Friday, March 15, 2024

An EXIF Analysis on Conti Ransomware Gang's Publicly Accessible Internally Leaked Marketing and Advertising Creative - An Analysis

In my most recent analysis on the Conti Ransomware Gang I established a direct connection between a Russia based rap and hip hop recording studio and members of the Conti Ransomware Gang.

The following attribution analysis aims to provide an in-depth including an additional set of related comments and elaboration including never-discussed or published before personally identifiable technical information confirming my original methodology results where I offered practical and relevant OSINT research and analysis on cyber threat actors which are directly related to the Conti Ransomware Gang in the context of having a Conti Ransomware Gang team member that’s involved in producing the gang’s marketing and advertising creative who is also involved in producing related marketing and advertising creative for other clients companies and organizations.

In this analysis I’ll take an in-depth look inside the primary sources which I used to obtain the leaked internal Conti Ransomware Gang internal communication and the process which based on my methodology that I used for data mining their internal leaked and publicly accessible internal communication produced successful and remarkable and never-discussed and published before personally identifiable information on some of the key activities of the Conti Ransomware Gang in the spirit of some of their “upcoming” brands and advertising and marketing creative activities.

I will also go in-depth and further elaborate and verify some of the previous research which I presented in terms of elaborating in-depth on some of the EXIF file analysis based on some of the internal leaked screenshots and related marketing and advertising creative of the gang which I obtained by first obtaining access to their publicly accessible internal leaked communication and their using my methodology to data mine process and enrich their internal leaked communication with a lot of success and a lot of positive results in terms of offering the big picture and an additional set of personally identifiable information on some of their “upcoming”brands including related activities that they’re involved in such as for instance several Russia based rap and hip hop recording studios a children’s online store including several Russia based fashion brands including a charity foundation where I did my best to collect the necessary details behind these individuals using my methodology including based on my research and analysis.

Key summary points:

  • Based on my analysis I obtained all the key screenshots and images courtesy of the Conti Ransomware Gang which I sent from a single Yandex.ru based online file sharing location URL which is - hxxp://disk.yandex.ru/d/7ZiMW2kg3UWYk3
  • In this analysis besides elaborating in a more in-depth fashion in terms of my methodology and the personally identifiable information which I provided based on my research in my previous analysis I also did an EXIF analysis on the obtained screenshots and images and I can easily say that with a lot of success that there’s a “connect the dots” moment which I will do my best to elaborate on and offer the in-depth analysis in terms of attributing these screenshots to the same rap and hip hop recording studio which I previously elaborated on in terms of connecting the dots and offering in-depth personally identifiable information on the individuals behind it which I believe are directly involved and connected with the Conti Ransomware Gang in terms of having a Conti Ransomware Gang team member that’s producing the gang’s marketing and advertising creative and I will also confirm and offer the technical details in terms of elaborating more on how we have members of the Russia based rap and hip hop recording studio that are actually producing the Conti Ransomware Gang’s marketing and advertising creative

Key summary points examples using EXIF analysis indicating that we have the exact same individual that’s hosting the entire Conti Ransomware Gang’s marketing and advertising compilation on Yandex Disk is indeed doing so and that we also have members of the Russia based Plastika rap and hip hop recording studio producing the Conti Ransomware Gang’s marketing and advertising creative including members of their own marketing and advertising creative team namely W8D8DIGITAL who are also busy producing marketing and advertising creative for the Conti Ransomware Gang:

  • 111.avi - ae_project_link_full_path - X:\YandexDisk\DESIGN\баннеры-новые-234\Untitled Project.aep - here we have an indication that based on the EXIF analysis of this video the user is actually using Yandex Disk for producing it where we also have the original marketing and advertising compilation which I obtained using their internal and publicly accessible internal leaked communication
  • ebases.mp4 - ae_project_link_full_path - X:\W8D8\VIDEOproj\email-bases1.aep - here we have a second indication that the individual behind the Russia based Plastika rap and hip hop recording studio W8D8DIGITAL is also responsible for producing marketing and advertising creative for members of the Conti Ransomware gang

