Researchers at BreachQuest, a Dallas-based cybersecurity and incident response company, on Wednesday released their analysis of chat logs that a disgruntled group member posted first on private channels and then on Twitter several weeks ago.
The leaks followed an aggressive pro-Russian message on the website of the well-known ransomware group. The release is intended to help organizations understand the internal workings of Conti’s organizational infrastructure.
According to Marco Figueroa, product manager at BreachQuest and former principal threat investigator at SentinelOne, these chat logs give an in-depth view of the ransomware gang's revenue numbers, leaders, recruiting practices, operations, and victims.
One of the most surprising revelations is that the group’s top leader invests heavily in bitcoin and is creating his own blockchain network to support the Conti group. Another key detail revealed by the chat conversations is that nearly all members of the group reside in Russia, Figueroa confirmed.
“This is a well-oiled machine that has been running for a while. They have earned 50 million dollars in September,” he told the press.
BreachQuest and the chat logs overview
The Conti group had previously announced that it would carry out cyber-attack campaigns in support of the ongoing Russian invasion of Ukraine.
According to BreachQuest, the infosec community then began circulating leaks provided by a Ukrainian security researcher: multiple years of internal chat logs that reveal Conti’s operations.
Leaked logs show that Conti does not limit its attacks to large companies or high-profile targets. It also goes after small businesses.
One of Conti’s primary objectives is to maximize victims' cooperation in paying to decrypt their data, through price negotiations, Figueroa said.
The strategy includes a series of gradually larger data releases until victims agree to pay. Until they do, each new release of compromised information comes at a higher price.
“One of the things the blog reveals is that they want to honor their work,” he said.
One discussion not included in the BreachQuest blog post on the log content concerned a victim company that made a special request in exchange for payment. The company wanted to download all of its files and then have Conti delete its copies, according to Figueroa.
The chat logs show the back-and-forth discussion and Conti’s agreement to comply, which the group treats as evidence that victims can trust Conti’s promises.
All well organized
Conti is organized in an effective hierarchy that isolates its workers within skilled groups. Key leaders are identified with indistinct names and titles.
The work of new hires is kept vague to prevent them from understanding too much about the organization. This, along with the criminal nature of the work, may contribute to the organization's high turnover rate, notes the BreachQuest report.
Conti divides teams into groups with an assigned team leader. Multiple leaders can work within large groups to manage job assignments and training.
Workers are explicitly required to “Listen, do, learn and ask questions, follow guides and instructions, complete assigned tasks”.
Conti’s leaks and the ongoing war in Ukraine could prompt Conti leaders to step up recruiting efforts.
The devalued ruble and international sanctions against Russia are pushing Russians toward bitcoin. Hence, Conti pays its workers in bitcoin at their request, according to the leaked records.
Recruitment process
Conti recruits workers using different strategies. The main method is recommendations from current, trusted workers. Another method uses recruiting services to find candidates with the necessary skills.
One such service is a website based in Russia which allows Conti’s human resources department to access the resume database for potential qualified candidates.
One analyzed chat between Conti employees shows the website offering Conti a significantly discounted price.
The Conti interview process is problematic. Candidates wait in a chat room, and questions are answered via chat exchanges rather than video, because video could compromise the operational security of its members. Many of the candidates leave the chat rooms before the interview begins.
Candidates who pass the interview negotiate their salary conditions and their role in the organization. People hired follow the “Introductory training for beginners”.
Operational factors
Much of the behind-the-scenes work involves hiring talent such as full-stack, crypto, C++, and PHP developers. They create various tools such as lockers, spamming tools, backdoors and/or administration panels.
Since many of the web applications were written in PHP, much of the software that was released lacked code and was nearly impossible to get working. The programmers had to fix all of this.
Reverse engineers analyze Microsoft updates to find out what changes come after system updates.
Additionally, they reverse engineer endpoint protection products to circumvent protections that could tamper with or inhibit their success in any way.
Special teams hunt for targets by gathering information from openly available online sources using various techniques.
Administrators assist in managing compromised corporate networks and in gathering victims' business-critical information to extract the maximum payout.
Testers help by evaluating and verifying that Conti's tools do what they are supposed to do in specific environments. Chat logs reveal daily tests against Windows Defender signatures to ensure that Conti's tools are not detected.
Conti follows specific proven processes to ensure a foothold in a compromised network. The hacker group is looking for potentially interesting people like an administrator, engineer or someone in IT.
Backups are primary targets
Ransomware teams look for backup servers in order to encrypt the victim company's data. The group also uses techniques to bypass backup storage providers to make sure the backups are encrypted.
Leaked records show that Conti searches for financial records, accounting files, clients, projects, and more. The strategy pushes Conti's workers to understand that their success depends on obtaining the target organization's information, which is useful for convincing victims to pay.
Relying on backup files in the cloud or elsewhere won’t keep a targeted business or organization safe from compromise, Figueroa noted.
“They chase your backups. They will do nothing (to notify a company of the successful compromise) until they know they have put you in a deadlock that you can’t get out of,” Figueroa said.
Leaked chat logs and full analysis are available on the website of BreachQuest.