US SMB owners expand fleets with electric vehicles despite security misgivings

Read More

Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

The Conti group’s chats reveal a great deal about the internal structure and hierarchy of the ransomware organization. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires.

Other Conti departments with their own distinct budgets, staff schedules, and senior leadership include:

–Coders: Programmers hired to write malicious code, integrate disparate technologies
–Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
–Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
–Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
–Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware.

Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.

A great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti manager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster who can be seen constantly needling the staff for reports on their work.

In July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to hire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

The Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the Trickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously test, maintain and expand this infrastructure 24 hours a day, 7 days a week.

Conti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza had its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.

According to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders and software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the next. For example, on multiple occasions the organization was forced to fire many employees as a security precaution in the wake of its own internal security breaches.

In May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s malware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires, Stern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both Hof and Reverse appear to have direct access to the Emotet crimeware platform.

Trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity experts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as Ryuk. First spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in first year of its operation Ryuk earned more than $61 million in ransom payouts.

“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for some time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital systems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing COVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across multiple industries.”

On May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of Conti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. It took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at at estimated cost of more than $600 million.

It remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s operations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020 Conti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.

“Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools, techniques and procedures are nearly identical to Conti’s.

“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and spotting his own code being re-used in high-profile ransomware attacks by Ryuk.

“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,” Abrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by the same people.”

ATTRITION

Each Conti employee was assigned a specific 5-day workweek, and employee schedules were staggered so that some number of staff was always on hand 24/7 to address technical problems with the botnet, or to respond to ransom negotiations initiated by a victim organization.

Like countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of Bitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.

However, many employees used the Conti chat room to vent about working days on end without sleep or breaks, while upper managers ignored their repeated requests for time off.

Indeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and administrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation to the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being approached to work for competing ransomware organizations, and the overall morale of the group seemed to fluctuate between paydays.

Perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees, meaning the group was forced to constantly recruit new talent.

“Our work is generally not difficult, but monotonous, doing the same thing every day,” wrote “Bentley,” the nickname chosen by the key Conti employee apparently in charge of “crypting” the group’s malware — ensuring that it goes undetected by all or at least most antivirus products on the market.

Bentley was addressing a new Conti hire — “Idgo” — telling him about his daily duties.

“Basically, this involves launching files and checking them according to the algorithm,” Bentley explains to Idgo. “Poll communication with the encoder to receive files and send reports to him. Also communication with the cryptor to send the tested assembly to the crypt. Then testing the crypt. If jambs appear at this stage , then sending reports to the cryptor and working with him. And as a result – the issuance of the finished crypt to the partner.”

Bentley cautioned that this testing of their malware had to be repeated approximately every four hours to ensure that any new malware detection capability added to Windows Defender — the built-in antivirus and security service in Windows — won’t interfere with their code.

“Approximately every 4 hours, a new update of Defender databases is released,” Bentley told Idgo. “You need to work for 8 hours before 20-21 Moscow time. And career advancement is possible.” Idgo agrees, noting that he’d started working for Conti a year earlier, as a code tester.

OBSERVATIONS

The logs show the Conti gang is exceedingly good at quickly finding many potential new ransomware victims, and the records include many internal debates within Conti leadership over how much certain victim companies should be forced to pay. They also show with terrifying precision how adeptly a large, organized cybercrime group can pivot from a single compromised PC to completely owning a Fortune 500 company.

As a well-staffed “big game” killing machine, Conti is perhaps unparalleled among ransomware groups. But the internal chat logs show this group is in serious need of some workflow management and tracking tools. That’s because time and time again, the Conti gang lost control over countless bots — all potential sources of ransom revenue that will help pay employee salaries for months — because of a simple oversight or mistake.

Peppered throughout the leaked Conti chats — roughly several times each week — are pleadings from various personnel in charge of maintaining the sprawling and constantly changing digital assets that support the group’s ransomware operation. These messages invariably relate to past-due invoices for multiple virtual servers, domain registrations and other cloud-based resources.

On Mar. 1, 2021, a low-level Conti employee named “Carter” says the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers and domain registrations is short $1,240 in Bitcoin.

“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote on Nov. 24, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”

As part of the research for this series, KrebsOnSecurity spent many hours reading each day of Conti’s chat logs going back to September 2020. I wish I could get many of those hours back: Much of the conversations are mind-numbingly boring chit-chat and shop talk. But overall, I came away with the impression that Conti is a highly effective — if also remarkably inefficient — cybercriminal organization.

