Conti ransomware surfaced as far back as 2020. Believed to have been created by Russia-based cybercriminal group Wizard Spider, it has been involved in a multitude of double extortion campaigns over the years. Just last May, the U.S. government began offering a reward of up to US$15 million for information on the gang’s key members.
Law enforcement agencies have had no such luck catching the bad guys, at least to our knowledge, as Conti ransomware infections continue to make headlines. WhoisXML API threat researcher Dancho Danchev’s recent investigation into the threat revealed:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
In the past two years since Conti ransomware came to light, several cybersecurity researchers have found indicators of compromise (IoCs) related to the threat. Danchev’s OSINT analysis findings uncovered:
Given the wealth of publicly available IoCs, we began by subjecting the 564 domains to a bulk WHOIS lookup. That showed that 29% of the domains were registered in the U.S. while the remaining 71% were distributed across at least 18 other registrant countries.
Of these domains, only 45 were likely owned by legitimate businesses at least according to their disclosed registrant organizations.
Next, DNS lookups for the C&C domains uncovered 1,401 IP address resolutions, 261 of which turned out to be malicious based on Threat Intelligence Platform (TIP) malware checks.
A bulk IP geolocation lookup for these IP addresses showed that 650 originated from the U.S. while the remaining 751 were distributed across 42 other countries.
The IP geolocation and WHOIS registrant country data indicate how widespread Wizard Spider’s cybercriminal network could be.
Reverse IP lookups for the C&C IP addresses led to the discovery of an additional 73 possibly connected domains, five of which were also tagged “malicious” by various malware engines.
Screenshot lookups for the five malicious domains showed that only one led to a live website, hosting what seems to be a mobile advertising webpage.
Another one led to a 404 page, two were parked, and one was unreachable. These statuses, however, could still put users in danger of downloading malicious files onto their computers if the pages were compromised and turned into malware hosts.
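The pivoting chain described above (seed domains, DNS resolutions, IP geolocation, reverse IP lookups, malware verdicts) as an added example in Python; this is not code from the post or from WhoisXML API, and the lookup tables below are constructed stand-ins for the live WHOIS, DNS, geolocation and reputation services, so every name and address in them is made up.

```python
from collections import Counter

# Constructed sample data standing in for the lookups used in the investigation.
SEED_DOMAINS = ["seed-a.example", "seed-b.example", "seed-c.example"]
DNS_A = {  # domain -> IPs it resolved to (constructed)
    "seed-a.example": {"203.0.113.10", "203.0.113.11"},
    "seed-b.example": {"203.0.113.11", "198.51.100.5"},
    "seed-c.example": {"198.51.100.6"},
}
REVERSE_IP = {  # IP -> domains co-hosted on it (constructed)
    "203.0.113.11": {"seed-a.example", "seed-b.example", "pivot-x.example"},
    "198.51.100.5": {"seed-b.example", "pivot-y.example"},
}
GEO = {"203.0.113.10": "US", "203.0.113.11": "US",  # IP -> country (constructed)
       "198.51.100.5": "DE", "198.51.100.6": "NL"}
MALICIOUS_IPS = {"198.51.100.5"}          # verdicts from a malware check (constructed)
MALICIOUS_DOMAINS = {"pivot-y.example"}


def expand_infrastructure(seeds, dns_a, reverse_ip):
    """Seeds -> resolved IPs -> other domains on those IPs (seeds excluded)."""
    ips = set()
    for domain in seeds:
        ips |= dns_a.get(domain, set())
    pivots = set()
    for ip in ips:
        pivots |= reverse_ip.get(ip, set())
    return ips, pivots - set(seeds)


def country_share(ips, geo):
    """Percentage of IPs per country, unknown geolocation reported as '??'."""
    counts = Counter(geo.get(ip, "??") for ip in ips)
    total = sum(counts.values())
    return {country: round(100 * n / total) for country, n in counts.items()}


def summarize(seeds, dns_a, reverse_ip, geo, bad_ips, bad_domains):
    """Figures of the kind reported in the post, plus a watchlist of pivots."""
    ips, pivots = expand_infrastructure(seeds, dns_a, reverse_ip)
    return {
        "ips": len(ips),
        "malicious_ips": len(ips & bad_ips),
        "country_share": country_share(ips, geo),
        "pivot_domains": sorted(pivots),
        "malicious_pivots": sorted(pivots & bad_domains),
        # Everything connected is worth monitoring, not only what is flagged today.
        "watchlist": sorted(set(seeds) | pivots),
    }


if __name__ == "__main__":
    print(summarize(SEED_DOMAINS, DNS_A, REVERSE_IP, GEO, MALICIOUS_IPS, MALICIOUS_DOMAINS))
```

Swapping the constructed dictionaries for real lookup results (one call per seed or IP) turns this into the same expansion the post performed at scale.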
Despite the increased lookout for the Conti ransomware perpetrators, Danchev’s deep dive into the Wizard Spider infrastructure showed that it’s still up and running. Individuals and organizations alike would do well to avoid accessing the malicious web properties identified in this post and also monitor possibly connected domains and IP addresses.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.