Tag Archive for: Cyber

A Closer Look at the LAPSUS$ Data Extortion Group

Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

First surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made headlines more recently for posting screenshots of internal tools tied to a number of major corporations, including NVIDIA, Samsung, and Vodafone.

On Tuesday, LAPSUS$ announced via its Telegram channel it was releasing source code stolen from Microsoft. In a blog post published Mar. 22, Microsoft said it interrupted the LAPSUS$ group’s source code download before it could finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their Telegram channel before the download could complete.

One of the LAPSUS$ group members admitted on their Telegram channel that the Microsoft source code download had been interrupted.

“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft wrote. “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

While it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice. Microsoft says LAPSUS$ — which it boringly calls “DEV-0537” — mostly gains illicit access to targets via “social engineering.” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

“Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners),” Microsoft wrote. The post continues:

“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”

The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft points to an ad LAPSUS$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms and call centers.

Sources tell KrebsOnSecurity that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile and Verizon up to $20,000 a week to perform “inside jobs.”

LAPSUS$ leader Oklaqq a.k.a. “WhiteDoxbin” offering to pay $20,000 a week to corrupt employees at major mobile providers.

Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal.

“LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts—it operates solely via Telegram and email,” Flashpoint wrote in an analysis of the group. “LAPSUS$ appears to be highly sophisticated, carrying out increasingly high-profile data breaches. The group has claimed it is not state-sponsored. The individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities.”

Microsoft said LAPSUS$ has been known to target the personal email accounts of employees at organizations they wish to hack, knowing that most employees these days use some sort of VPN to remotely access their employer’s network.

“In some cases, [LAPSUS$] first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems,” Microsoft wrote. “Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.”

In other cases, Microsoft said, LAPSUS$ has been seen calling a target organization’s help desk and attempting to convince support personnel to reset a privileged account’s credentials.

“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” Microsoft explained. “Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

LAPSUS$ recruiting insiders via its Telegram channel.

SIM-SWAPPING PAST SECURITY

Microsoft said LAPSUS$ also has used “SIM swapping” to gain access to key accounts at target organizations. In a fraudulent SIM swap, the attackers bribe or trick mobile company employees into transferring a target’s mobile phone number to their device. From there, the attackers can intercept any one-time passwords sent to the victim via SMS or phone call. They can also then reset the password for any online account that allows password resets via a link sent over SMS.

“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote.

Allison Nixon is chief research officer at Unit 221B, a cybersecurity consultancy based in New York that closely tracks cybercriminals involved in SIM-swapping. Working with researchers at security firm Palo Alto Networks, Nixon has been tracking individual members of LAPSUS$ prior to their forming the group, and says the social engineering techniques adopted by the group have long been abused to target employees and contractors working for the major mobile phone companies.

“LAPSUS$ may be the first to make it extremely obvious to the rest of the world that there are a lot of soft targets that are not telcos,” Nixon said. “The world is full of targets that are not used to being targeted this way.”

Microsoft says LAPSUS$ also has been known to gain access to victim organizations by deploying the “Redline” password-stealing malware, searching public code repositories for exposed passwords, and purchasing credentials and session tokens from criminal forums.

That last bit is interesting because Nixon said it appears at least one member of LAPSUS$ also was involved in the intrusion at game maker Electronic Arts (EA) last year, in which extortionists demanded payment in exchange for a promise not to publish 780 GB worth of source code. In an interview with Motherboard, the hackers claimed to have gained access to EA’s data after purchasing authentication cookies for an EA Slack channel from a dark web marketplace called Genesis.

“The hackers said they used the authentication cookies to mimic an already-logged-in EA employee’s account and access EA’s Slack channel and then trick an EA IT support staffer into granting them access to the company’s internal network,” wrote Catalin Cimpanu for The Record.

Why is Nixon convinced LAPSUS$ was behind the EA attack? The “WhiteDoxbin/Oklaqq” identity referenced in the first insider recruitment screenshot above appears to be the group’s leader, and it has used multiple nicknames across many Telegram channels. However, Telegram lumps all aliases for an account into the same Telegram ID number.

Back in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as “@breachbase.” News of EA’s hack last year was first posted to the cybercriminal underground by the user “Breachbase” on the English-language hacker community RaidForums, which was recently seized by the FBI.

WHO IS LAPSUS$?

Nixon said WhiteDoxbin — LAPSUS$’s apparent ringleader — is the same individual who last year purchased the Doxbin, a long-running, text-based website where anyone can post the personal information of a target, or find personal data on hundreds of thousands who have already been “doxed.”

Apparently, Doxbin’s new owner failed to keep the site functioning smoothly, because top Doxbin members had no problems telling WhiteDoxbin how unhappy they were with his stewardship.

“He wasn’t a good administrator, and couldn’t keep the website running properly,” Nixon said. “The Doxbin community was pretty upset, so they started targeting him and harassing him.”

Nixon said that in January 2022, WhiteDoxbin reluctantly agreed to relinquish control over Doxbin, selling the forum back to its previous owner at a considerable loss. However, just before giving up the forum, WhiteDoxbin leaked the entire Doxbin data set (including private doxes that had remained unpublished on the site as drafts) to the public via Telegram.

The Doxbin community responded ferociously, posting on WhiteDoxbin perhaps the most thorough dox the community had ever produced, including videos supposedly shot at night outside his home in the United Kingdom.

According to the denizens of Doxbin, WhiteDoxbin started out in the business of buying and selling zero-day vulnerabilities, security flaws in popular software and hardware that even the makers of those products don’t yet know about.

“[He] slowly began making money to further expand his exploit collection,” reads his Doxbin entry. “After a few years his net worth accumulated to well over 300BTC (close to $14 mil).”

WhiteDoxbin’s Breachbase identity on RaidForums at one point in 2020 said they had a budget of $100,000 in bitcoin with which to buy zero-day flaws in Github, Gitlab, Twitter, Snapchat, Cisco VPN, Pulse VPN and other remote access or collaboration tools.

“My budget is $100000 in BTC,” Breachbase told Raidforums in October 2020. “Person who directs me to someone will get $10000 BTC. Reply to thread if you know anyone or anywhere selling this stuff. NOTE: The 0day must have high/critical impact.”

KrebsOnSecurity is not publishing WhiteDoxbin’s alleged real name because he is a minor (currently aged 17), and because this person has not officially been accused of a crime. Also, the Doxbin entry for this individual includes personal information on his family members.

Nixon said that prior to launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group calling itself the “Recursion Team.” According to the group’s now-defunct website, they mostly specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

“The team is made up of Cyber-enthusiasts who major in skills including security penetration, software development, and botting,” reads the now-defunct Recursion Team website. “We plan to have a bright future, and we hope you do too!”

‘Spam Nation’ Villain Vrublevsky Charged With Fraud

Pavel Vrublevsky, founder of the Russian payment technology firm ChronoPay and the antagonist in my 2014 book “Spam Nation,” was arrested in Moscow this month and charged with fraud. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes, and facilitated money laundering for Hydra, the largest Russian darknet market. But according to information obtained by KrebsOnSecurity, it is equally likely Vrublevsky was arrested thanks to his propensity for carefully documenting the links between Russia’s state security services and the cybercriminal underground.

An undated photo of Vrublevsky at his ChronoPay office in Moscow.

ChronoPay specializes in providing access to the global credit card networks for “high risk” merchants — businesses involved in selling services online that tend to generate an unusually large number of chargebacks and reports of fraud, and hence have a higher risk of failure.

When I first began writing about Vrublevsky in 2009 as a reporter for The Washington Post, ChronoPay and its sister firm Red & Partners (RNP) were earning millions setting up payment infrastructure for fake antivirus peddlers and spammers pimping male enhancement drugs.

Using the hacker alias “RedEye,” the ChronoPay CEO oversaw a burgeoning pharmacy spam affiliate program called Rx-Promotion, which paid some of Russia’s most talented spammers and virus writers to bombard the world with junk email promoting Rx-Promotion’s pill shops. RedEye also was the administrator of Crutop, a Russian language forum and affiliate program that catered to thousands of adult webmasters.

In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top affiliates to launch a distributed denial-of-service (DDoS) attack against a competitor that shut down the ticketing system for the state-owned Aeroflot airline.

Following his release from jail, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.

According to Russian prosecutors, the scam went like this: Consumers would receive an SMS with links to sites that falsely claimed a number of well-known companies were sponsoring drawings and lotteries for people who enrolled or agreed to answer surveys. All who responded were told they were winners, but also that they had to pay a commission to pick up the prize. That scheme allegedly stole 500 million rubles (~ USD $4.5 million) from over 100,000 consumers.

There are scant public records that show a connection between ChronoPay and HPay, apart from the fact that the latter’s website — hpay[.]io — was originally hosted on the same server (185.180.196.74) along with a handful of other domains, including Vrublevsky’s personal website rnp[.]com.

But then earlier this month, KrebsOnSecurity received a large amount of information that was stolen from ChronoPay recently when hackers managed to compromise the company’s Confluence server. Confluence is a web-based corporate wiki platform, and ChronoPay used their Confluence installation to document in exquisite detail how it creatively distributes the risk associated with high-risk processing by routing transactions through a myriad of shell companies and third-party processors.

A Google-translated snippet of the hacked ChronoPay Confluence installation. Click to enlarge.

Incredibly, Vrublevsky himself appears to have used ChronoPay’s Confluence wiki to document his entire 20+ years of personal and professional history in the high-risk payments space, including the company’s most recent forays with HPay. The latest document in the hacked archive is dated April 2021.

These diary entries, interspersed between highly technical how-tos, are all written in Russian and in the third person. But they are unmistakably Vrublevsky’s words: Some of the elaborate stories in the wiki were identical to theories that Vrublevsky himself espoused to me throughout hundreds of hours of phone interviews. Also, in some of the entries the narrator switches from “he” to “I” when describing the actions of Vrublevsky.

Vrublevsky’s memoire/wiki invokes the nicknames and real names of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), the successor agency to the Soviet KGB. In several diary entries, Vrublevsky writes about various cybercriminals and Russian law enforcement officials involved in processing credit card payments tied to online gambling sites.

Russian banks are prohibited from processing payments for online gambling, and as a result many online gaming sites catering to Russian speakers have chosen to process credit card payments through Ukrainian financial institutions.

That’s according to Vladislav “BadB” Horohorin, the convicted cybercriminal who shared the ChronoPay Confluence data with KrebsOnSecurity. In February 2017, Horohorin was released after serving four years in a U.S. prison for his role in the 2009 theft of more than $9 million from RBS Worldpay.

Horohorin said Vrublevsky has been using his knowledge of the card processing networks to extort people in the online gambling industry who may run afoul of Russian laws.

“Russia has strict regulations against processing for the gambling business,” Horohorin said. “While Russian banks can’t do it, Ukrainian ones can, so we have Ukrainian banks processing gambling and casinos, which mostly Russian gamblers use. What Pavel does is he blackmails those Ukrainian banks using his connections and knowledge. Some pay, some don’t. But some people are not very tolerant of that kind of abuse.”

A native of Donetsk, Ukraine, Horohorin told KrebsOnSecurity he hacked and shared the ChronoPay Confluence installation because Vrublevsky had threatened a family member. Horohorin believes Vrublevsky secretly operated the “bad bank” channel on Telegram, which calls attention to online gambling operations that are violating Visa and MasterCard regulations (violations that can bring the violator hundreds of thousands of dollars in fines).

“Pavel scrupulously wrote his diary for a long time, and there is a lot of information on the people he knows,” Horohorin told KrebsOnSecurity. “My understanding is he wrote this in order to blackmail people later. There is a lot of interesting stuff, a lot of names and a lot of very intimate info about Russian card processing market, as well as Pavel’s own escapades.”

ChronoPay’s hacked Confluence server contains many diary entries about major players in the Russian online gambling and bookmaking industries.

Among the escapades recounted in the ChronoPay founder’s diaries are multiple stories involving the self-proclaimed “King of Fraud!” Aleksandr “Nastra” Zhukov, a Russian national who ran an advertising fraud network dubbed “Methbot” that stole $7 million from publishers through bots made to look like humans watching videos online.

The journal explains that Zhukov lived with a ChronoPay employee and had a great deal of interaction with ChronoPay’s high-risk department, so much so that Zhukov at one point gave Vrublevsky a $100,000 jeweled watch as a gift. Zukhov was arrested in Bulgaria in 2018 and extradited to the United States. Following a jury trial in New York that ended last year, Zhukov was sentenced to 10 years in prison.

According to the Russian news outlet Kommersant, Vrublevsky and company operated “Inferno Pay,” a payments portal that worked with Hydra, the largest Russian darknet market for illicit goods, including drug trafficking, malware, and counterfeit money and documents.

Inferno Pay, a cryptocurrency and payment API allegedly operated by the ChronoPay CEO.

“The services of Inferno Pay, whose commission came to 30% of the transaction, were actively used by online casinos,” Kommersant wrote on Mar. 12.

The drama surrounding Vrublevsky’s most recent arrest is reminiscent of events leading up to his imprisonment nearly a decade ago, when several years’ worth of ChronoPay internal emails were leaked online.

Kommersant said Russian authorities also searched the dwelling of Dmitry Artimovich, a former ChronoPay director who along with his brother Igor was responsible for running the Festi botnet, the same spam botnet that was used for years to pump out junk emails promoting Vrublevsky’s pharmacy affiliate websites. Festi also was the botnet used in the DDoS attack that sent Vrubelvsky to prison for two years in 2013.

Artimovich says he had a falling out with Vrublevsky roughly five years ago, and he’s been suing the company ever since. In a message to KrebsOnSecurity, Artimovich said while Vrublevsky was involved in a lot of shady activities, he doubts Vrublevksy’s arrest was really about SMS payment scams as the government claims.

“I do not think that it was a reason for his arrest,” Artimovich said. “Our law enforcement usually don’t give a shit about sites like this. And I don’t think that Vrublevsky made much money there. I believe he angered some high-ranking person. Because the scale of the case is much larger than Aeroflot. Police made search of 22 people. Illegal seizure of money, computers.”

The Hydra darknet market. Image: bitcoin.com

Pro-Ukraine ‘Protestware’ Pushes Antiwar Ads, Geo-Targeted Malware

Researchers are tracking a number of open-source “protestware” projects on GitHub that have recently altered their code to display “Stand with Ukraine” messages for users, or basic facts about the carnage in Ukraine. The group also is tracking several code packages that were recently modified to erase files on computers that appear to be coming from Russian or Belarusian Internet addresses.

The upstart tracking effort is being crowdsourced via Telegram, but the output of the Russian research group is centralized in a Google Spreadsheet that is open to the public. Most of the GitHub code repositories tracked by this group include relatively harmless components that will either display a simple message in support of Ukraine, or show statistics about the war in Ukraine — such as casualty numbers — and links to more information on the Deep Web.

For example, the popular library ES5-ext hadn’t updated its code in nearly two years. But on March 7, the code project added a component “postinstall.js,” which checks to see if the user’s computer is tied to a Russian Internet address. If so, the code broadcasts a “Call for peace:”

A message that appears for Russian users of the popular es5-ext code library on GitHub. The message has been Google-Translated from Russian to English.

A more concerning example can be found at the GitHub page for “vue-cli,” a popular Javascript framework for building web-based user interfaces. On March 15, users discovered a new component had been added that was designed to wipe all files from any systems visiting from a Russian or Belarusian Internet address (the malicious code has since been removed):

Readers complaining that an update to the popular Vue-Cli package sought to wipe files if the user was coming from a Russian IP address.

“Man, I love politics in my APIs,” GitHub user “MSchleckser” commented wryly on Mar. 15.

The crowdsourced effort also blacklisted a code library called “PeaceNotWar” maintained by GitHub user RIAEvangelist.

“This code serves as a non-destructive example of why controlling your node modules is important,” RIAEvangelist wrote. “It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite. To include this module in your code, just run npm i peacenotwar in your code’s directory or module root.”

Alex Holden is a native Ukrainian who runs the Milwaukee-based cyber intelligence firm Hold Security. Holden said the real trouble starts when protestware is included in code packages that get automatically fetched by a myriad of third-party software products. Holden said some of the code projects tracked by the Russian research group are maintained by Ukrainian software developers.

“Ukrainian and non-Ukrainian developers are modifying their public software to trigger malware or pro-Ukraine ads when deployed on Russian computers,” Holden said. “And we see this effort, which is the Russians trying to defend against that.”

Commenting on the malicious code added to the “Vue-cli” application, GitHub user “nm17” said a continued expansion of protestware would erode public trust in open-source software.

“The Pandora’s box is now opened, and from this point on, people who use opensource will experience xenophobia more than ever before, EVERYONE included,” NM17 wrote. “The trust factor of open source, which was based on good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought ‘was the right thing they to do.’ Not a single good came out of this ‘protest.’”

Lawmakers Probe Early Release of Top RU Cybercrook

Aleksei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Image: Andrei Shirokov / Tass via Getty Images.

Aleksei Burkov, a cybercriminal who long operated two of Russia’s most exclusive underground hacking forums, was arrested in 2015 by Israeli authorities. The Russian government fought Burkov’s extradition to the U.S. for four years — even arresting and jailing an Israeli woman to force a prisoner swap. That effort failed: Burkov was sent to America, pleaded guilty, and was sentenced to nine years in prison. But a little more than a year later, he was quietly released and deported back to Russia. Now some Republican lawmakers are asking why a Russian hacker once described as “an asset of supreme importance” was allowed to shorten his stay.

A native of St. Petersburg, Russia, Burkov admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection — a closely guarded online community that attracted some of the world’s most-wanted Russian hackers.

But Burkov’s cybercriminal activities spanned far beyond mere credit card fraud. A 2019 deep dive into Burkov’s hacker alias “K0pa” revealed he also was co-administrator of the secretive Russian cybercrime forum “Mazafaka.” Like DirectConnection, Mazafaka’s member roster was a veritable “Who’s Who?” of the Russian hacker underground, and K0pa played a key role in vetting new members and settling disputes for both communities.

K0pa’s elevated status in the Russian cybercrime community made him one of the most connected malicious hackers ever apprehended by U.S. authorities. As I wrote at the time of Burkov’s extradition, the Kremlin was probably concerned that he simply knew too much about Russia’s propensity to outsource certain activities to its criminal hacker community.

“To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government,” KrebsOnSecurity wrote in 2019. “On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.”

Burkov was arrested in December 2015 on an international warrant while visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States.

When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians imprisoned Israeli citizen Naama Issachar on trumped-up drug charges in a bid to trade prisoners. Nevertheless, Burkov was extradited to the United States in November 2019.

And if there were any doubts Issachar was jailed for use as a political pawn, Russian President Vladimir Putin erased those by pardoning her in January 2020, just hours after Burkov pleaded guilty in the United States.

In June 2020, Burkov was sentenced to nine years in prison. But a little more than a year later — Aug. 25, 2021 — Burkov was released and deported back to Russia. According to a letter (PDF) sent Monday by four Republican House lawmakers to White House National Security Advisor Jake Sullivan, U.S. Immigration and Customs Enforcement (ICE) officials escorted Burkov onto a plane destined for Moscow shortly after his release.

“An ICE spokesperson stated that Burkov is wanted by Russian authorities, and a DOJ spokesperson denied that a prisoner exchange took place,” the letter reads. “The decision to prematurely release Burkov is curious given the lengths to which the U.S. government went to secure Burkov’s arrest.”

The letter, signed by the ranking members of the House Judiciary, Homeland Security, Intelligence and Foreign Affairs committees, demanded to know why Burkov was released prematurely, and whether the U.S. received anything in return. The lawmakers also asked for a list of all Russian nationals convicted of crimes in the U.S. who were released early since President Biden took office.

Records show Burkov was in the custody of either Israeli or U.S. authorities for almost five years prior to his sentencing in 2020. At the time of his release, Burkov had already been incarcerated for nearly six years. So where did the other years of his sentence go?

That remains unclear, but it is possible he cut some sort of deal to lessen his sentence. On June 16, 2021, a “sealed pleading” was added to Burkov’s court record, followed by a sealed document entered on Aug. 18 — a week before Burkov’s deportation.

The motion to seal these and other documents related to the pleading was made by U.S. federal prosecutors, and those documents remain hidden from public viewing.

Report: Recent 10x Increase in Cyberattacks on Ukraine

As their cities suffered more intense bombardment by Russian military forces this week, Ukrainian Internet users came under renewed cyberattacks, with one Internet company providing service there saying they blocked ten times the normal number of phishing and malware attacks targeting Ukrainians.

John Todd is general manager of Quad9, a free “anycast” DNS platform. DNS stands for Domain Name System, which is like a globally distributed phone book for the Internet that maps human-friendly website names (example.com) to numeric Internet addresses (8.8.4.4.) that are easier for computers to manage. Your computer or mobile device generates DNS lookups each time you send or receive an email, or browse to a webpage.

