On Wednesday, Secureworks published a set of findings based on the group's internal chat logs, leaked earlier this month and pored over by cybersecurity researchers ever since. The internal messaging records were leaked online after Conti, tracked as Gold Ulrick by Secureworks, declared its public support for Russia's invasion of Ukraine, an ongoing conflict.

Conti is a prolific ransomware group suspected to be of Russian origin that has claimed hundreds of victim organizations worldwide. The group infiltrates a network, either independently or by purchasing initial access through underground forums, steals data, encrypts systems, and then demands a ransom. Victims who refuse to pay may find their information leaked online. Conti's average ransom demand is roughly $750,000, but depending on the size and annual revenue of a victim, blackmail payments can be set far higher, sometimes reaching millions of dollars.

Check Point researchers have previously scoured the Conti chat logs and exposed a rather "mundane" operation, the type you'd expect a typical software development business to run. This included a business infrastructure offering office, hybrid, or remote work options, performance reviews, bonuses, and a hiring process for coders, testers, system administrators, and HR. While new members are interviewed, not everyone is told they are applying to work with a criminal outfit, as some "employee" messages have revealed. However, they may be offered salaries far higher than the local average to stay on when the truth comes out.

According to Secureworks' analysis of the logs, which contain 160,000 messages exchanged between almost 500 individuals between January 2020 and March 2022, 81 people were on the payroll, with an average salary of $1,800 per month.
While core operators likely take a far larger slice of the pie, it is estimated that the average Russian household brings in $540 per month, so the "salary" offered by cybercriminal groups could be a strong lure. Furthermore, with the value of the ruble tumbling due to international sanctions, this may entice more people to enter this market.

In addition, Secureworks has found links between the "designated leader" of Conti, dubbed "Stern," and other cybercriminal groups. Stern is a figure described as someone who makes "key organizational decisions, distributes payroll, manages crises, and interacts with other threat groups." The team suspects that they also hold a leadership position in Gold Ulrick (Trickbot/BazarLoader). Secureworks also found connections to the cybercriminal groups Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID), although these may exist only for communication and/or collaborative purposes.

"The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support," the researchers say. "Members of groups previously believed to be distinct collaborated and frequently communicated with members of other threat groups. This interconnectivity shows these groups' motivations and relationships. It highlights their resourcefulness and ability to leverage subject matter expertise within the groups."

On March 20, an unnamed researcher, believed to be from Ukraine, also published a recent version of the Conti ransomware source code. The package was uploaded to VirusTotal for the benefit of cybersecurity defense teams, but it may also be adapted for use by threat actors.