
Conti ransomware leaks show that the group operates like a normal tech company


Conti, which uses malware to block access to computer data until a “ransom” is paid, acts like a regular tech company, according to cybersecurity experts who analyzed the group’s leaked documents.


A group of Russians identified by the FBI as one of the most prolific ransomware groups of 2021 is learning what it feels like to be the victim of cyber espionage.

A series of document leaks reveals details about the size, leadership and business of the consortium known as Conti, as well as what it considers its most valuable possession: the source code of its ransomware.

The group emerged in 2020 and grew into one of the largest ransomware organizations in the world, said Shmuel Gihon, a security researcher at threat intelligence firm Cyberint. He estimates the group has around 350 members, who have made around $2.7 billion in crypto in just two years.

In its “Internet Crime Report 2021,” the FBI warned that Conti’s ransomware was among the “top three variants” targeting critical infrastructure in the United States last year. Conti “most frequently victimized the Critical Manufacturing, Commercial and Food and Agriculture sectors,” the bureau said.

“They are the most successful team to date,” said Gihon.

Revenge action?

In an online post analyzing the leaks, Cyberint said the leak appeared to be an act of revenge, motivated by a post Conti published in the context of Russia’s invasion of Ukraine. The group could have stayed silent, but “as we suspected, Conti chose to side with Russia, and this is where things went south,” Cyberint said.

The leaks began on February 28, four days after Russia invaded Ukraine.

Immediately after the post, someone opened a Twitter account called “ContiLeaks” and started leaking thousands of internal messages from the group along with pro-Ukrainian statements.

The Twitter account has direct messaging turned off, so CNBC could not contact its owner.

Lotem Finkelstein, head of threat intelligence at Check Point Software Technologies, said the account owner claims to be a “security researcher”.

The leaker seems to have stepped back from Twitter, writing on March 30: “My last words… See you all after our victory! Glory to Ukraine!”

Gihon said the impact of the leak on the cybersecurity community was huge.

American cybersecurity company Trellix called the leak “the Panama Papers of ransomware” and “one of the largest ‘crowd-sourced cyber investigations’ ever seen.”

Classic Organizational Hierarchy

Conti is completely underground and does not comment to the news media the way Anonymous, for instance, sometimes does. But Cyberint, Check Point and other network security experts who analyzed the messages said they show Conti operates and is organized like a regular tech company.

After translating multiple messages written in Russian, Finkelstein said his company’s intelligence arm, Check Point Research, determined Conti had clear management, financial and human resources functions, along with a classic organizational hierarchy in which team leaders report to upper management.

There is also evidence of research and development (“RND”) and business development units, Cyberint found.

The messages show that Conti has a physical office in Russia, Finkelstein said, adding that the group may have ties to the Russian government.

“Our assumption… was that such a huge organization, with physical offices and enormous revenue, would not be able to operate in Russia without the full approval of, or even some cooperation with, Russian intelligence agencies,” he said.

The Russian Embassy in London did not respond to CNBC’s request for comment. Moscow has previously denied it participated in the cyberattacks.

‘Employee of the month’

Check Point’s research also found that Conti has:

  • Salaried employees, some paid in bitcoin, plus training and performance review opportunities
  • Negotiators who receive a commission of 0.5% to 1% of the ransom paid
  • An employee referral program, with rewards for employees who recruit others who stay for at least a month, and
  • An “employee of the month” award that earns a bonus of half the recipient’s salary

Unlike legitimate companies, Conti penalizes underperformers, according to Check Point Research.

Workers’ identities are also masked by handles, such as Stern (“big boss”), Buza (“engineering director”) and Target (“Stern’s partner and effective head of office operations”), Check Point Research said.

Translated messages show possible penalties at Conti. Source: Check Point Research

“When communicating with employees, higher management often claims that working for Conti is the job of a lifetime – high salary, interesting tasks, career development (!)”, according to Check Point Research.

However, some messages paint a different picture, with threats of termination for not responding to messages quickly enough (within three hours) and working hours on weekends and holidays, Check Point Research said.

The recruitment process

Conti hires both from legitimate sources, such as Russian headhunting services, and from the criminal underground, Finkelstein said.


Hiring is important because “it’s perhaps not surprising that turnover, attrition and burnout rates are quite high for entry-level Conti employees,” wrote Brian Krebs, a former Washington Post reporter, on his cybersecurity website KrebsOnSecurity.

According to Check Point Research, some of the people hired weren’t even computer experts. Conti hired people to work in call centers, it said. According to the FBI, “tech support fraud” is on the rise, in which scammers impersonate well-known companies and offer to fix computer problems or cancel subscription fees.

Staff in the dark

“Alarmingly, we have evidence that not all employees are fully aware that they are part of a cybercrime group,” Finkelstein said. “These employees think they are working for an advertising agency, when in fact they are working for a notorious ransomware corporation.”

The messages show that managers lied to job candidates about the organization, with one telling a potential hire: “Everything is anonymous here, the main direction of the company is software for pentesters” – referring to penetration testers, legitimate cybersecurity experts who simulate cyberattacks against their own companies’ computer networks.

In a series of messages, Stern explained that the team kept developers in the dark by having them work on a single module or piece of software rather than the entire program, Check Point Research said.

If employees finally figure things out, Stern said, they will be offered a pay raise to stay, according to the translated messages.

Down but not out?

According to Check Point Research, even before the leak, Conti was showing signs of strain.

Stern went silent around mid-January, and salary payments also stopped, according to the messages.

A few days before the leak, an internal message read: “There have been a lot of leaks, there have been … arrests … no boss, no clarity … also no money… I have to ask you all to take 2-3 months of leave.”

According to Check Point Research, although the group has struggled, it is likely to rise again. Unlike its old rival REvil, whose members Russia said it arrested in January, Conti is still operating “in part,” the company said.

The group has overcome other setbacks, including the temporary disabling of Trickbot, a malware program used by Conti, and the arrest of some suspected Trickbot associates in 2021.

Despite ongoing efforts to combat ransomware groups, the FBI expects attacks on critical infrastructure to increase in 2022.