With anycast, one Internet address can apply to many servers, meaning that any one of a number of DNS servers can respond to DNS queries, and usually the one that is geographically closest to the customer making the request will provide the response.

Quad9 insulates its users from a range of cyberattacks by blocking DNS requests for known-bad domain names, i.e., those confirmed to be hosting malicious software, phishing websites, stalkerware and other threats. And normally, the ratio of DNS queries coming from Ukraine that are allowed versus blocked by Quad9 is fairly constant.

But Todd says that on March 9, Quad9’s systems blocked 10 times the normal number of DNS requests coming from Ukraine, and to a lesser extent Poland.

Todd said Quad9 saw a significant drop in traffic reaching its Kyiv POP [point of presence] during the hostilities, presumably due to fiber cuts or power outages. Some of that traffic then shifted to Warsaw, which for much of Ukraine’s networking is the next closest significant interconnect site.

Quad9’s view of a spike in malicious traffic targeting Ukrainian users this week. Click to enlarge.

“While our overall traffic dropped in Kyiv — and slightly increased in Warsaw due to infrastructure outages inside of .ua — the ratio of (good queries):(blocked queries) has spiked in both cities,” he continued. “The spike in that blocking ratio [Wednesday] afternoon in Kyiv was around 10x the normal level when comparing against other cities in Europe (Amsterdam, Frankfurt.) While Ukraine always is slightly higher (20%-ish) than Western Europe, this order-of-magnitude jump is unprecedented.”

Quad9 declined to further quantify the data that informed the Y axis in the chart above, but said there are some numbers the company is prepared to share as absolutes.

“Looking three weeks ago on the same day of the week as yesterday, we had 118 million total block events, and of that 1.4 million were in Ukraine and Poland,” Todd said. “Our entire network saw yesterday on March 9th 121 million blocking events, worldwide. Of those 121 million events, 4.6 million were in Ukraine and Poland.”

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco that is one of several sponsors of Quad9. Woodcock said the spike in blocked DNS queries coming out of Ukraine clearly shows an increase in phishing and malware attacks against Ukrainians.

“They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure,” Woodcock said.

Both Todd and Woodcock said the smaller spike in blocked DNS requests originating from Poland is likely the result of so many Ukrainians fleeing their country: Of the two million people who have fled Ukraine since the beginning of the Russian invasion, more than 1.4 million have made their way to Poland, according to the latest figures from the United Nations.

The increase in malicious activity detected by Quad9 is the latest chapter in an ongoing series of cyberattacks against Ukrainian government and civilian systems since the outset of the war in the last week of February.

As Russian military tanks and personnel began crossing the border into Ukraine last month, security experts tracked a series of destructive data “wiper” attacks aimed at Ukrainian government agencies and contractor networks. Security firms also attributed to Russia’s intelligence services a volley of distributed denial-of-service (DDoS) attacks against Ukrainian banks just prior to the invasion.

Thus far, the much-feared large scale cyberattacks and retaliation from Russia haven’t materialized (for a counterpoint here, see this piece from The Guardian). But the data collected by Quad9 suggest that a great deal of low-level cyberattacks targeting Ukrainians remain ongoing.

It is unclear to what extent — if any — Russia’s vaunted cyber prowess may be stymied by mounting economic sanctions enacted by both private companies and governments. In the past week, two major backbone Internet providers said they would stop routing traffic for Russia.

Earlier today, the London Internet Exchange (LINX), one of the largest peering points where networks around the world exchange traffic, said it would stop routing for Russian Internet service providers Rostelecom and MegaFon. Rostelecom is Russia’s largest ISP, while MegaFon is Russia’s second-largest mobile phone operator and third largest ISP.

Doug Madory, director of research for Internet infrastructure monitoring firm Kentik, said LINX’s actions will further erode the connectivity of these large Russia providers to the larger Internet.

“If the other major European exchanges followed suit, it could be really problematic for Russian connectivity,” Madory said.

Microsoft Patch Tuesday, March 2022 Edition

Microsoft on Tuesday released software updates to plug at least 70 security holes in its Windows operating systems and related software. For the second month running, there are no scary zero-day threats looming for Windows users, and relatively few “critical” fixes. And yet we know from experience that attackers are already trying to work out how to turn these patches into a roadmap for exploiting the flaws they fix. Here’s a look at the security weaknesses Microsoft says are most likely to be targeted first.

Greg Wiseman, product manager at Rapid7, notes that three vulnerabilities fixed this month have been previously disclosed, potentially giving attackers a head start in working out how to exploit them. Those include remote code execution bugs CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client. CVE-2022-24459 is a vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated “Important” by Microsoft.

Just three of the fixes this month earned Microsoft’s most-dire “Critical” rating, which Redmond assigns to bugs that can be exploited to remotely compromise a Windows PC with little to no help from users. Two of those critical flaws involve Windows video codecs. Perhaps the most concerning critical bug quashed this month is CVE-2022-23277, a  remote code execution flaw affecting Microsoft Exchange Server.

“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it,” Wiseman said. “Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.”

CVE-2022-24508 is a remote code execution bug affecting Windows SMBv3, the technology that handles file sharing in Windows environments.

“This has potential for widespread exploitation, assuming an attacker can put together a suitable exploit,” Wiseman said. “Luckily, like this month’s Exchange vulnerabilities, this, too, requires authentication.”

Kevin Breen, director of cyber threat research at Immersive Labs, called attention to a trio of bugs fixed this month in the Windows Remote Desktop Protocol (RDP), which is a favorite target of ransomware groups.

CVE-2022-23285, CVE-2022-21990 and CVE-2022-24503 are a potential concern especially as this infection vector is commonly used by ransomware actors,” Breen said. “While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough of a risk to be a priority.”

March’s Patch Tuesday also brings an unusual update (CVE-2022-21967) that might just be the first security patch involving Microsoft’s Xbox device.

“This appears to be the first security patch impacting Xbox specifically,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself.”

Also on Tuesday, Adobe released updates addressing six vulnerabilities in Adobe Photoshop, Illustrator and After Effects.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

Internet Backbone Giant Lumen Shuns .RU

Lumen Technologies, an American company that operates one of the largest Internet backbones and carries a significant percentage of the world’s Internet traffic, said today it will stop routing traffic for organizations based in Russia. Lumen’s decision comes just days after a similar exit by backbone provider Cogent, and amid a news media crackdown in Russia that has already left millions of Russians in the dark about what is really going on with their president’s war in Ukraine.

Monroe, La. based Lumen [NYSE: LUMN] (formerly CenturyLink) initially said it would halt all new business with organizations based in Russia, leaving open the possibility of continuing to serve existing clients there. But on Tuesday the company said it could no longer justify that stance.

“Life has taken a turn in Russia and Lumen is unable to continue to operate in this market,” Lumen said in a published statement. “The business services we provide are extremely small and very limited as is our physical presence. However, we are taking steps to immediately stop business in the region.”

