BreachQuest Dissects and Releases Pro-Russia Ransomware Group’s Internal Chat Logs

Recently leaked internal documents from a member of the Conti ransomware group reveal the gang’s status as a multi-level business organization.

Researchers from BreachQuest, a Dallas-based cybersecurity and incident response firm, released their analysis Wednesday of chat logs that a disgruntled member of the group first posted to private channels and then to Twitter in recent weeks. The leaks followed an aggressive pro-Russian post on the notorious ransomware group’s website.

The release is intended to help organizations understand the inner workings of Conti’s organizational infrastructure, according to Marco Figueroa, product manager at BreachQuest and former senior threat researcher at SentinelOne.

These chat logs feature a deep dive into the revenue figures, executives, recruiting practices and operations, and victims of the ransomware gang.

One of the most surprising revelations is that the leader of the group is investing heavily in bitcoin and creating his own blockchain network to support the Conti group. Another key finding from the chat conversations is that almost all of the group’s members reside in Russia, Figueroa confirmed.

“It’s a well-oiled machine that’s been running for a while. They made $50 million in September,” he told TechNewsWorld.

Chat Logs Overview

The Conti Group previously announced that it would execute cyberattack campaigns supporting Russia’s ongoing invasion of Ukraine.

According to BreachQuest, the infosec community then began circulating leaks provided by a Ukrainian security researcher that detailed several years of internal chat logs revealing Conti’s operations.

Leaked logs show that Conti is not limiting attacks to large companies or targets. They also go after small businesses.

One of Conti’s main goals is to maximize the chance that victims pay to decrypt their data, using price negotiations as leverage, Figueroa said. The strategy includes a series of progressively larger releases of stolen data until the victim agrees to pay, and until they do, every new release of compromised information raises the asking price.

“One of the things the blog reveals is that they want to honor their work,” he said.

Not included in BreachQuest’s blog post on the chat log content was a discussion of how a victimized business made a special request in exchange for payment. The company wanted to download all of its files and then have Conti delete its copies, according to Figueroa.

The chat logs record the back-and-forth discussion and Conti’s agreement to comply, which the gang treats as a signal to future victims that Conti keeps its promises.

Well Organized

Conti is organized in an efficient hierarchy that isolates its workers within skilled groups. The main leaders are identified only by nondescript handles and titles.

New employees are given only a vague picture of their work so that they do not learn too much about the organization. This compartmentalization, together with the criminal nature of the work, may contribute to the organization’s high turnover rate, the BreachQuest report notes.

Conti divides teams into groups with a designated team leader. Multiple leaders may work within large groups to maintain work assignments and training.

Workers are explicitly required to “listen, do, learn and ask questions, follow guides and instructions, complete assigned tasks”.

The leaks and the ongoing war in Ukraine could push Conti’s leaders to step up recruiting efforts. The devalued ruble and international sanctions against Russia are pushing Russians toward bitcoin, so Conti now pays its workers in bitcoin at their request, according to the leaked logs.

Recruitment process

Conti recruits workers using several strategies. The main method is the recommendations of current trusted workers. Another method uses recruitment services to find candidates with the necessary skills.

One such service is a Russia-based website that gives Conti’s human resources department access to a CV database of qualified potential candidates. One analyzed conversation between Conti staff members concerns a significant price change by the website and a discount offered to Conti.

Interviews at Conti are problematic. Candidates wait in a chat room, and questions are asked and answered over text rather than video, since video could compromise the operational security of its members. Many candidates leave the chat room before the interview even begins.

Candidates who pass the interview negotiate their salary conditions and their role in the organization. The people hired follow an “initiation training for beginners”.

Operational factors

Much of the work behind the scenes involves hiring talent such as full-stack, crypto, C++ and PHP developers. They build tools such as lockers, spam tooling, backdoors and admin panels.

Because much of the web application tooling was written in PHP, the software Conti obtained was incomplete and nearly impossible to run; the programmers had to fix all of that.

Reverse engineers analyze Microsoft updates to find out what changes after a system update. They also reverse engineer endpoint protection products to circumvent any protection that might alter or impede the gang’s tooling.

Special teams search for targets by collecting open-source intelligence from freely available online sources with various techniques. Administrators help manage compromised corporate networks and collect critical information about the victim so the business can extract the maximum payout.

Testers evaluate and verify that Conti tooling does what it is supposed to do in specific environments. The chat logs reveal daily tests against current Windows Defender signatures to ensure Conti’s tools would not be detected.

Conti follows specific, proven processes to secure a foothold in a compromised network. Once inside, the operators look for potentially interesting accounts, such as those of an administrator, an engineer or an IT specialist.

Primary Backup Targets

Ransomware teams search for backup servers so that the victimized company’s backup data is encrypted along with everything else. The operators also use techniques to bypass backup storage providers’ protections to ensure the backups themselves are encrypted.

Log leaks show that Conti is looking for financial documents, accounting files, customers, projects and more. The strategy pushes Conti workers to understand that their success depends on obtaining useful information from the target organization to convince victims to pay.

Relying on backup files in the cloud or elsewhere will not protect a targeted business or organization from compromise, Figueroa noted.

“They attack your backups. They won’t do anything (to tell a company about the successful compromise) until they know they’ve put you in a bind where you can’t get out,” Figueroa said.
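The backup-hunting stage Figueroa describes is also the point at which a defender still has a chance to intervene: before encryption, the operators typically disable the victim’s recovery mechanisms. The following is an added example, not code from BreachQuest’s report or from the leaked Conti material. It runs a small detection over process-creation logs and flags the well-known recovery-inhibition commands (shadow copy deletion, backup catalog deletion, boot recovery disabled, backup services stopped; MITRE ATT&CK T1490). The log format, the host and user names, and the sample lines are constructed for this example, and the specific command patterns are an assumption on my part, since the article does not name the commands Conti uses.

```python
"""Flag recovery-inhibition commands in process-creation logs.

Added example; not code from BreachQuest or from the leaked Conti chats.
The log line format and SAMPLE_LOG below are constructed for this example.
The command patterns are the generic, publicly documented T1490 techniques
(an assumption: the article does not say which commands Conti runs).
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed log format: ISO timestamp, host=, user=, pid=, cmd="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'pid=(?P<pid>\d+)\s+cmd="(?P<cmd>.*)"$'
)

# (technique name, regex over the lower-cased command line)
RECOVERY_INHIBITION_PATTERNS = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vss_resize_storage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b")),
    # Service names are an assumption; adapt to the backup product in use.
    ("backup_service_stop",
     re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop)\b.*"
                r"\b(?:veeam|backup|vss)")),
]

# Constructed sample: a legitimate backup job, then a burst of recovery
# inhibition on FS01, a harmless 'list' on WS07, and one malformed line.
SAMPLE_LOG = """\
2022-03-02T10:14:05Z host=FS01 user=CORP\\backupsvc pid=2211 cmd="C:\\Program Files\\Veeam\\Backup\\VeeamAgent.exe --job nightly"
2022-03-02T10:14:09Z host=FS01 user=CORP\\jdoe pid=4120 cmd="vssadmin.exe delete shadows /all /quiet"
2022-03-02T10:14:11Z host=FS01 user=CORP\\jdoe pid=4133 cmd="wmic shadowcopy delete"
2022-03-02T10:14:12Z host=FS01 user=CORP\\jdoe pid=4140 cmd="bcdedit /set {default} recoveryenabled no"
2022-03-02T10:14:15Z host=FS01 user=CORP\\jdoe pid=4151 cmd="wbadmin delete catalog -quiet"
2022-03-02T10:20:01Z host=WS07 user=CORP\\asmith pid=9001 cmd="vssadmin list shadows"
2022-03-02T10:21:44Z host=WS07 user=CORP\\asmith pid=9014 cmd="net stop VeeamBackupSvc"
not a log line
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def classify(cmd: str) -> List[str]:
    """Return the names of every recovery-inhibition pattern the command matches."""
    low = cmd.lower()
    return [name for name, rx in RECOVERY_INHIBITION_PATTERNS if rx.search(low)]


def detect(lines: Iterable[str]) -> List[Dict]:
    """Return one alert record per log line that matches at least one pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["cmd"])
        if hits:
            alerts.append({**rec, "techniques": hits})
    return alerts


def _parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def summarize_by_host(alerts: List[Dict],
                      window: timedelta = timedelta(minutes=15)) -> Dict[str, Dict]:
    """Group alerts per host and rate them.

    Severity is 'high' when two or more distinct techniques appear on a host
    and all of that host's alerts fall inside `window`; an administrator
    rarely needs several of these commands in quick succession, while a
    ransomware pre-encryption stage runs them back to back.
    """
    by_host: Dict[str, List[Dict]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    summary = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: _parse_ts(a["ts"]))
        techniques = set()
        for a in items:
            techniques.update(a["techniques"])
        span = _parse_ts(items[-1]["ts"]) - _parse_ts(items[0]["ts"])
        severity = "high" if len(techniques) >= 2 and span <= window else "medium"
        summary[host] = {
            "techniques": sorted(techniques),
            "users": sorted({a["user"] for a in items}),
            "severity": severity,
        }
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for host, info in summarize_by_host(found).items():
        print(host, info["severity"], info["techniques"], info["users"])
```

On the constructed sample, FS01 is rated high (four distinct techniques from the same user within six seconds) while WS07 is rated medium for a single service stop, and the legitimate Veeam job and the `vssadmin list shadows` call produce no alert. In production the same logic applies to Sysmon Event ID 1 or Windows Security Event ID 4688 command lines; the point is that the pre-encryption attack on backups is loud, and that an alert on it needs to page someone fast enough to matter.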

The leaked chat logs and full analysis are available on the BreachQuest website.
