What we can learn from the leaked Conti ransomware group chats
Article by Varonis APJ vice president, Scott Leach.
In February, Russia-based ransomware group Conti declared it would fully support the Russian Government during its invasion of Ukraine. Leaked messages revealed the group's promise to show full force to any nation that dared to target Russia, whether it be via cyber-attack or other means.
The leaked chats also offer some other insights into the workings of the Conti ransomware group. Firstly, they reveal the group's organisational structure, which closely resembles that of a legitimate organisation, right down to the way individuals are paid. The documents reveal an annual payroll of approximately $US6 million for an estimated 65-100 hackers – an unsurprising figure given the group raised $US180m from extortion and data theft in 2021.
The leaked chats also demonstrate how the group works. Conti buys stolen databases to gather information on potential victims and then creates believable phishing attacks against their employees and business partners. It also uses these databases to estimate how much victims might be willing to pay.
The leaked conversations also reveal that Conti purchases various security products to test out their own malware and determine how easy the software is to bypass. The group even considers buying existing exploits and backdoors from other cybercriminals.
The organisation comes across as a highly disciplined business. For example, it has safety rules requiring good password hygiene from members and the use of best practice guidelines to retain anonymity. It also provides documents and instructions, including video tutorials, to help inexperienced hackers quickly become effective adversaries.
Like many other cybercrime groups, Conti has been impacted by Russia's invasion of Ukraine. The onset of cyberwarfare has driven state actors to become increasingly sophisticated, adopting the latest techniques from the legitimate commercial software industry.
The progress we've seen in general programming with development frameworks, automation and no-code programming is already translating to the cybercrime realm, making it easier for attackers to learn, develop and scale.
Now that Russia has allowed its local businesses to steal patents from anyone deemed to be from an 'unfriendly' nation, there are very few consequences for Russians wanting to take up cybercrime.
To make matters worse, many cyber-savvy Russians are losing their jobs or being sanctioned as American and European tech companies withdraw from doing business in Russia, making cybercrime an increasingly attractive prospect. They have the option of forming their own cybercrime business or providing R&D services to existing groups. In both cases, they represent new threats to global businesses and their data.
Why every company should 'assume breach'
Any system, account, or person can be viewed as a target, and penetration is seemingly inevitable with such a vast attack surface. So, organisations must adopt an "assume breach" mindset moving forward, focusing on what data an attacker will likely seek to maximise their financial gain after breaching your defences.
Most adversaries will be looking for an organisation's critical data stores. They will try to gain remote access to a network, find and exploit weaknesses, get control of high-level accounts and use these to steal data. Unfortunately, once they're inside the network, hackers don't usually experience much resistance in their endeavours.
Organisations can determine how easy it would be for hackers to access their critical data by examining what files their employees have access to. If a mid-level employee can access critical data, then an attacker could easily exploit this by compromising their account. If the employee doesn't have access to critical data, the attacker would have to do a bit more work.
Unfortunately, in most organisations, employees have unnecessary access to many thousands or even millions of files. Most organisations would not even know a user was accessing an unusually high amount of data.
And not all threats come from the outside either. For example, giving employees unnecessary access to huge amounts of data makes it easier for a rogue employee to do damage. In some cases, cybercriminals will even seek out disgruntled employees willing to give them access.
Making an attacker's job as difficult as possible
To make the attacker's job as hard as possible, organisations must limit each employee's 'blast radius' — that is, the data they can access. By only giving employees access to the necessary data to do their jobs, organisations can limit the amount of damage attackers can do if they gain access to the network.
The next thing to do is to get a handle on all your most critical data. Identify intellectual property, source code, customer and employee records and where these are stored. Make sure the only people granted access to these files actually need it.
Furthermore, organisations should put mechanisms in place to detect unusual access attempts (such as an employee accessing thousands of files in one session or accessing files that have nothing to do with their job), which can help identify an attack in progress. Anything an organisation can do to slow an attacker's progress increases its chances of detecting and blocking them.
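As an added illustration of the detection mechanism described above (example code written for this article, not a Varonis product or anything from the leaked chats), the script below scans a constructed file-access log and flags two kinds of unusual access: a session touching more distinct files than a threshold, and a user reading files outside the path scope assumed for their department. The log format, the department-to-path mapping and the threshold are all assumptions chosen for illustration.

```python
# Added example: flag unusual file access, as described in the article.
# Log format, JOB_SCOPE mapping and the threshold are constructed assumptions.
from collections import defaultdict

# Constructed sample log: timestamp,user,department,session_id,action,path
SAMPLE_LOG = """\
2022-03-01T09:00:01,alice,finance,s1,read,/finance/q1/budget.xlsx
2022-03-01T09:00:05,alice,finance,s1,read,/finance/q1/forecast.xlsx
2022-03-01T09:01:00,bob,engineering,s2,read,/src/app/main.py
2022-03-01T09:01:02,bob,engineering,s2,read,/hr/payroll/2022.csv
2022-03-01T09:02:00,carol,marketing,s3,read,/marketing/campaigns/a.pdf
2022-03-01T09:02:01,carol,marketing,s3,read,/finance/q1/budget.xlsx
2022-03-01T09:02:02,carol,marketing,s3,read,/finance/q1/forecast.xlsx
2022-03-01T09:02:03,carol,marketing,s3,read,/hr/payroll/2022.csv
2022-03-01T09:02:04,carol,marketing,s3,read,/src/app/main.py
"""

# Assumed mapping: which path prefixes each department needs for its job.
JOB_SCOPE = {
    "finance": ("/finance/",),
    "engineering": ("/src/",),
    "marketing": ("/marketing/",),
}

def parse_log(text):
    """Parse the constructed CSV log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, dept, session, action, path = line.split(",", 5)
            events.append({"ts": ts, "user": user, "dept": dept,
                           "session": session, "action": action, "path": path})
    return events

def find_unusual_access(events, max_files_per_session=3):
    """Return sorted (user, session, reason) findings for suspicious sessions."""
    per_session = defaultdict(set)   # (user, session) -> distinct paths read
    out_of_scope = defaultdict(set)  # (user, session) -> paths outside job scope
    for e in events:
        key = (e["user"], e["session"])
        per_session[key].add(e["path"])
        # Unknown department has no allowed prefixes, so everything is out of scope
        if not e["path"].startswith(JOB_SCOPE.get(e["dept"], ())):
            out_of_scope[key].add(e["path"])
    findings = []
    for key, paths in per_session.items():
        if len(paths) > max_files_per_session:
            findings.append((*key, f"volume: {len(paths)} distinct files in one session"))
    for key, paths in out_of_scope.items():
        findings.append((*key, f"out-of-scope: {sorted(paths)}"))
    return sorted(findings)
```

In a real deployment the threshold would be set from each user's own baseline rather than a fixed number, and the scope mapping would come from the access review the article recommends.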
Remember, data is an organisation's most valuable asset after its employees. With so many different attack vectors available today, it's not a matter of if but when an organisation's defences will be breached. By guarding their critical data closely, organisations can significantly reduce the level of damage done when this occurs.