“We decided to disconnect the network due to increased security risk inside Russia,” the statement continues. “We have not yet experienced network disruptions but given the increasingly uncertain environment and the heightened risk of state action, we took this move to ensure the security of our and our customers’ networks, as well as the ongoing integrity of the global Internet.”

According to Internet infrastructure monitoring firm Kentik, Lumen is the top international transit provider to Russia, with customers including Russian telecom giants Rostelecom and TTK, as well as all three major mobile operators (MTS, Megafon and VEON).

“A backbone carrier disconnecting its customers in a country the size of Russia is without precedent in the history of the internet and reflects the intense global reaction that the world has had over the invasion of Ukraine,” wrote Doug Madory, Kentik’s director of Internet analysis.

It’s not clear whether any other Internet backbone providers — some of which are based outside of the United States — will follow the lead of Lumen and Cogent. But Madory notes that as economic sanctions continue to exact a toll on Russia’s economy, its own telecommunications firms may have difficulty paying foreign transit providers for service.

Ukrainian leaders petitioned the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit organization charged with overseeing the global domain name system — to disconnect Russia’s top-level domain (.ru) from the Internet. ICANN respectfully declined that request, but many technology giants, including Amazon, Apple and Microsoft, have moved on their own to suspend new business in the country.

Meanwhile, Russia recently cracked down on the last remaining vestiges of a free press within its borders, passing a new law that threatens up to 15 years in jail for anyone who publishes content that refers to the conflict in Ukraine as a “war” or “invasion.”

As Neil MacFarquhar writes for The New York Times, what little coverage there is on Russian television networks about the invasion does not include any footage of the devastation wrought by Russian troops on the Ukrainian citizenry. At the same time, the Russian government has blocked Facebook and partly blocked Twitter, while other platforms like TikTok have suspended services in the country.

“To spend several days watching news broadcasts on the main state channels, as well as surveying state-controlled newspapers, is to witness the extent of the Kremlin’s efforts to sanitize its war with the Orwellian term ‘special military operation’ — and to make all news coverage align with that message,” MacFarquhar wrote.

The Washington Post, which was the first to report on Cogent’s decision last week, wrote that these independent actions by private tech companies collectively “will leave Russians more dependent than ever on government propaganda that already dominates the nation’s newspapers and broadcast stations, leaving few ways to access independent sources of news at a time when the country has entered a severe political crisis.”

In a blog post titled “Why the World Must Resist Calls to Undermine the Internet,” Internet Society President Andrew Sullivan said cutting a whole population off the Internet will stop disinformation coming from that population — but it also stops the flow of truth.

“Without the Internet, the rest of the world would not know of atrocities happening in other places,” Sullivan wrote. “And without the Internet, ordinary citizens of many countries wouldn’t know what was being carried out in their name. Our best hope, however dim, is that those supporting an aggressive regime will change their support. More information can help, even as disinformation circulates. We need a better understanding of what is and is not disinformation.”

There is another — perhaps less popular — camp, which holds that isolating Russia from the rest of the Internet might be THE thing that encourages more Russians to protest the war in Ukraine, and ultimately to take back control of their own country from its autocratic and kleptocratic leaders.

Not long after Russia invaded Ukraine, I heard from an old pen-pal in Ukraine: Sergey Vovnenko, a.k.a. “Flycracker,” a.k.a the convicted Ukrainian cybercriminal who once executed a plot to have me framed for heroin possession. Vovnenko did his time in a U.S. prison, left Fly behind, and we have since buried the hatchet. He’s now hunkered down in Lviv, Ukraine, which is serving as a major artery for refugees seeking shelter outside Ukraine’s borders.

These days, Vovnenko says he is working with many sympathetic hackers to fight the Russians online. Asked what he thought about the idea of Russia being isolated from the rest of the Internet, Vovnenko said it couldn’t happen soon enough given the Russian government’s new media blitz to cast the war in a patriotic light.

“I think they should be disconnected, maybe Russian people will rebel against Putin after that,” he said.

Conti Ransomware Group Diaries, Part IV: Cryptocrime

Three stories here last week pored over several years’ worth of internal chat records stolen from the Conti ransomware group, the most profitable ransomware gang in operation today. The candid messages revealed how Conti evaded law enforcement and intelligence agencies, what it was like on a typical day at the Conti office, and how Conti secured the digital weaponry used in their attacks. This final post on the Conti conversations explores different schemes that Conti pursued to invest in and steal cryptocurrencies.

When you’re perhaps the most successful ransomware group around — Conti made $180 million last year in extortion payments, well more than any other crime group, according to Chainalysis — you tend to have a lot digital currency like Bitcoin.

This wealth allowed Conti to do things that regular investors couldn’t — such as moving the price of cryptocurrencies in one direction or the other. Or building a cryptocurrency platform and seeding it with loads of ill-gotten crypto from phantom investors.

One Conti top manager — aptly-named “Stern” because he incessantly needled Conti underlings to complete their assigned tasks — was obsessed with the idea of creating his own crypto scheme for cross-platform blockchain applications.

“I’m addicted right now, I’m interested in trading, defi, blockchain, new projects,” Stern told “Bloodrush” on Nov. 3, 2021. “Big companies have too many secrets that they hold on to, thinking that this is their main value, these patents and data.”

In a discussion thread that spanned many months in Conti’s internal chat room, Stern said the plan was to create their own crypto universe.

“Like Netherium, Polkadot and Binance smart chain, etc.,” Stern wrote. “Does anyone know more about this? Study the above systems, code, principles of work. To build our own, where it will already be possible to plug in NFT, DEFI, DEX and all the new trends that are and will be. For others to create their own coins, exchanges and projects on our system.”

It appears that Stern has been paying multiple developers to pursue the notion of building a peer-to-peer (P2P) based system for “smart contracts” — programs stored on a blockchain that run whenever predetermined conditions are met.

It’s unclear under what context the Conti gang was interested in smart contracts, but the idea of a ransomware group insisting on payments via smart contracts is not entirely new. In 2020, researchers from Athens University School of Information Sciences and Technology in Greece showed (PDF) how ransomware-as-a-service offerings might one day be executed through smart contracts.

Before that, Jeffrey Ladish, an information security consultant based in Oakland, Calif., penned a two-part analysis on why smart contracts will make ransomware more profitable.

“By using a smart contract, an operator can trustlessly sell their victims a decryption key for money,” Ladish wrote. “That is, a victim can send some money to a smart contract with a guarantee that they will either receive the decryption key to their data or get their money back. The victim does not have to trust the person who hacked their computer because they can verify that the smart contract will fairly handle the exchange.”

The Conti employee “Van” appears to have taken the lead on the P2P crypto platform, which he said was being developed using the Rust programming language.

“I am trying to make a p2p network in Rust,” Van told a co-worker “Demon” on Feb. 19, 2022. “I’m sorting it out and have already started writing code.”

“It’s cool you like Rust,” Demon replied. “I think it will help us with smart contracts.”

