Putting Conti in context
Ransomware groups are changing up their game. To see where things are heading, look no further than the Conti group, says Yelisey Boguslavskiy, a Security Studies Expert at the firm AdvIntel. He joined ConversingLabs host Paul Roberts for this latest episode of the podcast to dig into Conti Ransomware Group’s recent activity. They also discuss what lessons Conti holds for organizations who want to defend against evolving ransomware threats.
EPISODE TRANSCRIPT
PAUL ROBERTS
This is ReversingLabs' new podcast where we talk to threat researchers, threat intelligence experts, and folks who are expert in malware and threat hunting and kind of go do deep dives with them to help you in your work within organizations. Really excited this week with our guest. With us today we have Yelisey Boguslavskiy from Advanced Intel. He is a top threat researcher and expert, and we're going to be talking about the news of the week. To start off, I thought I would just introduce myself. My name is Paul Roberts. I am the Cyber Content Lead here at ReversingLabs. And longtime cybersecurity journalist and analyst, have been covering this space for a while. Really excited to be doing this podcast and talking to these folks. Joining me from ReversingLabs, we've got Carolynn van Arsdale. Hi, Carolynn. Who's going to help us do the Q&A. Yeli, tell the audience a little bit about yourself.
YELISEY BOGUSLAVSKIY
Hi. My name is Yelisey Boguslavskiy. I'm the head of research at Advanced Intelligence LLC. I have been tracking ransomware groups and malware groups for the last six years. Previously, I worked in sanctions and regulatory compliance. I have a security status degree from George Washington University, and I'm an author of a book called Security Pragmatism the Peripheral Alliance, which is devoted to the intelligence cooperation between Turkey, Israel, Iran, Ethiopia and Sudan. Back in the 50s and the 60s.
PAUL ROBERTS
What's really great about you, Yeli is you've got expertise in both malware and threats and then also just a lot of the geopolitical context. And we're going to be talking about that today. Okay, so our agenda for the show, we're going to be spending the first part of the show just talking about some of the big news of the week, in particular the ongoing warfare, and including cyber warfare in Ukraine, as well as the exploits of the Lapsus$ group. And then we're going to go to our main topic for the show, which is the Conti malware ransomware. It's been around for a while, but it is something that is increasingly generating warnings and concerns. There's new activity, and we're going to talk about why Conti, which has been around for a while, is suddenly at the top of everybody's list of things they're worried about. Yeli, just tell us a little bit about AdvIntel and the work that you guys do just so our audience kind of understands what the company is.
YELISEY BOGUSLAVSKIY
We're a threat prevention company. We're specifically focused in on preventing attacks, on identifying the precursors, on identifying the anatomy of previous attacks in order to predict and prevent and disrupt the future attacks. That's the main reason why we're putting such a strong emphasis on ransomware. Or another obvious reason, of course, because ransomware is so prolific now. And our model is essentially based on tracking down the ransomware precursors from botnets to specific selections of targeted endpoint to specific selections of vulnerabilities that are adversarily targeted by relative ransomware groups. And by this, we are essentially able to disrupt the attack on the stage when it's still possible to remediate to a point when there is no damage, when the payload is not deployed, when the data is not denied, and most importantly, when data is not exfiltrated or exposed in any sense.
PAUL ROBERTS
Yeah, earlier is better, definitely, with spotting these attacks and preventing them. Right? So, yeah, that's what makes certain intelligence so important. So let's talk just a little bit about some of the big news that's been happening this week. Like cybersecurity, it's never dull. There's always a lot going on. First off, the war in Ukraine started more than a month ago and as we've reported and others, coincident with the start of that war, there was a lot of cyber activity. We saw some new wiper malware that were deployed within Ukraine's cyberspace and we saw an attack on satellite modems as well at the onset of that conflict. Yeli, what can you tell us about the state of play right now in Ukraine and whether that initial kind of flurry of attacks, whether we've seen that keep up over the last month?
YELISEY BOGUSLAVSKIY
I think there is a major confusion, if not, say shock, with what we see on the cyberspace because the natural expectations was that the war will definitely be guided in parallel with massive spikes of cyber warfare activities, which is not seen at this point. And this confusion is even way beyond the American or Western cyber community. As a person myself of Ukraine and Russian origin, I've been a participant of the Yoga Maidan revolution back in 2014. I'm looking at this space from within as well, and I see this confusion across the Ukrainian cyber community and the Russian cyber community regarding the lack of massive attacks or just constant attacks. And the delightful reason for that is that most of the cyber threat for this region, the actual cyber threat, not the one that was politicized through the media, came from the for profit groups and the for profit groups. And we will talk more about that in the Conti example, for profit groups decided to stay with their craft rather than engage in political or warfare related operations. And then at the same time, the state affiliated groups. First of all, I believe their capabilities, especially on the Russian side, were highly overestimated, partly because of the political context related to those groups and bipartisan contexts here in the west, in the United States. But also they were always seen strategically as an auxiliary substitute for the gray zone between warranties, specifically in Ukraine after the Euromaidan riots in 2015, groups like Gammaradon who were essentially targeting military infrastructure through cyber means because there is no opportunity to target military infrastructure with kinetic means as a substitute to kinetic warfare. Cyber espionage was to some point practice by Russians especially, but also by Ukrainians. But now with the kinetic warfare being waged, there is just no need for this supplementary power. And as a result of that. We just don't see it because it's unnecessary. Like you don't need to have a grid if you can shoot a missile into the grid.
