Black Hat USA 2024: structure of ransomware gangs is more science than art


Natural Language Processing (NLP), Machine Translation (MT), and native language knowledge helped these researchers uncover the mystery of the Conti ransomware gang – it appears that hackers are just like us, after all.

Although communication between hackers and cybercriminals may seem inane and trivial, researchers at Indiana University and Loyola Marymount University have identified various factors that impact cybercriminals' communication.

“Online crime has evolved from attention-seeking individuals to organized criminal enterprises,” the researchers say.


In the study, eCrime groups such as Wizard Spider, the group responsible for the Conti ransomware and now known as “the Conti ransomware gang,” are treated as organizations, and the nuances in their communication are used to understand the relationships, hierarchies, and organization of eCrime groups.

Using a combination of network science and organizational theory, the researchers conclude that “the current approach to eCrime as a craft or art can be moved to a more systemic basis with the application of organizational science.”

To understand how eCrime groups are structured, the researchers analyzed the communication of the Russian ransomware gang Conti, which used advanced encryption to target corporations, government institutions, and healthcare facilities.

The gang typically demanded huge ransoms to restore the data that was encrypted in a ransomware attack.

Communication between hackers is usually kept private. However, due to the cybercrime gang’s outright support of Russia during the invasion of Ukraine in 2022, an anonymous hacker released what the researchers call “internal operation data” as an “act of resistance to the gang.”

This revelation demonstrated the organizational structures, operational methods, and strategies of the ransomware gang, revealing that the eCrime organization almost functions as a company.

Roles and communication

The researchers detailed the different types of members present within the ransomware gang. “The group has at least three tiers of membership: leaders and management, hired members, and contractors or short-term members,” demonstrating somewhat of a hierarchy.


But with hierarchy comes varying relationships that all impact the way ransomware gangs communicate – with four relationship types being the most influential.

Relationship types

Researchers found that authority, mentorship, work routines, and friendship all play a role in the way hackers and cybercriminals communicate. Some will communicate in an authoritative way, expressed through tone of voice or through slow or absent responses, while others will share unique and personal information about themselves in a friendly manner.

The researchers hypothesized that these relationship styles and the hierarchical nature of ransomware gangs may influence communication, and that’s exactly what Conti’s communication showed.

Conti’s communication

Researchers examined chat logs that included general information “common to a typical business environment,” such as operator interviews, service payments, out-of-office messages, gossip, and product discussions.

According to researchers, at times, members shared information that hinted at their political orientation and their relationship with the state.

“They talked about potential involvement in the Russian Federal Security Service (FSB) operation related to the Bellingcat journalist, seemingly alluding to the poisoning of Alexei Navalny, the opposition leader in Russia who at the time was already imprisoned.”

Alongside political conversations between the mostly Russian-speaking group (although some members are said to be from Belarus and Ukraine), there were other elements of communication that are interesting to note.

Hackers can be “funny” too


One was the jokey nature of these chats, which were mainly pro-Soviet and pro-Russian. However, racist, misogynistic, and homophobic jokes were also present, alongside pro-Russian memes related to the invasion of Ukraine.

One user was seen congratulating the members on Defender of the Fatherland Day, a national holiday in Russia. The message, translated with DeepL, a neural machine translation program, read, “Happy Holidays, cybertroops! Let’s beat the amers.”

The group also expresses opposition to America in its communication while celebrating the beginning of the war in Ukraine. The members call to “break or bend the Americans and employ a violent homophobic slur.”

But it wasn’t all fun and games for these researchers as they had to employ particular techniques to uncover how ransomware gangs communicate and why.

Methods for extracting insights into Conti

Due to the language barrier, analyzing these messages posed some issues. The researchers acknowledged that members often write inconsistent and jargon-heavy messages, which can be difficult to interpret using natural language processing (NLP) alone.

“Some of the most fundamental NLP methods, such as Bag-of-Words, Term Frequency Inverse Document Frequency, and Latent Dirichlet Allocation, are effective for specific tasks (e.g., searching, keyword finding) but struggle with semantics and grammar.”

Although machine translation (MT) has come a long way, researchers said that jargon-heavy text is often mistranslated, and semantics are lost, which “hinders the efficacy of cyber threat identification.”

The researchers appreciate the importance of deploying NLP and MT but don’t negate the need for native speakers when translating non-English messages, as inaccurate translations can fuel false or incomplete analyses.

This makes it important for the researchers to take a multidisciplinary approach to the communication of Conti and other ransomware gangs.
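As an added illustration of the limitation the researchers describe (this is not code from the study), the following from-scratch Bag-of-Words/TF-IDF pass runs over a few constructed English chat lines modelled on the kinds of messages mentioned above: exact keyword search works, but a jargon form such as “amers” is neither found by a search for “americans” nor scored as similar to a message with the same meaning, which is the gap MT and native-speaker review have to fill.

```python
import math
import re
from collections import Counter

# Constructed sample chat lines (not taken from the leaked Conti logs).
MESSAGES = [
    "payment for the server is due friday, send the invoice",
    "out of office until monday, ping the team lead for access",
    "happy holidays cybertroops, let's beat the amers",
    "we need to beat the americans on this deal",
    "new build of the loader is ready, testing the crypter now",
]

TOKEN_RE = re.compile(r"[a-z']+")


def tokenize(text):
    """Lower-case word tokens; a bag of words discards order and grammar."""
    return TOKEN_RE.findall(text.lower())


def tfidf_vectors(docs):
    """Plain TF-IDF with smoothed IDF; one sparse {term: weight} dict per doc."""
    toks = [tokenize(d) for d in docs]
    n = len(docs)
    df = Counter(t for doc in toks for t in set(doc))
    idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
    vecs = []
    for doc in toks:
        tf = Counter(doc)
        vecs.append({t: (cnt / len(doc)) * idf[t] for t, cnt in tf.items()})
    return vecs


def cosine(a, b):
    """Cosine similarity between two sparse vectors (0.0 if either is empty)."""
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def keyword_search(docs, keyword):
    """Keyword finding: indices of messages whose bag contains the exact term."""
    return [i for i, d in enumerate(docs) if keyword in tokenize(d)]


def jargon_similarity(docs, i, j):
    """TF-IDF similarity of two messages; surface jargon drives the score."""
    vecs = tfidf_vectors(docs)
    return cosine(vecs[i], vecs[j])
```

A search for "americans" returns only message 3 and misses the "amers" message, and the two messages score well under 0.2 despite saying the same thing.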


Learning from criminals' communication

By examining the way an organization is structured, how this impacts communication, and the content of these messages, cybersecurity experts can learn more about how cybercrime groups operate, the researchers said.

Demystifying cybercrime organizations is arguably the first step in understanding and then dismantling them.

The focus on non-English-speaking groups might seem strange, as it poses various difficulties in understanding these groups. However, the researchers had a valid argument for why it's a fundamental practice to examine cybercrime groups like Conti.

“Focusing on non-English-speaking eCrime environments, such as those in Eastern Europe and post-Soviet countries, can enhance our ability to predict and respond to global cyber threats.”

Although academics often overlook these areas, the researchers concluded that they “contribute significantly to the landscape of cybercrime, and their unique socio-political dynamics and geographical locations can influence the structure and operations of eCrime groups, which have complex interrelations.”

The researchers will present their research at Black Hat, a hacker conference in Las Vegas, Nevada.