Stern apparently believed in his crypto dreams so much that he sponsored a $100,000 article writing contest on the Russian language cybercrime forum Exploit, asking interested applicants to put forth various ideas for crypto platforms. Such contests are an easy way to buy intellectual property for ongoing projects, and they’re also effective recruiting tools for cybercriminal organizations.

“Cryptocurrency article contest! [100.000$],” wrote mid-level Conti manager “Mango,” to boss Stern, copying the title of the post on the Exploit forum. “What the hell are you doing there…”

A few days later Mango reports to Stern that he has “prepared everything for both the social network and articles for crypto contests.”

DISTRIBUTED DENIAL OF DISCORD?

On June 6, 2021, Conti underling “Begemot” pitched Stern on a scheme to rip off a bunch of people mining virtual currencies, by launching distributed denial-of-service (DDoS) attacks against a cryptocurrency mining pool.

“We find young forks on exchanges (those that can be mined), analyze their infrastructure,” Begemot wrote.

Begemot continues:

“Where are the servers, nodes, capitalization, etc. Find a place where crypto holders communicate (discord, etc. ). Let’s find out the IP of the node. Most likely it will be IPv6. We start ddosing. We fly into the chat that we found earlier and write that there are problems, the crypt is not displayed, operations are not carried out (because the crypt depends on mining, there will really be problems ). Holders start to get nervous and withdraw the main balance. Crypto falls in price. We buy at a low price. We release ddos. Crypto grows again. We gain. Or a variant of a letter to the creators about the possibility of a ransom if they want the ddos ​​to end. From the main problem points, this is the implementation of Ipv6 DDoS.”

Stern replies that this is an excellent idea, and asks Begemet to explain how to identify the IP address of the target.

SQUID GAMES

It appears Conti was involved in “SQUID,” a new cryptocurrency which turned out to be a giant social media scam that netted the fraudsters millions of dollars. On Oct. 31, 2021, Conti member “Ghost” sent a message to his colleagues that a big “pump” moneymaking scheme would be kicking off in 24 hours. In crypto-based pump-and-dump scams, the conspirators use misleading information to inflate the price of a currency, after which they sell it at a profit.

“The big day has arrived,” Ghost wrote. “24 hours remaining until the biggest pump signal of all time! The target this time will be around 400% gains possibly even more. We will be targeting 100 million $ volume. With the bull market being in full effect and volumes being high, the odds of reaching 400% profit will be very high once again. We will do everything in our power to make sure we reach this target, if you have missed our previous big successful pumps, this is also the one you will not want to miss. A massive pump is about to begin in only 24 hours, be prepared.”

Ghost’s message doesn’t mention which crypto platform would be targeted by the scam. But the timing aligns with a pump-and-dump executed against the SQUID cryptocurrency (supposedly inspired by the popular South Korean Netflix series). SQUID was first offered to investors on Oct. 20, 2021.

The now-defunct website for the cryptocurrency scam SQUID.

As Gizmodo first reported on Nov. 1, 2021, just prior to the scam SQUID was trading at just one cent, but in less than a week its price had jumped to over $2,856.

Gizmodo referred to the scam as a “rug pull,” which happens when the promoter of a digital token draws in buyers, stops trading activity and makes off with the money raised from sales. SQUID’s developers made off with an estimated $3.38 million (£2.48m).

“The SQUID crypto coin was launched just last week and included plenty of red flags, including a three-week old website filled with bizarre spelling and grammatical errors,” Gizmodo’s Matt Novak wrote. “The website, hosted at SquidGame.cash, has disappeared, along with every other social media presence set up by the scammers.”

Conti Ransomware Group Diaries, Part III: Weaponry

Part I of this series examined newly-leaked internal chats from the Conti ransomware group, and how the crime gang dealt with its own internal breaches. Part II explored what it’s like to be an employee of Conti’s sprawling organization. Today’s Part III looks at how Conti abused popular commercial security services to undermine the security of their targets, as well as how the team’s leaders strategized for the upper hand in ransom negotiations with victims.

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

Conti is by far the most successful ransomware group in operation today, routinely pulling in multi-million dollar payments from victim organizations. That’s because more than perhaps any other ransomware outfit, Conti has chosen to focus its considerable staff and talents on targeting companies with more than $100 million in annual revenues.

As it happens, Conti itself recently joined the $100 million club. According to the latest Crypto Crime Report (PDF) published by virtual currency tracking firm Chainalysis, Conti generated at least $180 million in revenue last year.

On Feb. 27, a Ukrainian cybersecurity researcher who is currently in Ukraine leaked almost two years’ worth of internal chat records from Conti, which had just posted a press release to its victim shaming blog saying it fully supported Russia’s invasion of his country. Conti warned it would use its cyber prowess to strike back at anyone who interfered in the conflict.

The leaked chats show that the Conti group — which fluctuated in size from 65 to more than 100 employees — budgeted several thousand dollars each month to pay for a slew of security and antivirus tools. Conti sought out these tools both for continuous testing (to see how many products detected their malware as bad), but also for their own internal security.

A chat between Conti upper manager “Reshaev” and subordinate “Pin” on Aug. 8, 2021 shows Reshaev ordering Pin to quietly check on the activity of the Conti network administrators once a week — to ensure they’re not doing anything to undermine the integrity or security of the group’s operation. Reshaev tells Pin to install endpoint detection and response (EDR) tools on every administrator’s computer.

“Check admins’ activity on servers each week,” Reshaev said. “Install EDR on every computer (for example, Sentinel, Cylance, CrowdStrike); set up more complex storage system; protect LSAS dump on all computers; have only 1 active accounts; install latest security updates; install firewall on all network.”

Conti managers were hyper aware that their employees handled incredibly sensitive and invaluable data stolen from companies, information that would sell like hotcakes on the underground cybercrime forums. But in a company run by crooks, trust doesn’t come easily.

“You check on me all the time, don’t you trust me?,” asked mid-level Conti member “Bio” of “Tramp” (a.k.a. “Trump“), a top Conti overlord. Bio was handling a large bitcoin transfer from a victim ransom payment, and Bio detected that Trump was monitoring him.

“When that kind of money and people from the street come in who have never seen that kind of money, how can you trust them 1,000%?” Trump replied. “I’ve been working here for more than 15 years and haven’t seen anything else.”

OSINT

Conti also budgeted heavily for what it called “OSINT,” or open-source intelligence tools. For example, it subscribed to numerous services that can help determine who or what is behind a specific Internet Protocol (IP) address, or whether a given IP is tied to a known virtual private networking (VPN) service. On an average day, Conti had access to tens of thousands of hacked PCs, and these services helped the gang focus solely on infected systems thought to be situated within large corporate networks.

Conti’s OSINT activities also involved abusing commercial services that could help the group gain the upper hand in ransom negotiations with victims. Conti often set its ransom demands as a percentage of a victim’s annual revenues, and the gang was known to harass board members of and investors in companies that refused to engage or negotiate.

In October 2021, Conti underling “Bloodrush” told his manager “Bentley” that the group urgently needed to purchase subscriptions to Crunchbase Pro and Zoominfo, noting that the services provide detailed information on millions of companies, such as how much insurance a company maintains; their latest earnings estimates; and contact information of executive officers and board members.