PAUL ROBERTS
Right. Yeah, that's right. And I think initially there were expectations that Russia was basically going to shut off the Internet within Ukraine, kind of deny them any ability to connect with the outside world and so on. We didn't see that whether because the defenses were better than people expected or maybe because the Russian military needed to rely on an infrastructure just like the Ukrainian military did. But yeah, it seems like once the bombs started dropping and the tanks started rolling, cyber ops were kind of a sideshow in this whole thing. And certainly that's been my impression just covering the news in the last few weeks. I think what's interesting, we definitely have seen some novel malware that was clearly used and we wrote about this and talked about this in our last ConversingLabs, clearly prepared in advance of this operation by, we can assume, the Russians and Russian affiliated groups. So like, you know, malware was part of the arsenal that Russia had prepared for this operation.
YELISEY BOGUSLAVSKIY
Yes, this is true. And I think in any major military operation, the level of preparation was not really relatable to the level of the actual warfare. So yes, they tried to engage in different ways of preparing for the operation and malware was a part of it. But when the actual warfare began, it all shrinks to extremely conventional means, which I think reminds us in general that the war definitely reminds us that the wars are still possible. Some kind of notion I think we start to drop here a bit in the west and it also reminds us that the conventional wars are fought pretty much the same as they used to be fought 50 years ago. There is not that much of a change. And I think it also relates to the question of what is cyber warfare? Well, in an actual war, probably there is just no cyber warfare. And that's it.
PAUL ROBERTS
Right. There might be cyber operations right, as part of your kinetic attack, but again, kind of a sideshow. Okay, so the other big story of the last week or two weeks really has been Lapsus$, which is this group, malicious actor group, not brand new, it's been around for a while, but really has attracted a lot of attention with some very high profile attacks going back a few weeks. Nvidia and then more recently a Okta, LG, Microsoft and on and on. Yeli, what can you tell us about Lapsus$?
YELISEY BOGUSLAVSKIY
So Lapsus$ is an interesting game changer in general. I think one thought I will be reiterating through the entire podcast today is that 2022 is a turning point for ransomware. And ransomware is evolving in very different ways through the last half year and we will see more and more of this evolution in changes and redesigning of patterns in 2022. And I think Lapsus$ is a great example of those changes for the three years we were so used that ransomware is traditionally Russian speaking and it's based around attacks that are conducted by organized groups with many individuals who have professional careers, so to speak, in cybercrime for years and years. And then we see these teenagers in the UK who are not a part of any crime groups, who are not even Russians or Russian speakers and who are not really motivated for any ideological or for profit reasons. And this is definitely something that I don't think anybody expected because of how straight and reaches the pattern of ransomware developments are, but also because it's just something like very counterintuitive. And this is a very interesting precedent and it would be really interesting to see if we'll see similar precedents like that popping up all around the world, not only in UK.
PAUL ROBERTS
Yeah, I mean one byproduct of these high profile attacks is they got a lot of attention both from other from threat researchers like yourself as well as just within the underground hacking community. And it was revealed the leader of this group, a 16 year old from Oxford in the United Kingdom, there were arrests of seven people in the UK, possibly including that individual, all between the ages of 16 and 21. And then there's maybe some other members of this group who are located elsewhere in the world. I think that really surprised people, especially given the targets like Okta, not an incredibly valuable company, but not one that you would think teenagers would be particularly interested in going after, as well as Microsoft and so on. It's a little bit frightening, I think that firms that are that sophisticated, that have the resources and technical expertise, could still fall victim to a bunch of teenagers. What do we know about their methodology and why they have been able to compromise those environments? Again, not easy targets.
YELISEY BOGUSLAVSKIY
Well, the main reason for that is yes, those firms are large and they can defend themselves, invest in a lot of defenses, but exactly because they're a scale, the attack surface is just enormous and this is exactly what Lapsus$ has been weaponizing. We couldn't say it was some kind of common, selective APT style, big game hunting ransomware attack. It was rather feeling this huge scale of attack surface to a point where they were able to find the vulnerability and then develop this vulnerability. So in this sense it doesn't really matter how much for the company like Microsoft, it doesn't really matter how much you invest in defenses, just the scale of the environment and how ubiquitous digital technology is. It means that attack surface is so large, that something will break somewhere, there would be a hole somewhere, maybe even a primitive one. And after a while. After a certain time span on trial and error like Lapsus$ did you'll find this thing and then definitely after that it all depends on skill and understand like people who were arrested, we could say they're really talented because after finding this hole in the wall and then going further and actually exploiting it, this requires some skill.
PAUL ROBERTS
You need to be able to avoid detection once you're in the environment. They clearly were able to do that. They were able to take and leak data and so on. One thing I think Dan Goodin over at Ars Technica was writing about this one technique we know they used was basically multi factor authentication prompt bombing, whether it's, I don't know, duo or some other multi factor authentication app, just sending prompt after prompt login prompt to individuals where they had their credentials in the hope that they would just wear them down. Eventually they just approve the MFA prompt and let them in. And apparently that's been successful in some of these instances. Dan Goodin pointed out that Cozy Bear, the SolarWinds hackers did a pretty similar thing in their operation. So it's like we're seeing this confluences coming together of high end attack techniques used both by nation state apt groups where you'd expect it, but also just kind of run of the mill teenagers out having lulls. And that must be concerning. I think if you're here in an organization.
YELISEY BOGUSLAVSKIY
That's true, that's really true, we can revert this thing to some extent and actually question ourselves, maybe those who are considered state hackers from the GRU were also some kind of teenagers who were naturally affiliated with...
PAUL ROBERTS
That's true, we actually don't know.
YELISEY BOGUSLAVSKIY
I need to say though, we're definitely at AdvIntel, we have tracked cases originating from Iran and most likely hackers were affiliated with Iran and State just based on the targeting on the target selection that they had specifically related to some information related to military blueprints, to navy blueprints and they were applying a very similar methodology of bypassing to overloading the user MFA, so to speak. I completely agree with you. This is very concerning and I think that was something that has been silently going for years with the ransomware epidemic because initially ransomware was this low end, especially across the Russian-speaking cybercrime community, ransomware was considered something despicable because it's an intellectual shortcut. And then ransomware groups essentially turned to APTs from anything, any standpoint methodologies, but most importantly goals. They stay there like, let's say Conti, which we'll be talking in a minute. Conti has around three weeks of persistency. That's usually how long they spend in the target environment. Quite often it's like less, it's like one week or two weeks. But in specific important cases for them they can stay as long as three, four weeks. And this is exactly the persistency that defines APT. We call them persistent threat for a reason that's in their literal name. And this is definitely a big trend going on for years, that the high profile, high end methodologies are becoming day to day arsenals of this larger, smaller or individual for profit groups. Whereas Lapsus$'s case is not even for profit, it's for attention.
PAUL ROBERTS
So we've seen some recent ops from Lapsus$. Final question. They claimed responsibility for hacking this firm, Globant as well. Is this group gone? Not gone. What is their status? And I know it's really hard to determine that when you have these kind of loose global affiliations of people, but seven people arrested in the UK, but they do still seem to be active.
YELISEY BOGUSLAVSKIY
They create a very noisy public campaign right now through the Dark Web community. Pretty much everybody on the Dark Web now claims that they're part of Lapsus$.
PAUL ROBERTS
I'm part of Lapsus$, actually.
YELISEY BOGUSLAVSKIY
It's so hard. They're pretty much doing the same, what they did with the two phase. But on the information front, they're just overload. And it was noise to a point. When Signal starts losing, and it's really hard to say if, well, some percentage of the group is definitely still active. The challenge for any group like Lapsus$ or like Conti or like any other group like this that relies on persistency, is you can lose two, three talented pen testers and you're essentially done because the main operations will center around these couple of individuals who have this extended skill. We should wait, we should see if they're making any more hits like this. And if they're not, then we can probably judge out that the talented ones, they were either caught or realized that they can be caught. And...
PAUL ROBERTS
It highlights, I think, one of the things that you're very familiar with, which is kind of getting situational awareness with groups that operate online can be very difficult, right? Knowing what to believe, who's for real, who's just a poser, what's noise, what signal. It's a challenge. Okay, so main topic today I think we brought you in to talk about was Conti, a ransomware group that has been around for a number of years, also known as Wizard Spider, Ryuk. They go by a bunch of different names, maybe as far back as 2016, and pretty well known, done some pretty big operations, and yet we're hearing a lot more about them, including a recent alert from CISA, the Cybersecurity and Infrastructure Security Agency here in the US. Why, Yeli, are we hearing so much about Conti right now? What's going on and what's prompting this?