Some of Conti’s disorganized nature is probably endemic in the cybercrime industry, which is of course made up of criminals who are likely accustomed to a less regimented lifestyle. But make no mistake: As ransomware collectives like Conti continue to increase payouts from victim organizations, there will be increasing pressure on these groups to tighten up their operations and work more efficiently, professionally and profitably.

Stay tuned for Part III in this series, which will look at how Conti secured access to the cyber weaponry needed to subvert the security of their targets, as well as how the team’s leaders approached ransom negotiations with their victims.

Read More

Credit Suisse allegedly attempting to cover up its dealings with sanctioned Russian oligarchs

Read More

Boise State University launches new cyber program to help rural communities

Read More

Milad Aslaner, senior director of cyber defense strategy at SentinelOne, warned that cyber-threats continue to increase

Read More

Effective training and senior leadership buy-in are critical to creating a security-first culture, according to cyber experts

Read More

Fredrik Hult, CISO at PagoNxt, argued that the “mother of all paradigm shifts” is here

Read More

Professor Steven Purnell discusses why organizations should take a completely new approach to staff security training

Read More

TechCrunch is reporting — but not describing in detail — a vulnerability in a series of stalkerware apps that exposes personal information of the victims. The vulnerability isn’t in the apps installed on the victims’ phones, but in the website the stalker goes to view the information the app collects. The article is worth reading, less for the description of the vulnerability and more for the shadowy string of companies behind these stalkerware apps.

Read More

Since Russia launched a full-scale military invasion into Ukraine on February 23, a series of cyberattacks have been detected targeting Ukrainian businesses, websites and government agencies amid the ongoing conflict. Meanwhile, organizations in the cybersecurity sector have begun taking action to provide help and support to those directly and subsequently impacted by cyber incidents relating to the Ukraine-Russia crisis. Here is a list of the cybersecurity vendors currently known to be offering aid.

Vectra AI: Threat detection and response vendor Vectra AI is offering a slate of free cybersecurity tools and services to organizations who believe they may be targeted by cyberattacks in the Ukraine-Russia conflict. For immediate assistance in the current emergency, Vectra AI is offering several services on a complimentary basis. These include scanning of Microsoft Azure Active Directory (AD), Microsoft 365 and AWS environments for signs of attack, surveillance of network infrastructure both in the cloud and on-premises and supporting the retention of historical metadata to aid incident response investigations based on indicators of compromise for specific attack variants. It is also offering technology from Siriux to immediately discover malicious Microsoft Azure AD activity that could lead to the compromise of Exchange Online mailboxes.
SentinelOne: SentinelOne is offering its singularity XDR platform free of charge for 90 days to Ukrainian companies as its teams look to provide support for those in need by sharing research, recommendations, indicators, and tools to stay on top of the evolving threat landscape.
Bitdefender: Global cybersecurity firm Bitdefender has expanded its collaboration with Romania’s National Cyber Security Directorate (DNSC) to provide technical consulting, threat intelligence and, free of charge, cybersecurity technology to any business, government institution, or private citizen of Ukraine for as long as it is necessary. Additionally, the Directorate, in partnership with Bitdefender, will provide free cybersecurity technologies for one year to any company or public entity from NATO or European Union space who seeks to enhance their cybersecurity posture by replacing cybersecurity solutions which present trust concerns from a technical or geopolitical perspective.
CrowdStrike: Endpoint protection, threat intelligence, and response company CrowdStrike has released a new tool to decrypt “PartyTicket” ransomware targeting Ukrainian entities since February 23. The firm stated that the ransomware contains implementation errors, making its encryption breakable and slow.
Microsoft: In a blog post on February 28, Microsoft President Brad Smith outlined steps the company has taken to help protect Ukrainian systems. This includes threat detection and remediation, most notably the discovery of a new wiper malware package, and limiting the success of Russian disinformation campaigns.
Cloudflare: On February 24, Cloudflare announced that it had removed all customer cryptographic data from its servers in Ukraine. The move was intended to protect people and data should those servers fall into Russia’s hands. The company continues to serve traffic via its Keyless SSL service.

More on cyberattacks:

To read this article in full, please click here

Read More