In a months-long project last year, Conti invested $60,000 in acquiring a valid license to Cobalt Strike, a commercial network penetration testing and reconnaissance tool that is sold only to vetted partners. But stolen or ill-gotten “Coba” licenses are frequently abused by cybercriminal gangs to help lay the groundwork for the installation of ransomware on a victim network. It appears $30,000 of that investment went to cover the actual cost of a Cobalt Strike license, while the other half was paid to a legitimate company that secretly purchased the license on Conti’s behalf.

Likewise, Conti’s Human Resources Department budgeted thousands of dollars each month toward employer subscriptions to numerous job-hunting websites, where Conti HR employees would sift through resumes for potential hires. In a note to Conti taskmaster “Stern” explaining the group’s paid access on one employment platform, Conti HR employee “Salamandra” says their workers have already viewed 25-30 percent of all relevant CVs available on the platform.

“About 25% of resumes will be free for you, as they are already opened by other managers of our company some CVs are already open for you, over time their number will be 30-35%,” Salamandra wrote. “Out of 10 CVs, approximately 3 will already be available.”

Another organizational unit within Conti with its own budget allocations — called the “Reversers” — was responsible for finding and exploiting new security vulnerabilities in widely used hardware, software and cloud-based services. On July 7, 2021, Stern ordered reverser “Kaktus” to start focusing the department’s attention on Windows 11, Microsoft’s newest operating system.

“Win11 is coming out soon, we should be ready for this and start studying it,” Stern said. “The beta is already online, you can officially download and work.”

BY HOOK OR BY CROOK

The chats from the Conti organization include numerous internal deliberations over how much different ransomware victims should be made to pay. And on this front, Conti appears to have sought assistance from multiple third parties.

Milwaukee-based cyber intelligence firm Hold Security this week posted a screenshot on Twitter of a conversation in which one Conti member claims to have a journalist on their payroll who can be hired to write articles that put pressure on victim companies to pay a ransom demand.

“There is a journalist who will help intimidate them for 5 percent of the payout,” wrote Conti member “Alarm,” on March 30, 2021.

The Conti team also had decent working relationships with multiple people who worked at companies that helped ransomware victims navigate paying an extortion demand in virtual currency. One friendly negotiator even had his own nickname within the group — “The Spaniard” — who according to Conti mid-level manager Mango is a Romanian man who works for a large ransomware recovery firm in Canada.

“We have a partner here in the same panel who has been working with this negotiator for a long time, like you can quickly negotiate,” Trump says to Bio on Dec. 12, 2021, in regards to their ransomware negotiations with LeMans Corp., a large Wisconsin-based distributor of powersports equipment [LeMans declined to comment for this story].

Trump soon after posts a response from their negotiator friend:

“They are willing to pay $1KK [$1 million] quickly. Need decryptors. The board is willing to go to a maximum of $1KK, which is what I provided to you. Hopefully, they will understand. The company revenue is under $100KK [$100 million]. This is not a large organization. Let me know what you can do. But if you have information about their cyber insurance and maybe they have a lot of money in their account, I need a bank payout, then I can bargain. I’ll be online by 21-00 Moscow time. For now, take a look at the documents and see if there is insurance and bank statements.”

In a different ransom discussion, the negotiator urges Conti to reconsider such a hefty demand.

“My client only has a max of $200,000 to pay and only wants the data,” the negotiator wrote on Oct. 7, 2021. “See what you can do or this deal will not happen.”

Many organizations now hold cyber insurance to cover the losses associated with a ransomware attack. The logs indicate Conti was ambivalent about working with these victims. For one thing, the insurers seemed to limit their ability to demand astronomical ransom amounts. On the other hand, insured victims usually paid out, with a minimum of hassle or protracted back-and-forth negotiations.

“They are insured for cyber risks, so what are we waiting for?” asks Conti upper manager “Revers,” in a conversation on Sept. 14, 2021.

“There will be trades with the insurance company?” asks Conti employee “Grant.”

“That’s not how it works,” Revers replied. “They have a coverage budget. We just take it and that’s it.”

Conti was an early adopter of the ransomware best practice of “double extortion,” which involves charging the victim two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed. Indeed, some variation of the message “need decryptors, deletion logs” can be seen throughout the chats following the gang’s receipt of payment from a victim.

Conti victims were directed to a page on the dark web that included a countdown timer. Victims who failed to negotiate a payment before the timer expired could expect to see their internal data automatically published on Conti’s victim shaming blog.

The beauty of the double extortion approach is that even when victims refuse to pay for a decryption key — perhaps because they’re confident they can restore systems from backups — they might still pay to keep the breach quiet.

“Hello [victim company redacted],” the gang wrote in January 2022. “We are Conti Group. We want to inform that your company local network have been hacked and encrypted. We downloaded from your network more than 180GB of sensitive data. – Shared HR – Shared_Accounting – Corporate Debt – Departments. You can see your page in the our blog here [dark web link]. Your page is hidden. But it will be published if you do not go to the negotiations.”

“We came to an agreement before the New Year,” Conti member “Skippy” wrote later in a message to the victim company. “You got a lot of time, more than enough to find any sum and fulfill your part of this agreement. However, you now ask for additional time, additional proofs, etc. Seems like you are preparing to break the agreement and flee, or just to decrease the sum. Moreover, it is a very strange request and explanation. A lot of companies pay such amounts without any problems. So, our answer: We are waiting for the above mentioned sum until 5 February. We keep our words. If we see no payment and you continue to add any conditions, we begin to upload data. That is all.”

And a reputation for keeping their word is what makes groups like Conti so feared. But some may come to question the group’s competence, and whether it may now be too risky to work with them.

On Mar. 3, a new Twitter account called “Trickbotleaks” began posting the names, photos and personal information of what the account claimed were top Trickbot administrators, including information on many of the Conti nicknames mentioned throughout this story. The Trickbotleaks Twitter account was suspended less than 24 hours later.

On Mar. 2, the Twitter account that originally leaked the Conti chat (a.k.a. “jabber”) records posted fresh logs from the Conti chat room, proving the infiltrator still had access and that Conti hadn’t figured out how they’d been had.

“Ukraine will rise!,” the account tweeted. “Fresh jabber logs.”

There may yet be at least one more piece in this series. Look here next week for a story about some of Conti’s more interesting extracurricular moneymaking and investment schemes.

Conti Ransomware Group Diaries, Part II: The Office

Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves.

The Conti group’s chats reveal a great deal about its internal structure and hierarchy. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires.

Other Conti departments with their own distinct budgets, staff schedules, and senior leadership include:

Coders: Programmers hired to write malicious code, integrate disparate technologies
Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware.

Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.

A great many of the more revealing chats concerning Conti’s structure are between “Mango” — a mid-level Conti manager to whom many other Conti employees report each day — and “Stern,” a sort of cantankerous taskmaster who can be seen constantly needling the staff for reports on their work.

