The leak of internal information about the Russian hacking group “Conti” by a Ukrainian hacker reveals some interesting details on how they operate. Much of this is likely to be common across a number of such organisations, and although 17-year-old kids in Oxford are sometimes responsible for hacks, the majority are led by organised gangs.
These cyber criminals often work just like regular small businesses (except they are much more profitable). The Conti gang look like they employ 62-87 salaried people working a 5 day week – they even have a HR person!
Here is a brief synopsis of how they work:
- Conti ransomware has made at least $2.7 billion since they started in 2017 according to analysis of leaked bitcoin addresses. Other gangs are reported to make tens of millions of dollars per annum.
- They follow the standard technique of “double extortion”: ransomware is deployed, but if the organisation recovers without paying, they fall back on a “pay up or we release your data” policy.
- Disloyalty and distrust are high due to boring, repetitive work and poor management, especially among the lowest-paid members. This leads to competition to retain staff, and a shortage of basic skilled workers is affecting a number of organised gangs (sound familiar?), so training and recruitment are increasing.
- Evidence exists of direct involvement by the Russian Security Services (FSB) with a clear level of protection – to the extent that other gangs are sacrificed to divert attention.
- An unnamed journalist offered to help Conti extort companies (most likely by threatening to cover the company's breach), in return for a 5% commission.
- Lawyers are on the payroll to feed back information on cases against members.
- Many gangs use stolen scripts or tools from “cybercrime as a service” (CaaS) providers (yes, really).
- Other gangs such as LAPSUS$ specialise in SIM swapping, unpatched server flaws, dark web reconnaissance, and phone-based phishing tactics. Others use brute force and DDoS attacks.
- Microsoft Defender updates every 4 hours, and the criminals test the code they are writing against the latest version to ensure it isn’t instantly detected.
- They appear to be relatively disorganised despite their success. However, in one chat a “manager” writes: “We have all the opportunities and conditions, we just need to be more professional.” They know where their weaknesses are and they are driven to become more productive and efficient at what they do.
The two takeaways:
- Criminals are actively trying to bypass security and no one is immune, so constant vigilance is needed.
- They are becoming smarter and more organised which means we have to be as well.
It may seem from the information in this post that there is no way to stop hackers, but rest assured there are options that can certainly put up a good fight against them: simple things such as third-party anti-virus software, firewalls, backup software and, of course, user training.
Please feel free to get in touch with us and we would be more than happy to discuss what options are available for your business.