Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Conti Leaks: Practical walkthrough and what can...

Thomas Roccia
December 12, 2022

Conti Leaks: Practical walkthrough and what can we learn from it

This conference has been presented at Bsides Melbourne and Hack Sydney.

Conti, one of the most prolific ransomware gangs in recent years, conducted multiple targeted attacks against companies with multi-million dollars in revenue. The Conti ransomware gang is a well-organized group, with an affiliate model using Ransomware as Service (RaaS).

On February 28th, a major leak has been published on Twitter about the Conti group. The leaked chat logs revealed private discussions between Conti members and show the size of their network. The data provided a unique insight into the inner workings of the group.

This presentation will provide a practical approach to exploit the chat logs using Python applied for threat intelligence. We will dissect the available information and learn more about their process and operation. Eventually, we will see how we can take advantage of the available information to pivot and hunt for additional context and threat intelligence.

The talk will allow analysts to reuse the code and continue to search for the extracted information on their own. Additionally, it offers an out-of-the-box methodology for analysing chat logs, extracting indicators of compromise, and improving threat intelligence and defence process using Python.

Thomas Roccia

December 12, 2022
Tweet

More Decks by Thomas Roccia

Other Decks in Technology

Transcript

  1. Who is Conti? Why the Conti Leaks are valuable information?

    Practical Python for Threat Intelligence Exploring the Jabber Logs of the Conti Leaks Extracting and analyzing relevant information using MSTICpy
  2. " T h e i n f o r m

    a t i o n a n d k n o w l e d g e a b o u t a n a d v e r s a r y o b t a i n e d t h r o u g h o b s e r v a t i o n , i n v e s t i g a t i o n , a n a l y s i s , o r u n d e r s t a n d i n g , i s t h e p r o d u c t t h a t p r o v i d e s b a t t l e s p a c e a w a r e n e s s " - E d w a r d W a l t z -
  3. Easy to use and to learn Versatile Powerful for both

    big and small apps Work perfectly with a lot of data (pandas) Can be used to create workflow with Jupyter Can be used to automate boring stuff Whatever you need, Python will cover your ass!
  4. Ransomware as a service Model and double extortion The state

    department official says. “They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat.” Started in December 2019 Believed to be based in Russia, ~$50 Million
  5. Jabber is used as an internal chat tool of the

    Conti organisation The logs are from 2020 to 2022 and written in Russian Multiple affiliate groups and criminal element are connected to it to discuss operation and coordination
  6. Jabber is used as an internal chat tool of the

    Conti organisation The logs are from 2020 to 2022 and written in Russian Multiple affiliate groups and criminal element are connected to it to discuss operation and coordination I don't read nor understand Russian The Size is about 35 MB I want a quick way to analyze them and find relevant information ChAllenge Accepted!
  7. Querying log data from multiple sources Extracting Indicators of Activity

    (IoA) from logs and unpack encoded data Performing analysis such as anomalous session detection and time series decomposition Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts Enriching the data with TI, geolocations and Azure resource data Machine learning analysis
  8. Multiple services (HR, Coders, RE, Testers...) Defender Stern Mango Bentley

    Veron... Main Accounts: Interconnection with multiple cybercriminal groups that operates as affiliates. Conti deployment via CobaltStrike Trickbot, BazaLoader, Emotet... The chats represent a communication platform for coordination between multiple criminal elements that are in some cases distinct Well organised and Structured like a company 🤯
  9. The cybercriminal economy is a continuously evolving connected ecosystem of

    many players with different techniques, goals, and skillsets. Threat intelligence can be used to proactively get details about a threat actor. Leaked data are valuable information. Python is the perfect companion for threat intelligence analysts MSTICpy can bolster your process in place for investigation