In July 2021, Mango told Stern that the group was placing ads on several Russian-language cybercrime forums to hire more workers. “The salary is $2k in the announcement, but there are a lot of comments that we are recruiting galley slaves,” Mango wrote. “Of course, we dispute that and say those who work and bring results can earn more, but there are examples of coders who work normally and earn $5-$10k salary.”

The Conti chats show the gang primarily kept tabs on the victim bots infected with their malware via both the Trickbot and Emotet crimeware-as-a-service platforms, and that it employed dozens of people to continuously test, maintain and expand this infrastructure 24 hours a day, 7 days a week.

Conti members referred to Emotet as “Booz” or “Buza,” and it is evident from reading these chat logs that Buza had its own stable of more than 50 coders, and likely much of the same organizational structure as Conti.

According to Mango, as of July 18, 2021 the Conti gang employed 62 people, mostly low-level malware coders and software testers. However, Conti’s employee roster appears to have fluctuated wildly from one month to the next. For example, on multiple occasions the organization was forced to fire many employees as a security precaution in the wake of its own internal security breaches.

In May 2021, Stern told Mango he wanted his underlings to hire 100 more “encoders” to work with the group’s malware before the bulk of the gang returns from their summer vacations in Crimea. Most of these new hires, Stern says, will join the penetration testing/hacking teams headed by Conti leaders “Hof” and “Reverse.” Both Hof and Reverse appear to have direct access to the Emotet crimeware platform.

Trying to accurately gauge the size of the Conti organization is problematic, in part because cybersecurity experts have long held that Conti is merely a rebrand of another ransomware strain and affiliate program known as Ryuk. First spotted in 2018, Ryuk was just as ruthless and mercenary as Conti, and the FBI says that in the first year of its operation Ryuk earned more than $61 million in ransom payouts.

“Conti is a Targeted version of Ryuk, which comes from Trickbot and Emotet which we’ve been monitoring for some time,” researchers at Palo Alto Networks wrote about Ryuk last year. “A heavy focus was put on hospital systems, likely due to the necessity for uptime, as these systems were overwhelmed with handling the ongoing COVID-19 pandemic. We observed initial Ryuk ransom requests ranging from US$600,000 to $10 million across multiple industries.”

On May 14, 2021, Ireland’s Health Service Executive (HSE) suffered a major ransomware attack at the hands of Conti. The attack would disrupt services at several Irish hospitals, and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. It took the HSE until Sept. 21, 2021 to fully restore all of its systems from the attack, at an estimated cost of more than $600 million.

It remains unclear from reading these chats how many of Conti’s staff understood how much of the organization’s operations overlapped with that of Ryuk. Lawrence Abrams at Bleeping Computer pointed to an October 2020 Conti chat in which the Emotet representative “Buza” posts a link to a security firm’s analysis of Ryuk’s return.

Professor,” the nickname chosen by one of Conti’s most senior generals, replies that indeed Ryuk’s tools, techniques and procedures are nearly identical to Conti’s.

“adf.bat — this is my fucking batch file,” Professor writes, evidently surprised at having read the analysis and spotting his own code being re-used in high-profile ransomware attacks by Ryuk.

“Feels like [the] same managers were running both Ryuk and Conti, with a slow migration to Conti in June 2020,” Abrams wrote on Twitter. “However, based on chats, some affiliates didn’t know that Ryuk and Conti were run by the same people.”

ATTRITION

Each Conti employee was assigned a specific 5-day workweek, and employee schedules were staggered so that some number of staff was always on hand 24/7 to address technical problems with the botnet, or to respond to ransom negotiations initiated by a victim organization.

Like countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of Bitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.

However, many employees used the Conti chat room to vent about working days on end without sleep or breaks, while upper managers ignored their repeated requests for time off.

Indeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and administrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation to the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being approached to work for competing ransomware organizations, and the overall morale of the group seemed to fluctuate between paydays.

Perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees, meaning the group was forced to constantly recruit new talent.

“Our work is generally not difficult, but monotonous, doing the same thing every day,” wrote “Bentley,” the nickname chosen by the key Conti employee apparently in charge of “crypting” the group’s malware — ensuring that it goes undetected by all or at least most antivirus products on the market.

Bentley was addressing a new Conti hire — “Idgo” — telling him about his daily duties.

“Basically, this involves launching files and checking them according to the algorithm,” Bentley explains to Idgo. “Poll communication with the encoder to receive files and send reports to him. Also communication with the cryptor to send the tested assembly to the crypt. Then testing the crypt. If jambs appear at this stage , then sending reports to the cryptor and working with him. And as a result – the issuance of the finished crypt to the partner.”

Bentley cautioned that this testing of their malware had to be repeated approximately every four hours to ensure that any new malware detection capability added to Windows Defender — the built-in antivirus and security service in Windows — won’t interfere with their code.

“Approximately every 4 hours, a new update of Defender databases is released,” Bentley told Idgo. “You need to work for 8 hours before 20-21 Moscow time. And career advancement is possible.” Idgo agrees, noting that he’d started working for Conti a year earlier, as a code tester.

OBSERVATIONS

The logs show the Conti gang is exceedingly good at quickly finding many potential new ransomware victims, and the records include many internal debates within Conti leadership over how much certain victim companies should be forced to pay. They also show with terrifying precision how adeptly a large, organized cybercrime group can pivot from a single compromised PC to completely owning a Fortune 500 company.

As a well-staffed “big game” killing machine, Conti is perhaps unparalleled among ransomware groups. But the internal chat logs show this group is in serious need of some workflow management and tracking tools. That’s because time and time again, the Conti gang lost control over countless bots — all potential sources of ransom revenue that will help pay employee salaries for months — because of a simple oversight or mistake.

Peppered throughout the leaked Conti chats — roughly several times each week — are pleadings from various personnel in charge of maintaining the sprawling and constantly changing digital assets that support the group’s ransomware operation. These messages invariably relate to past-due invoices for multiple virtual servers, domain registrations and other cloud-based resources.

On Mar. 1, 2021, a low-level Conti employee named “Carter” says the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers and domain registrations is short $1,240 in Bitcoin.

“Hello, we’re out of bitcoins, four new servers, three vpn subscriptions and 22 renewals are out,” Carter wrote on Nov. 24, 2021. “Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”

As part of the research for this series, KrebsOnSecurity spent many hours reading each day of Conti’s chat logs going back to September 2020. I wish I could get many of those hours back: Much of the conversations are mind-numbingly boring chit-chat and shop talk. But overall, I came away with the impression that Conti is a highly effective — if also remarkably inefficient — cybercriminal organization.

Some of Conti’s disorganized nature is probably endemic in the cybercrime industry, which is of course made up of criminals who are likely accustomed to a less regimented lifestyle. But make no mistake: As ransomware collectives like Conti continue to increase payouts from victim organizations, there will be increasing pressure on these groups to tighten up their operations and work more efficiently, professionally and profitably.

Stay tuned for Part III in this series, which will look at how Conti secured access to the cyber weaponry needed to subvert the security of their targets, as well as how the team’s leaders approached ransom negotiations with their victims.