Following the emergence of data-leak sites (DLSs) for the extortion groups Kairos, Chort, and Termite, Cyjax has observed the emergence of a Tor-based site belonging to a new French-speaking Ransomware-as-a-Service (RaaS) operation called ‘ContFR’. The name ContFR potentially references the well-known ransomware group Conti while incorporating a reference to France. At the time of writing, the site does not list any victims, though it appears possible to view a table of listings when visiting as a subscriber to the operation.
Read on to find out what Cyjax knows so far about this new RaaS operation.
Figure 1 – ContFR Tor site landing page.
Context
Ransomware-as-a-service operations commonly use DLSs to further extort victims, typically proceeding in multiple stages. The first threat is that the victim’s name and news of a successful attack against it will be published on the extortion group’s website. Should this fail to motivate the victim to pay a ransom, the group’s next step is typically to provide proof of the successful theft of its data. This proof may include screenshots of internal file trees, samples of employee or customer PII, or other sensitive documents. The group may add a countdown at this stage, noting that should the victim fail to pay before it expires, the group will make all stolen data available to DLS visitors, either for free or for a price.
Alternatively, a Tor-based site can be used to advertise a RaaS to potential affiliates. This provides a centralised way for affiliates to access new binaries and manage victims, whilst operators can facilitate ransom negotiations and profit distribution.
History and Victimology
The ContFR Tor site was created on or around 25 September 2024. Unlike a typical ransomware page, it does not currently host a list of victims which the group claims to have successfully attacked. It is realistically possible that ContFR and its affiliates have successfully attacked organisations that are not known to the public. However, Cyjax cannot confirm this.
Little is known about the group, its affiliates, or its ransomware binary, though the landing page provides insight regarding how the ransomware is distributed. This is covered in the TTPs section of this report.
It is notable that the site is written in French. Ransomware DLSs and similar sites are often in English or Russian, due to the popularity of both languages in cybercrime. The French on the site appears natural and free of mistakes, giving the impression of a native speaker rather than machine translation (MTL). Whilst this may indicate the geographical origin of the RaaS operators, it is realistically possible that it is an attempt at obfuscation to prevent correct attribution to a country or language.
The ContFR site
The group’s Tor-hosted site consists of one main page and five others that are accessible without being a subscriber:
Landing page
The site’s landing page contains a brief description of the RaaS operation and binary, which is approximately translated to the following:
“RAAS – Ransomware embedded in a PDF file, to be opened by your victims or inserted yourself, Windows and Mac, does not work on Linux.
Table of victims and data recovery possible from your subscriber area.
Configuration of your ransomware is possible when you first log in, you can then modify it according to your own design.”
This is followed by links to each subscription ContFR offers. Firstly, a “TEST” purchase which lasts for 30 days costs €400 but only allows online infections and the option to modify the ransomware once. The “BASIC” order lasts six months, allows offline infections, and allegedly provides 10 modification opportunities. Finally, the “ELITE” order gives access to unlimited ransomware variant creation, as well as a support chat.
Beneath this content is a public PGP key. This is often provided to prove the identity of the operator, and to further prove that the site is real and attributed to the RaaS. It can also be used to facilitate secure and legitimate communication channels between operators and subscribers.
Figure 2 – ContFR Tor site landing page, displaying information regarding the ransomware binary and available subscriptions.
Login portal page
The site hosts a login portal for subscribers, which likely leads to a control panel for affiliates that can manage and operate active versions of the ransomware, configure new builds, and facilitate ransom negotiation. However, Cyjax is unable to identify content past this portal without valid credentials to the operation.
Figure 3 – Login portal page on ContFR Tor site.
Order pages
The final three available pages are used to facilitate access to the operation. Each is reached from one of the order options provided on the landing page. They list the total cost of the order and request an email address to which order confirmation and credentials are allegedly sent.
Figure 4 – “TEST” order page on ContFR Tor site.
Payment page
When an order is placed, visitors can input an email address to proceed with it. This leads to a page containing a cryptocurrency address that changes depending on which order was chosen; across the three orders, the site reveals three wallet addresses. Analysis of the wallets confirms that no transactions have been made to or from the addresses, though it is possible that the group rotates wallets to prevent tracking.
Figure 5 – Payment page for the “TEST” order.
Single extortion?
With the little available information surrounding the group, as well as the lack of a public victim list, it is realistically possible that the RaaS binary cannot conduct data exfiltration. The group may rely on single extortion, using only the threat of encrypted files rather than combining that impact with the threat of leaked files, as seen in the recently emerged Chort ransomware group. Ultimately, as a RaaS, affiliates may vary in their approach. As such, it is unknown whether the group conducts double or only single extortion, beyond the fact that there is no public DLS.
Tactics, techniques, and procedures (TTPs)
Due to the recent emergence of the group, no publicly available information exists surrounding its TTPs. Additionally, affiliates may have varied TTPs when conducting their own attacks. However, the landing page lends some insight into how initial access to organisations may be gained. The description of the ransomware states “ransomware embedded in a PDF file”. This promotes social engineering as an initial access vector, urging victims to open the infected PDF to deploy the ransomware binary. This is a notable exception to the varied approach many ransomware groups tend to take, as they gain initial access through commonly used techniques including vulnerability exploitation or even purchasing access from initial access brokers (IABs) on cybercriminal forums.
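The “ransomware embedded in a PDF file” lure described above is, from a defender’s side, a triage problem: does an inbound PDF carry an attachment or an action that fires when the document is opened? The following script is an added example written for this report, not code from Cyjax or from the ContFR operation, and it makes no claim about how the ContFR binary is actually packaged. It scans raw PDF bytes for the standard PDF name tokens that signal embedded files and auto-run behaviour (/EmbeddedFile, /Launch, /OpenAction, /JavaScript and similar), decodes the #xx hex escapes the PDF specification allows inside name tokens (a common way such names are hidden from naive string matching), and produces a weighted verdict. The two sample documents, the weights and the verdict thresholds are constructed for the example.

```python
import re

# PDF name tokens that signal "opening this can run or drop something".
# Weights are an assumption for this example; tune them for your environment.
RISKY_NAMES = {
    b"/EmbeddedFile": (2, "file attachment carried inside the PDF"),
    b"/Launch":       (3, "action that runs a program or opens a file"),
    b"/JavaScript":   (2, "embedded JavaScript"),
    b"/JS":           (1, "JavaScript code stream"),
    b"/OpenAction":   (1, "action triggered when the document opens"),
    b"/AA":           (1, "additional actions bound to document events"),
    b"/RichMedia":    (2, "embedded rich-media content"),
}
OBFUSCATION_WEIGHT = 2  # any #xx escape inside a name token is itself suspicious

# A name token runs from '/' up to the next whitespace or delimiter character.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
# PDF allows any byte inside a name to be written as #xx (e.g. /#45mbeddedFile).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(token: bytes) -> bytes:
    """Resolve #xx escapes inside one name token."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def normalise_names(data: bytes) -> bytes:
    """Rewrite every name token in the buffer with its escapes resolved."""
    return _NAME_TOKEN.sub(lambda m: _decode_name(m.group(0)), data)


def uses_escaped_names(data: bytes) -> bool:
    """True if any name token in the raw buffer uses #xx escaping."""
    return any(_HEX_ESCAPE.search(m.group(0)) for m in _NAME_TOKEN.finditer(data))


def scan_pdf_bytes(data: bytes) -> dict:
    """Triage a PDF byte string for embedded-file and auto-run indicators."""
    normalised = normalise_names(data)
    findings = {}
    score = 0
    for name, (weight, meaning) in RISKY_NAMES.items():
        # Match the whole token only, so /EmbeddedFile does not count /EmbeddedFiles.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, normalised))
        if count:
            findings[name.decode()] = {"count": count, "meaning": meaning}
            score += weight * count
    obfuscated = uses_escaped_names(data)
    if obfuscated:
        score += OBFUSCATION_WEIGHT
    verdict = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"findings": findings, "obfuscated_names": obfuscated,
            "score": score, "verdict": verdict}


# Constructed sample: a catalog that auto-launches an embedded executable,
# with two of the tell-tale names hidden behind #xx escapes.
SAMPLE_SUSPICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles << /Names [(invoice.exe) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /#4caunch /F (invoice.exe) >> endobj
5 0 obj << /Type /Filespec /F (invoice.exe) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /#45mbeddedFile /Length 4 >> stream
MZ..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page text document.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        result = scan_pdf_bytes(blob)
        print(f"{label}: verdict={result['verdict']} score={result['score']}")
        for name, info in result["findings"].items():
            print(f"  {name} x{info['count']}: {info['meaning']}")
```

The check is deliberately a raw-byte scan rather than a full PDF parse, so it also works on truncated or malformed files that a strict parser rejects; the trade-off is that it cannot see names inside compressed object streams, so a “low” verdict is not a clean bill of health and should feed into, not replace, detonation or a full parser.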
Associations
At the time of writing, ContFR is not known to be associated with any other known threat groups. Cyjax has not observed any indication of activity on cybercriminal forums related to the operation.
Threat assessment
ContFR has no public attack announcements, though it appears to operate a functional Tor-based site to centralise its ransomware operation. There are no known concrete TTPs associated with the group or its affiliates, other than the high likelihood of social engineering suggested on the Tor site. As a result, the technical capability of the operator and its ransomware remains unclear.
To access our full intelligence repository containing detailed profiles like this one, covering extortion groups, advanced persistence threat groups (APTs), data brokers, hacktivists, initial access brokers, and more, click here to take a test drive of Cymon.