YELISEY BOGUSLAVSKIY
So this is the final results of a way longer trend that has been going on with both county and with the rest of the ransomware world. So to answer shortly to your question, Conti was always very visible, but now everyone else died. So Conti is establishing this dominance by not only being powerful itself, but also by just consuming the vacuum that has been left after so many other groups dying out. And the question here, the other question here is why did they die out? What happened? And as the name of the podcast says, that putting Conti into Context. So the context is that for several years, ransomware was grounded on this ransomware-as-a-service operation. When you have essentially an arched decentralized group of people who just run the same payload and then everything else they do, they do it themselves, they get access to themselves, they deliver the payload themselves, they negotiate the data exfiltration thing themselves. Because we were not prepared just in general at the very beginning, back in 2019, going back to the question of large attack surfaces, we're not prepared for this. They were utilizing the scale impact. They were targeting the ransomware-as-a-service, they were targeting as many vulnerable endpoints as possible. And when you have a large attack surface, you try to hit 1000 RDPs, you get ten and you walk ten companies, that's enough for you. Conti never really followed up this path from the very beginning when they were still Ryuk. First of all, there are two main things about them in this sense it's organization and it's methodology. On organizational side, they were always very corporate, they were very highly organized, hierarchical group in which people were working and are working in teams with specialization, with different divisions. And then on the methodological level, they've never relied on this decentralized way of attack. Instead they formed alliances with larger groups such as Trickbot and Emotet and Cobalt and many many others. But the important ones of course are Trickbot and Emotet and we'll be talking more about them today. So they were forming alliances with those groups and they ended up with a very short supply chain. When you have essentially three elements: Emotet was dropping Trickbot, Trickbot was dropping Ryuk. Now it's Conti, it used to be Ryuk, then 2021 happened and in 2021 we were already pretty much prepared for dealing with ransomware. As a result of that, there was very new approach to security protocols, specifically security compliance and outlets. That has certainly started to shrink because companies on a massive level started to implement proper protection and because ransomware was honestly on the intrusion side, very primitive for most of the groups, even applying basic protection, even by smaller firms, that tremendously shrink that attack surface. And then the new legislation came in, the new support from the government started to come in. The political aspects of ransomware started to come in as well. And firms stopped paying for data as well when this data was not exfiltrated properly, when they just download a bunch of stuff and they're like hey, we have 200GB of your data, pay us. LockBit keeps doing that and they're just not paid, they're going bankrupt. So Conti, because of that, all those ransomware-as-a-service, REvil, Avadon, Darkside, is endless. They just died out in one year and some of them died out through a political impact. Primarily Russians start taking them down, but by the time when they start to have problems with the Russians, those groups were already in a pretty bad condition. And to this point, except for REvil, which were publicly arrested, we actually don't know what happened to those groups. There are a lot of rumors that they were taken down by the Russians, but across the Dark Web there are more realistic rumors saying that they all commuted access scams, which honestly, I think it's way more realistic considering who those people are.
PAUL ROBERTS
That's where you sort of take the money and don't pay your affiliates basically?
YELISEY BOGUSLAVSKIY
Exactly, you just take all the money and you just disappear. And most likely the original are REvil. That's what they did. And Darkside did the same and Blackmatter did the same and Amadon did the same. They just stole the money and disappeared because they realized they cannot conduct business anymore. So Conti was different.
PAUL ROBERTS
And again, you think that's because combination of factors, better defense, more support from governments like the CISA in the US?
YELISEY BOGUSLAVSKIY
I would say two main things, better defenses and very extended, very long supply chain line is decentralized also very low level of sophistication. And you have a bunch of people not working together with different skills, doing different stuff, pretty low level of sophistication. At the end of the day, the army moves with the speed of the slowest element. This is the same here. Those groups operated on the quality of their weakest element. So Conti, going back to them, they were different from the very beginning. And in 2021, they took a very opposite path to all that. They started to be even more centralized. They kicked a lot of people out and those people were something closer to affiliates. And in this sense, the first leaks, especially back in summer, it actually ironically helped them because they just kicked all the affiliates and the affiliates were those who were damping the manuals and everything else and they became even more hierarchical and more highly organized. The second thing is through this hierarchization and centralisation, they simply started to consume other groups. And most importantly, they first consumed TrickBot and recently they just shut it down. And you can imagine how much power once you should have to just shut down one of the most dangerous financial botnets that were there since, I believe 2016 or 2015. And then on the opposite side, they resurrected Emotet, which was down after the law enforcement operations.
PAUL ROBERTS
That's right, yeah, we've seen reporting on that, yeah.
YELISEY BOGUSLAVSKIY
So both Emotet was massive, CISA considered it one of the most dangerous malware strains ever created and the law enforcement operation was also a massive, I believe it was around seven states, seven different nations involved to take immediate down and Emotet was dead for a year. And then suddenly in November, Conti makes an executive decision to resurrect it. And somehow we actually see that they have the organizational power and capacity to resurrect it. And now Emotet is again getting very high percentage in the overall infection statistics of botnets rad ecosystem. But now it's not just a loader that serves for different purposes, it's already all its capabilities are focused on this one spot of deploying the payloads needed for Conti. At this point, it's mostly Cobalt Strike. So to just sum up my thought with this organizational approach, they were able to not only survive, but also thrive. And then on the operational side, when everyone else was just doing random things on the ransomware-as-a-service, I feel it based a pattern when you just find accesses yourselves and whatever you do, you can connect with brokers, the brokers connect to it goes to eternity. Conti instead of that just created an RND division which is currently working on many different projects and they were also the ones who were responsible for reweaponizing Emotet or shutting down TrickBot. Because when you shut down something as big as TrickBot, you suddenly get a lot of free resources and they only start, I feel from our sensitive source, intel, we can say they only start understanding the strategic power and this absolutely unique strategic role that they now have in the threat landscape. And they are aiming to turn to an actual syndicate in a sense that it's not a gang, it's hierarchical business uniting people with the same craft in an organization of highly corporate order. And then the second definition first indicate that it aims for the monopoly and Conti is clearly aiming for the monopoly and the entire ransomware market.
PAUL ROBERTS
You said they're doing research and development right now on what? New malware, new exploits and what should our listeners know about the research that they're doing and how they might prepare for what's coming.
YELISEY BOGUSLAVSKIY
So there are two stories here. One is more like practical mitigation related, and the other one is more like threat landscape related. I will start with the first one. So their current developments are obviously delegated to Emotet a lot. So for mitigation side, any IoCs related to Emotet that should be on high alert since they're putting a lot of emphasis into that. At this point, they are primarily experimenting with just different infection patterns on the spamming side. So Emotet yields them more US based jurisdictions were like English speaking jurisdictions because traditionally Emotet works better in Europe than in North America.
PAUL ROBERTS
And Conti itself has been very mostly focused in North America and Western Europe in terms of its targets.
YELISEY BOGUSLAVSKIY
And they're getting even more focused because since summer they've created an intelligence/contrast espionage division which is very similar to traditional corporate intelligence. So they're reviewing legal frameworks. They are reviewing, we're seeing clear indications that your negotiations, they're now putting a lot of emphasis on legal and regulatory frameworks related to privacy laws in the jurisdiction at which their target is as...
PAUL ROBERTS
As a way to leverage their way.
YELISEY BOGUSLAVSKIY
Exactly.
PAUL ROBERTS
It's not just that we have your data, we also have evidence and now you're in violation of this law.
YELISEY BOGUSLAVSKIY
Yes, exactly. Almost verbatim to what you said. They say check this legal framework because you seem to be violating it and we're here to help you. They're being a really, they tried to sell what they do as a form of product of compliance and data protection.
PAUL ROBERTS
Yes, GDP arm twisting, we can call it.
YELISEY BOGUSLAVSKIY
And they seem to be just feeling more comfortable for just working with the legal jurisdictions within the English speaking world. And obviously for a group that is entirely Russian speaking, of course, for them, working with an English speaking environment is always better. The way you read documents, the way you read network shares, the way you just negotiate with targets, it's definitely more comfortable environment for them. So, redirection of Emotet is one thing, but our call, this is their new initiative, and this is essentially a combination of advanced engineering, advanced social engineering and malicious technologies. This is the reverse of the initiative that had been practiced back by Ryuk back in 2020. So this is a reset of that, it seems. And the current observation is that this is somehow related to extensive use of calls and specifically luring targets into opening malicious attachments with the extensive use of calls.
PAUL ROBERTS
Phone calls we mean.
YELISEY BOGUSLAVSKIY
Phone calls, yes. So anything related to phone calls, which we don't really associate that much with ransomware groups.
PAUL ROBERTS
No, yeah.
