The leaked internal chat threads of ransomware group Conti’s members have allowed researchers to map the criminal organization’s profile – and they say it doesn’t look much different from a legitimate multinational.
“With the Conti leaks, the information security community now has the best look it's ever gotten at what makes these criminal groups tick,” said infosecurity analyst Intel 471.
“There are divisions dedicated to examining every facet of a potential target – no matter the size – in the hopes that the information can help them extract more money post-attack.
“The stereotype of young men in a basement coding their way into international crime sprees is woefully inaccurate. Ransomware groups operate like corporate entities, with payroll, revenue goals and salary bonuses worked into their operations.”
The leaked data – thought to have been released by a former gang member upset by Conti’s support for the invasion of Ukraine – revealed that one of these divisions was responsible for collecting data on potential target companies.
Its duties included “drafting phishing scripts that were used over the phone and sent via email, and applying multiple forms of pressure in ransomware negotiations.”
Known as the “Fire Team,” the sub-group had ten people to its name by the end of last year, tasked with preparing “operational and revenue reports on potential targets.”
Team members were salaried at a rate of $2,000 per month – in addition to a one percent “commission” on any ransom they helped to negotiate. Payouts were made using cryptocurrency and prepaid bank cards.
Yet not all “employees” of Conti got deals they were happy with, and the leaked webchats revealed many dissatisfied workers.
“Even criminal syndicates can’t avoid office politics,” said Intel 471. “Despite the structure set up by Conti, team members still complained to their bosses and one another about time spent working and the amount of money each member made.”
Reports on potential victims or “targets” were required to include the phone numbers, email addresses, and social media accounts of company bosses, mid-level employees, and IT staff. In a further sign of a sales target culture being adopted by Conti, each report was required to have these details on at least twenty workers at a targeted company.
Curiously, the gang members were told to focus on female employees – possibly an indication that corporate sexism is also being emulated by the cybercriminal outfit.
Other Conti divisions were tasked with obtaining specific technical information, such as internet domain names, IP addresses, names of purchasers, and SSL certificates – digital documents authenticating a website’s identity that permit encrypted connections.
“Remember, any information about the company may be useful for its competitor (our client),” posted one team leader in one Russian-language chat scrutinized by Intel 471. “We need EVERYTHING!”
Tools and subscription services used by the Conti “team” to gather such data included the SignalHire contact details platform, SpiderFoot open-source intelligence tool, and Shodan search engine.
Initially the Conti sub-group aimed its research efforts at major multinationals such as Apple, Citibank, General Electric, Goldman Sachs, Hewlett Packard, IBM, Microsoft, Pfizer, Walmart, and Wells Fargo.
“However, a month later, the team changed direction, focusing on organizations in the aerospace, chemical, defense, energy, hospitality and medical equipment industries,” said Intel 471.
“As affiliates launched attacks, reconnaissance assignments changed,” it added, saying that the team was redirected to: “find information on dental clinics and online stores, as they were considered to be the ‘best’ targets. Preference also was given to insurance, law and logistics companies.”
And in a final twist, it appears Conti even has a legal team – of sorts.
“An alleged ‘lawyer’ familiar with US and European legislation sought additional ways to pressure hacked companies with threats of litigation from customers or employees, or official complaints that would be sent to government authorities,” said Intel 471.
“This set of actors would also have side conversations about ransomware victims, primarily focused on data that would be posted on the Conti name-and-shame blog from time to time.”
More from Cybernews:
Subscribe to our newsletter