchers Marc Elias, Jambul Tologonov and Alexandre Mundo of Trellix (née McAfee Enterprise), which also recently published new intelligence on Conti’s targeting of VMware ESXi hypervisors with a Linux variant of its ransomware. The Trellix team detected Conti for Linux uploaded in the wild on 4 April and claims this is the first publicly known sample.
The existence of Conti for Linux is nothing new – the first mention of a Linux variant dates back to May 2021 – but leaked conversations between gang members suggest it had multiple bugs and went through a lengthy development process, including live trials on real-world victims, many of whom apparently complained that when they paid the ransom, the decryptor did not work properly.
In one instance, the gang demanded a ransom of $20m, but was forced to settle for $1m because something went wrong – this particular victim also declined the decryptor despite paying.
Trellix said its intelligence reinforces that despite the leaks and reputational damage suffered, the gang is not going anywhere, and has found the time to keep working on its “product”.
“Analysis of Conti leaks revealed that the threat actors are continuously adjusting and improving their Linux variant of ransomware, and it is likely in the future we will see more of its actions against Western organisations,” they said.
“Since the sample of the Conti ransomware we analysed was recently uploaded to VirusTotal, we presume that the ransomware group is still performing their campaigns and operations encrypting data from companies all around the world and extorting them for a ransom payment for their own personal gain.”
REvil: Not all it may seem
Meanwhile, REvil, or perhaps more accurately somebody claiming to be REvil, popped up again on 20 April and was swiftly spotted by the community.
Researchers reported that REvil’s servers on the Tor network were directing to an apparently new operation, hence the lack of clarity at present as to what is really going on – there may be connections to still at-large members of the REvil gang, or even other ransomware gangs, hints at the presence of which have been inferred.
According to Bleeping Computer, the revived ‘Happy Blog’ leak site listed 26 victims (at the time of writing), although some of those appeared to be older victims.
Many questions remain to be asked over REvil’s supposed reappearance, but one theory that has gained traction holds that following the closure of communication channels between the US and Russia on security issues was closed a fortnight ago, Moscow may have given tacit permission to REvil to resume targeting organisations in the West.
Digital Shadows senior cyber threat analyst Chris Morgan said: “The potential return of REvil coincides with the closure of channels for discussing cyber security issues between the United States and Russia. This decision was likely taken due to US and Russian relations breaking down as a result of the ongoing Russia and Ukraine war.
“As a result, it is realistically possible that Russian authorities have dropped their investigation into the group, or otherwise indicated that REvil could restart their operations.
Morgan added: “It is currently unclear whether the restart of infrastructure associated with REvil represents a genuine return to activity for the group, a scam, or a potential honeypot operation by law enforcement.”
Although recent activity from Conti and, supposedly, REvil, has caught the attention of the security community, the resilience of cyber criminal gangs in the wake of actions taken against them is par for the course, as has been shown time and time again. This was, to some degree, to be expected.
The one factor that has changed in the past few weeks is, of course, Russia’s illegal war on Ukraine, resulting in Russia’s isolation and expulsion from many international systems.
This is important because although ransomware operators have historically been financially motivated criminals, rather than state-backed advanced persistent threat groups, many if not most ransomware gangs do operate out of Russia, and it has long been suspected they do so with the approval of, or at least a blind eye from, the Russian government.
Although there is little evidence that Russia is orchestrating a major cyber war against the West – the NCSC continues to advise organisations to take reasonable precautions – it is certainly possible that Russia could press more ransomware operators into service as an element of cyber warfare, or that ransomware operators might take action to support Moscow of their own accord.
In terms of immediate response from organisations, there is little to do but reinforce existing defences against ransomware attacks or implement them should you not yet have done so.
Further information on action to take to defend against ransomware attacks is available from the UK’s National Cyber Security Centre, and as always, the top line advice is to focus first on properly protected backups of important data, and never to pay a ransom, as it is no guarantee that your impacted data will be restored.