  • red2.avi - ae_project_link_full_path - C:\Users\plast\Documents\Adobe\PremierePro\14.0\Без названия.prproj - here we have another indication that based on the EXIF analysis we also have members of the Russian based Plastika rap and hip hop recording studio that are responsible for creating marketing and advertising creative for the Conti Ransomware Gang
Sample screenshot of sample internal leaked URLs of the Conti Ransomware Gang that represent screenshots and images courtesy of the gang which were automatically obtained for the purpose of data mining their internal leaked communication with success

Sample Conti Ransomware Gang Cyber Threat Actor Attribution Analysis Methodology:
  • I picked up that Conti's communication has leaked online and I considered it a treasure trove
  • I quickly used my real-time OSINT methodology to pick up the leak and obtain offline access to it before it goes offline for research purposes
  • I then proceeded and began data mining the leaked communication looking for emails/domains/IPs and URLs with quite a lot of success
  • My primary purpose here was to obtain this information from the leaked information and then work on it and enrich and find out who's behind Conti
  • I picked up and collected the email addresses
  • I picked up and extracted all the IPs
  • I picked up and extracted all the domains
  • I picked up and extracted all the URLs
  • I then enriched the email addresses using my methodology
  • I then enriched the IPs using my methodology
  • I then enriched the domains and actually grabbed all the malware that was still hosted there and online for research purposes
  • I began automatically visiting the extracted URLs looking for clues and I came up with the screenshots collection which I sent you from the leaked information and while data mining and automatically visiting the URLs
  • I came up with the following results - it appears that the person that's doing the gang's advertising and marketing creative is also doing the advertising and marketing for other organizations and clients
  • I then proceeded and began looking for clues and collected all the publicly accessible information on these companies such as for instance several Russia-based fashion brands including a children's clothes online store including a charity foundation
  • I also noticed several screenshots that appeared to be album covers which I also processed and analyzed and came up with some pretty interesting results such as for instance that all the album covers courtesy of the Conti gang member that was producing their advertising and marketing creative were all produced by what appears to be the same individual or someone from Conti that's responsible for their advertising and creative creation
  • There were also screenshots of upcoming ransomware brands and possible phishing template web sites

Sample images and videos involved in the analysis include:

111.avi - ae_project_link_full_path - X:\YandexDisk\DESIGN\баннеры-новые-234\Untitled Project.aep

 
ebases.mp4 - ae_project_link_full_path - X:\W8D8\VIDEOproj\email-bases1.aep

red2.avi - ae_project_link_full_path - C:\Users\plast\Documents\Adobe\Premiere Pro\14.0\Без названия.prproj

www.mp4 - ae_project_link_full_path - X:\W8D8\VIDEOproj\banner-www.aep

banner-glitchFIN.avi - ae_project_link_full_path - C:\Users\AAA\Desktop\проект баннер глитч 2.aep

БАННЕРскруджд.avi - ae_project_link_full_path - C:\Users\AAA\AQ\proj.video\Без имени (видео)\баннер планетка.prpro

 
Sample EXIF related details for this campaign include:




Related image:

EXIF Metadata on one of the images obtained from the leaked Conti Ransomware Gang’s internal leaked communication using public sources indicating that the author of the image is Reformer Graphics

Reformer Graphics (Belarus)

Sovetskaya str., 48/15, Grodno, 230021, Belarus
Phone: +79107337839
E-mail: hello[.]reformermockup.com
Phone: +79107337839
E-mail: hello[.]reformermockup.com
hxxp://graphicriver.net/user/_reformer_
hxxp://packreate.com/vendor/cct/
hxxp://reformermockup.com/
hxxp://dribbble.com/Reformer_graphics
hxxp://www.facebook.com/ReformerMockup
hxxp://www.behance.net/marlot13a49
hxxp://twitter.com/SiarheiTsitou
hxxp://www.facebook.com/iReformer
hxxp://www.instagram.com/reformer_mockup/
hxxp://www.pinterest.com/cct0594/

Sample photos from the obtained compilation:







Sample related photos: