Working for a ransomware group is as boring as a traditional job


The choice between on-site, hybrid and remote work, a human resources team with a strict hiring process, performance reviews, career progression and bonuses… all this sounds like the standard setup of a software development company.

Yet this is not about the working conditions of a software development company, but about those of Conti, a major ransomware group responsible for a series of high-profile incidents around the world, including cyberattacks that have disrupted businesses, hospitals and even government agencies.

Conti supports Russia

Last month, the Conti Group, which many cybersecurity experts believe operates from Russia, backed the Russian invasion of Ukraine. But that support annoyed one individual, who then leaked months of internal Conti discussions, providing inside information about the day-to-day operations of one of the most prolific ransomware groups on the planet.

And while Conti’s actions – hacking into networks, encrypting files and demanding multimillion-dollar ransoms for a decryption key – can have a dramatic impact on the organizations that fall victim to them, the leaks paint a relatively mundane picture of an organization made up of coders, testers, system administrators, HR staff and other employees.

Researchers were able to identify a range of different functions within the organization: an HR team in charge of recruiting new employees, malware coders, testers, “cryptographers” – who work on protecting the code – system administrators who set up the attack infrastructure, the group’s offensive team, who aim to turn an initial breach into a complete takeover of the targeted network, and the negotiation staff who try to reach an agreement with the victims.

Some “employees” don’t know they are involved in criminal activity

Many of those involved with Conti become so through advertisements on underground dark web forums. But some are approached through more traditional means, such as Russian recruitment sites, headhunting services and word of mouth. Like any other hiring process, candidates are interviewed to ensure they have the right skills and are a good fit for the group.

According to analysis of the leaks by cybersecurity researchers at Check Point, some people recruited by Conti do not even know that they work for a cybercriminal group, at least at first. The leaks suggest that some of those called in for interviews are being told that they help develop software for penetration testing.

A leaked conversation reveals that a member of Conti’s team, who unlike everyone else in the group mentions his real name, didn’t know what the software he was working on actually did, nor why the people he worked with tried so hard to protect their identities.

In this case, his manager tells the employee that he is helping build the back end of analytics software. And this is not an isolated case: many members of the Conti group do not seem to understand that they are involved in cybercrime.

A daily life similar to that of a traditional employee

“Dozens of employees were hired through legitimate job postings and not through underground forums. It’s hard to say how many of them don’t understand what they’re doing at all, but many of them certainly don’t understand the real scope of the operation and what exactly their employer is doing,” Sergey Shykevich, head of the threat intelligence group at Check Point Software, tells ZDNet.

Sometimes these unwitting accomplices later find out what they helped build. In these cases, managers try to reassure their employees by offering them a salary increase. Many choose to stay, drawn by the lucrative nature of the work.

While most of the roles are purely online, Conti’s discussions reveal that it’s not uncommon for group members to work in offices and coworking spaces in different cities across Russia. Once again, the chats reveal some of the day-to-day events and incidents that employees face – for example, someone sent messages asking co-workers to let him in because a door was blocked from the outside.

Valuable insight into how ransomware works

The leaks have provided cybersecurity researchers with valuable insight into how one of the world’s most notorious ransomware groups operates, as well as the tools and techniques it uses to extort ransoms from its victims.

But however embarrassing it is for a ransomware group to have so much internal data leaked – especially since one of Conti’s main tactics is to threaten to release stolen data if victims don’t pay the ransom – this is unlikely to be the end of the group, which continues to post information about new victims.

Some employees might leave, but even for those who joined unwittingly, the lure of a reliable income might be enough to entice them to stay, especially as sanctions against Russia could restrict their other job opportunities.

“I don’t see how they could completely cease their activities,” said Sergey Shykevich. “The availability of potential positions in the Russian tech sector for spyware developers and testers has become much lower, so I think even unwitting employees who now understand what they are doing will turn to cybercrime, because it will be difficult for them to find legitimate employment.”

Ransomware remains a major threat

Ransomware remains a major cybersecurity threat that can significantly disrupt organizations of all kinds. The best defense against ransomware is to make the network as resistant to intrusion as possible, with appropriate security controls in place, including the use of multi-factor authentication across the network.

It’s also essential that companies apply security updates and patches for known software vulnerabilities as soon as possible, as these, along with weak usernames and passwords, are among the main entry points exploited to launch ransomware attacks.

Source: ZDNet.com
