Information security, nation-state hacking, ransomware and malware have been front and center of the Russia-Ukraine conflict, with hackers on each side allegedly launching large-scale attacks against the infrastructure of their opponent.
Although Russia is infamous for its hacking activities and ransomware groups long believed to be protected by the country’s government, threat actors in other countries in eastern Europe are also involved in the ransomware-as-a-service industry. That apparently includes Ukraine, as a purportedly Ukrainian affiliate leaked multiple years of chat logs and files from the Conti ransomware group.
The Conti group is one of the most notorious ransomware actors in recent history, so the massive amount of data contained in the leaks gives us an unprecedented look into how the ransomware-as-a-service industry operates.
We spoke with Chester Wisniewski, a principal research scientist at Sophos, for more context on what we can learn from the Conti ransomware leaks.
Ransomware is very lucrative
The Conti ransomware leaks included information about just how lucrative ransomware can be, as the group’s primary Bitcoin wallet has had upwards of $2 billion deposited in the last two years.
The group is apparently so flush with cash that it was able to purchase a Zero Day exploit in Internet Explorer 11 to use as an attack vector in late 2020. This is relevant because Zero Day exploits are very expensive, with many going for several million dollars.
According to Wisniewski, this was always suspected, but there has never been confirmation that a ransomware group purchased zero day exploits.
“’These groups are really rich, so I wonder if they’re buying zero days, was always the narrative before this,” Wisniewski says. “We’ve never had confirmation of a zero day sale with a ransomware group, to my knowledge, so this was kind of interesting.”
Conti, Ryuk and Trickbot
It has long been thought that Conti was somehow affiliated with the Ryuk ransomware and the Trickbot malware operators, but there was never any proof.
The Conti ransomware leaks were being released via a Twitter account called @ContiLeaks, and a new account called @TrickbotLeaks also emerged last week, which appears to stem from the Conti leaks, that has been leaking information about Trickbot, Conti, Mazo, Diavol, Ryuk and Wizard Spiders groups.
“There was some confirmation in their relationship with Trickbot and Ryuk, which all previously had been hearsay,” Wisniewski says. “This confirmed a whole bunch of assumptions that many of us had accurately put together.”
Conti’s Cooperation with the Russian government
Conti, like other ransomware groups believed to be operating out of Russia and other former Soviet states, has long been though to be untouchable when it comes to law enforcement action in Russia.
It is believed that the Ukrainian member of the group began leaking the information after the group posted a message to its dark web site declaring its “full support of the Russian government” and vowing to retaliate in the event of a cyberattack against Russia. Although, the group later deleted that statement in favor of a slightly more neutral stance.
“Another very interesting thing in the leaks was sort of tacit confirmation of cooperation with the FSB, in previous operations,” Wisniewski says.
Ransomware groups pass on well-secured targets
According to Wisniewski, another Conti ransomware affiliate last year produced leaks of internal training manuals and guides on how to compromise victims, what files to encrypt and threaten to leak and more.
“When you combine the two leaks, it does suggest that it’s pretty much a walk in the park for (Conti) in many of these cases,” he says.
However, the leaks also suggest that they move on to less secure organizations when they run into resistance when the would-be victim is well secured.
“If they’re doing hand-to-hand battle with a reasonably well-secured victim, they just don’t bother because there’s another 500 victims in the queue that have nothing,” Wisniewski says.
Ransomware hackers use Active Directory to move laterally
While the Conti ransomware leaks have produced a lot of chatter amongst cybersecurity professionals about the importance of patching VPNs and using multi-factor authentication, Wisniewski says securing Active Directory is far more important.
“There has been a lot of talk about how easy it is for [Conti and other ransomware groups] to pivot and move laterally using Active Directory and how poorly secured it is,” he says.
The tool is widely used by administrators to manage computers, which gives ransomware attackers the ability to infect entire organizations if they can compromise an admin account.
According to Wisniewski, simply following best practices in Active Directory deployment would throw a major hurdle at ransomware operators.
“They’re using Group Policy Objects in Active Directory to deploy ransomware [and] Microsoft tools like PsExec to remotely run the ransomware on computers. They’re [also] using PowerShell. All of these things can be carefully managed and maintained, and that would throw their playbook out the window,” Wisniewski says. “I mean, we all know how important it is to secure Active Directory. But to me, I would put more emphasis on it now because it just hadn’t really clicked in my head, how dependent they were on AD to do so much and what they do.”
Purchasing and testing of cybersecurity tools
The Conti ransomware leaks also contained evidence that the group was actively seeking trial copies of cybersecurity software to test against and find ways around firewalls and anti-malware tools.
Some of the chat logs indicated that products from Sophos and other leading security vendors proved too difficult to get around, which suggests that cybersecurity software is keeping up with attackers.
“It suggested that have been raising [ransomware groups’] cost of doing business,” Wisniewski says. “It’s good to know because it suggests that the direction the industry has been going is increasing the pain over there.”
Leave a Reply