Akamai analyzes data from the Conti ransomware gang

the gang of Conti ransomware shortly after the Russian invasion of Ukraine, it declared its support for the Kremlin. And after that statement, on February 27 the Twitter profile @contileaks started posting internal documents and group chats. Akamai Security examined the gang’s documentation of the Conti ransomwareanalyzing the group’s tools and techniques.

Akamai analyzes data from the Conti ransomware gang

Considered the successor of the Ryuk group, the Conti ransomware gang has a turnover of nearly 200 million dollars, obtained by hitting high-profile multinational companies. And according to Akamai’s analysis, Conti operates just as if it were a company. It has a CEO who hires new operators, who then follow a series of very precise manuals. Which gave Akamai the ability to analyze hackers’ modus operandi.

Conti often operates using double extortion attacks. This means ransomware not only encrypts data but steals it: in this way, even if the company has backups to restart, the hackers they threaten to sell private information to the highest bidders.

Akamai could see in the data published on Conti that hackers follow a precise timeline, publishing information based on how long the company takes to pay the ransom. Unfortunately for they did not find documentation or manuals relating to the initial access procedures. In fact, the guidelines explain how to extort, not how to enter.

Once defenses are breached, hackers reach tomorrow’s controller by stealing user credentials and information. They use encrypt, trojan e injector proprietari, while using external tools such as Cobalt Strike, Mimikatz e PSExec and others for lateral movement in the system. And to increase permissions by collecting credentials with an arsenal of tools developed by others.

Security experts can learn more about the tools used by the Conti ransomware gang directly on Akamai’s website.