YELISEY BOGUSLAVSKIY
That should be also an indicator of high alert. And then on their specific research side, there are four main avenues that are taken. It's Sonic wall phone exploitation. It's petite exploitation different CVEs related to privilege escalation, and then most importantly, Log4j/Log4Shell, with which they're experimenting since December 2021, at least. Pretty much the vulnerability it was discovered. It doesn't seem that they're too successful in any of those experiments at this point, which is good. But the research itself, I think, is very concerning. And then the other story I wanted to tell related to that, related to the Conti RND side, they seem to be understanding that this traditional approach practiced by ransomware groups for the last three years is not leading anywhere. And they're trying to escape this, being locked in a toolbox of traditional methodologies. And keep in mind, Russian speaking actors or Russian speaking ransomware actors are extremely conservative. It would be the same playbook with Cobalt Strike and specific methods of deployment. It will be the same arc loan for data exploitation, would be the same beacons for same playbook for Cobalt Strike, beacons for ransomware deployment, et cetera, et cetera. So they seem to be really tired of this pattern in which you religiously just repeat the same and the same in the same thing. And obviously, for a landscape that is developing so rapidly, ransomware at its current shape, it is only for like three years, essentially, let's say four years. For such a dynamically woven world, you just cannot afford doing this repetitivity. So what Concierge is strategically looking for is to dive into something new, ideally something set from scratch. And it looks like what they're doing more on the personal initiatives of some of their members. They're engaging other groups with supporting them with their initial accesses. At AdvIntel, we constantly see cases in which you have a precursor that is exclusive to Conti and then suddenly that act starts to develop somewhere at a different spot in a ransomware group, like Caracort or BlackBite or BlackCat. They all have the same interest in black pattern, by the way, because even Caracort, that in Kazakh means caracort is the spider from the step, I know that Cara means black and Turkish, Turkish related languages. So they have the same pattern. And we believe it's...
PAUL ROBERTS
Like a branding thing almost, yeah.
YELISEY BOGUSLAVSKIY
But it may be a branding thing. So with BlackCat specifically, they started to engage with them, giving them offering them initial accesses initials. And it looks like what they're doing. So they're looking at BlackCat and BlackCat, also known as alphabee, their main model is centered all around, being operating from scratch like no previous methodologies. They wrote their locker on Rust rather than C. They only use self scripted, self written, customized offensive tool, no litre tool, pen tester tools like Cobalt Strike.
PAUL ROBERTS
Right. We would call Bespoke. It's all created just on its own.
YELISEY BOGUSLAVSKIY
Yeah, exactly. And it looks like Conti is looking at it and they're like, oh, that's exactly the tool set that we need and someone already developed it for us. And it feels at this point, just like, judging by the intel we have, it seems at this point that they're trying to give them accesses on a personal level in order to get better visibility into their tool set into their arsenal and use it for their own purposes. So basically what the story means is by 2022, and I think this is really illustrated for how fundamental this year will become for us. Ransomware already became so sophisticated and corporate that they're conducting literal industrial espionage against other ransomware groups. And this is not something like we have not seen it ever. This is something like so new. And this is especially fascinating. And actually there are a lot of things that can be said in this context about BlackCat dependent on our time frame. I can have more stories on that.
PAUL ROBERTS
When we talk about Conti, you know, taking on BlackCat or Emotet or TrickBot, these are other, in theory, independent malware groups or botnet groups. So they're development organizations, right. What's going on behind the scenes when you see again, a group like Conti all of a sudden throw in big time behind a piece of malware like Emotet? Is that mostly about directing development resources towards basically an open source project? Or is it about kind of an aqua-hire where they'll go out and say, listen, we'll pay you to keep doing what you're doing, but we've got our own kind of product development map here and we want you to follow that, or is it more hostile? We're literally taking over the code base and turning it to our own ends.
YELISEY BOGUSLAVSKIY
I think it's both. A lot of this depends on, again, organization here is everything. A lot of this depends on personal connections. So with TrickBot, Conti had since it was still Ryuk, they all knew each other in real life. Those groups were again, because they were so highly organized, they were able to afford essentially some offline activity, pretty extensive offline activity as we have seen judging by the recent Conti leaks. So there was not much hostility at all with the TrickBot. With Emotet it was more complicated because it was also offline background there as well. But that background came through TrickBot and here from what we can judge at this point, it was more unilateral. It was like you're dead in any case we're your last chance. Okay, you don't really have a choice here...
PAUL ROBERTS
Right, kind of like throwing them a lifeline, which means funding and money, right? Yeah. Okay. So you mentioned a couple of times the leaks. There have been a string of leaks. With Conti they had an affiliate that spilled some internal documentation, quite detailed documentation on how affiliates should be operating. There were definitely some security teams that were like damn, I'd like that guys to get documentation acted. There were some internal chats leaked and then more recently in the wake of the Russia invasion of Ukraine, there was a whole lot of chats leaked apparently by a Ukrainian subsidiary within Conti who was unhappy that the group had kind of signaled support for the Russian invasion. What did we learn from those leaks? And given that there was so much information about the group's operations that spilled into the public domain, why haven't we arrested them or shut down this group more effectively with so much known about it?
YELISEY BOGUSLAVSKIY
Well, as with any major cyber takedown, to take someone down you need to imply physical force and that's only possible when you have the jurisdiction that allows you to do that.
PAUL ROBERTS
Right.
YELISEY BOGUSLAVSKIY
And Conti is now, is not basing themselves in any of those jurisdictions, even though probably around 50% of the group are Ukrainians ethnically. Interesting enough, we have secondary intelligence suggestion that one of the leaders who was behind the statement that provoked everything that Conti supports Russia. They are likely from eastern Ukraine. There are three sides in this Conti conflict...
PAUL ROBERTS
Really complicated.
YELISEY BOGUSLAVSKIY
Very complicated as the actual conflict weighed in on actual life. So they're just not basing themselves in the jurisdictions in which it's possible. Also, we definitely learned a lot about the organization and the structure and the internal process in there. But this kind of knowledge, this kind of intelligence does not always transcends into action. When you know a lot about the enemy, let's say about their armed forces having this specific tanks, you still need to destroy these tanks if you are in act of war with them. That's pretty much same thing.
PAUL ROBERTS
As you were saying, one of the things that Conti and other ransomware groups do, they're attacking layer eight, they're attacking people either via fishing or multi factor authentication bombing or whatever, and it's just very hard to be 100% accurate or 100% effective in keeping your employees from making a small mental error.
YELISEY BOGUSLAVSKIY
Absolutely. And also, I think when we talk about take downs, let's say, with our country, with what our law enforcement can do, and CISA specifically, I believe, has a very clear understanding that Conti is a group of extremely high resilience, and if you try to take them down and you do something wrong, they can actually reappear more dangerous, more evil, and even more damaging to some extent. That was something that happened with TrickBot when there was an attempt to take it down in November 2020. And we could not call it a failure in any sense because there was a massive exposure of TrickBot IoCs. And after this attack, TrickBot never fully recovered. And the fact that it was taken down recently within the Conti leadership was justified exactly by this exposure of biases and high detection, which resulted directly from the law enforcement operation back in November 2020. But at the same time, as a response, first of all, the entire TrickBot section, they were still independent at that point. They went down, they started to be quiet, and they came up with a very nasty, stealthier version of TrickBot, which was Bazaar backdoor and then Bazaar Loader. That kind of serve them also a good service. And I think the law enforcement, the state security agencies here in America, at least, they have enough of deep understanding of how resilient Conti is and that you need to be sure 100% that you kill it with one shot. Otherwise, it will just multiply and become more dangerous than it used to be.
PAUL ROBERTS
Hey, Yeli, do you have time for a few questions from our audience? I know we have a few that have been posed. And, folks, if you're listening, use the Q&A feature if you want to ask questions of your own. We're inviting Carolynn on to help us with the audience questions. Hey, Carolynn.
CAROLYNN VAN ARSDALE
Hi, everybody. My name is Carolynn. I'm a Cyber Content Creator at ReversingLabs. I'm excited to be here today because we do have some questions that we should get started with, if that's all right. So I know that we already talked about Emotet in this conversation, but we do have a question about it. So, pertaining to Emotet, in your opinion, is the botnet back to full strength since the January 2021 disruption? And how does that factor into Conti?
YELISEY BOGUSLAVSKIY
Let's say this, it's not as prolific from a sense of scale as it used to be, so it's not affecting as many organizations as used to. However, because it's so much focused, it's so much geared now, it's more strong. It's the extensiveness versus the intensity. And Emotet became way more intense in a sense that instead of dropping a bunch of different malware strains, a lot of which were not that good when Emotet was very large. Now it's primarily dropping Cobalt Strike. And if previously Emotet attack, Emotet infection can not be noticed simply it because it doesn't lead to anywhere these days. It will most likely lead to direct Conti attack or to an attack of any other group with which Conti shares their initial accesses. There are quite a few. So the scale dropped, but the potential ripple effects of an Emotet infection increased tremendously, specifically because now it's an exclusive Conti tool and not just some neutral loaders of service as it used to be.
CAROLYNN VAN ARSDALE
Right. It's definitely something that they've monopolized, for sure. Thank you. So let's get on to the next question. It's about REvil. So what are your thoughts on the arrest of REvil members on January 14, 2022 by the Russian Federal Security Service, the FSB, as the suspects aren't likely to be extradited by the Russian government. Do you view this as simply done to placate the US government prior to the existing conflict? Is it likely that REvil will return in another form, in your opinion?
YELISEY BOGUSLAVSKIY
I don't believe REvil can return just because their model is not sustainable anymore. They will not be able to handle the competition with someone like Conti, let's say. Also they have a very dark reputation by this point, like a lot of people, especially on the talented affiliate side, a lot of people are confident that REvil are just scammers. As for the arrests, our version at AdvIntel is that this was mostly related to strengthening the grip on cryptocurrency because every major takedown that was very similar with Avadon just disappearing. And we had a lot of evidence from the Dark Web chatter suggesting that Avadon was threatened by the federal security barrier. Each time there is a major arrest or arrest on a group, it somehow correlates with the major legislation strengthening the government grip in Russia on anything related to cryptocurrencies. And most likely this harshening of this grip was related to the government preparing for the war because obviously the war they knew will provoke sanctions. I don't think they estimated the scale of sanctions, but they definitely provoke sanctions. And then sanctions will provoke people withdrawing funds. And cryptocurrency is a very good way of withdrawing funds. So they started to take down those groups who were good at cryptocurrency because they wanted to make the greed harsher before the war. And the timing here, I think, is very illustrative. REvil was taken down months before the war began.
PAUL ROBERTS
Really interesting. So it was really more about controlling the money supply in some ways. And yeah, interesting.
YELISEY BOGUSLAVSKIY
You could see that actually with REvil, you could see that in the Criminal Code Article at which they were prosecuted. That's related not to cybercrime. That's actually related to how they call it, illicit transfer of funds.
PAUL ROBERTS
Money laundering, we would say here.
YELISEY BOGUSLAVSKIY
Yeah, and money laundering in Russian code of law. That's actually the same article. So they were not arrested for hacking they were arrested for transferring money in not a proper manner.
PAUL ROBERTS
Any more questions? Carolynn?
CAROLYNN VAN ARSDALE
Yes we do have one last question related to the Conti leaks. How did the leaks affect Conti syndicate operations, considering that they continue to publish victims on their leak site? I know we touched on that, just about 20 this week, according to the person who asked this question.
YELISEY BOGUSLAVSKIY
Conti yesterday when I used a representative on one of the ransomware forums and they literally said this, they said that like, hey, we're posting things on the website, why do you think we're down? Unfortunately, one big issue with Conti is that each time they have a leak, they keep going and the leaks are not terminating their operations, if not making them even stronger. And that's really unfortunate because we keep seeing these leaks by this time like each three months, and then the group keeps prospering. I think they even benefited to some extent from the leagues because that way they resolved any potential ramifications over the war for them. What we see at this point with the dark web chatter is that Conti had a very strong cohesion between the Ukrainian, East Ukrainian and Russian members and a lot of groups. They stated internally that we are with each other and we will support each other and we will help each other out, especially those who's family affected by the warfare, and we'll unite and stand stronger to some extent. That was actually the message they tried to say when they tried to revoke the message from one of those leaders who stated the allegiance with Russia. So with leaks, unfortunately, one of the things is that a huge proportion of the leaks were related to the TrickBot operation, which shut down in any case. So unfortunately it was a really good timing for Conti that the segment of the organization that has been most affected, the division that has been most affected, was closed several weeks before the leaks happened and unfortunately we don't see a major damage made for them. That being said, it makes us stronger because knowing the enemy is always a very important benefit you have in building your defense or in building your offense. So that's still good.
PAUL ROBERTS
Final question for our listeners. In terms of defending against groups like Conti, what are your recommendations? What are some things they can do to just improve their security posture?
YELISEY BOGUSLAVSKIY
I'm a proponent of the idea that addressing the basic defenses is most effective against contemporary ransomware groups because at this point they still continue to exploit the large attack surfaces rather than go with targeted hits. So one of the best advices would be check the FBI website. They have amazingly well written recommendations about everything, starting from backups and then with network segmentation. Specifically for Conti, definitely IoCs related to Emotet. Any IoCs related to Cobalt Strike, they will keep repetitively using it for a bit at least. Definitely Log4j patching, Log4Shell patching, maybe preemptive out for Sonic Walls exploit. Anything related to RMM (remote management software). Conti is very focused on trying to weaponize the legitimate tool Atera, remote desktop protocol tools. Anadaska, obviously, Zoho is the new one they start experimenting with. Interesting, RMMnesia was the other tool they were discussing internally. So anything related to the RMM tools at this point, the internal protection with a lot of this legitimate RMM software is pretty good itself. But again, we're talking about a very sophisticated group and then definitely audit related to backups. Conti specifically targets VM for admin account. Admin account backup removal VM has been influenced patching after the contemporary discovery was done. But it's always good to double check. So for Conti specifically, those would be specific recommendations. But in general, everything that addresses your basic defenses, EDR, endpoint protection, just basic security hygiene, this is really effective with these type of groups.
PAUL ROBERTS
Yelisey Boguslavskiy, thank you so much for coming on and speaking to us on ConversingLabs. It's been great to have you in, and we'll definitely do it again.
YELISEY BOGUSLAVSKIY
Thank you so much.
PAUL ROBERTS
It's been great talking to you. Carolynn, thanks so much once again for your help.
CAROLYNN VAN ARSDALE
Of course, and thank you to everybody who asked questions today.
PAUL ROBERTS
Absolutely. We'll be back in a couple of weeks with another episode, so stay tuned. Check your email box. We'll be sending you emails when we're ready to come live again. Thanks so much. Yelisey, thanks, have a good one.