Cybercrime: Conti Ransomware Retools After Backing Moscow
Also: Paying Ransomware Actors; Impact of Talent Shortage on Fraud Teams
Anna Delaney (annamadeline) • June 23, 2022 • 11 Minutes
The latest edition of the ISMG Security Report investigates the reboot of ransomware group Conti, which supports Russia's invasion of Ukraine. It also discusses why paying ransomware actors is a "business decision" and how to respond to the talent shortage in the financial sector.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz describe how ransomware group Conti's support of Russia drives the group's reboot;
- ISMG's Jeremy Kirk discuss the business decision to pay ransomware actors;
- Julie Conroy of Aite-Novarica Group explain how the Great Resignation is affecting fraud teams.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the June 2 and June 16 editions, which respectively discuss the problem of unsecured databases in the wake of the Elasticsearch attack and the highlights of RSA Conference 2022.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: After backing Russia's war, Conti ransomware retools and why paying ransomware actors is a business decision. These stories and more on this week's ISMG Security Report.
(Theme music)
Hi, I'm Anna Delaney. In our first story of this week, ISMG Executive Editor Mathew Schwartz examines how the Conti ransomware group is rebranding as multiple other ransomware groups. So what does this mean for the group's future?
Mathew Schwartz: Good news on the ransomware front. The notorious Conti group — tied to millions of dollars in extortion — appears to be running scared. Unfortunately, that doesn't mean the 200-odd criminals in the group based in the Russian Federation appear likely to disappear anytime soon.
Vitali Kremez: Conti was by far one of the most complicated and the most successful ransomware and cybercrime enterprises, basically consisting of lots of DAP developers, ransomware coders, and penetration testing teams.
Schwartz: That's Vitali Kremez, CEO and chairman of the threat intelligence firm AdvIntel, based in New York City.
Kremez: What's happened with them is, they got too big for themselves. They got very political with their statements. They not only became a ransomware kind of business, they all started to lead exfiltration and extortion, and also started posting lots of publicity stunts. One of them was evolving around the Ukraine-Russia conflict, which brought a lot of peak to them, where they publicly stated that they support Russia and they will retaliate against anyone who targets the Russian Federation.
Schwartz: Conti publicly stating its support for Russia's invasion of Ukraine had some unforeseen consequences for the group. For starters, the PR stunt drove a Ukrainian security researcher to leak a huge amount of Conti's internal chats and source code. Researchers continue to pore over the chats, which have revealed or verified numerous facts. For example, the head of Conti, codenamed Stern in the chats, appears to have close ties to Russia's principal security agency, the Federal Security Service, also known as the FSB. Kremez says that connection led to a massive fall-off in Conti's ransomware proceeds. That's because many victims did not want to fall afoul of the U.S. Treasury Department's OFAC sanctions by giving money to an entity that appeared to be affiliated with the Russian state. Once Conti's leadership figured out why ransomware wasn't so profitable anymore, Kremez says, they accelerated plans to create numerous spin-off brands, not least to ditch the Conti brand name.
Kremez: Now they move to different other groups. They formed their own operations, including the Quantum, Hive, ALPHV and BlackCat ransomware groups. They are very active.
Schwartz: Some of Conti's spin-off groups appear to have been changing their approach further. In some cases, for example, they aren't even using crypto-locking malware anymore, but rather focusing on stealing data and extorting victims, Kremez says, noting that this approach has proven to be more successful — at least for some of the attack groups — in part because such attacks can be quicker and easier.
Kremez: I think there are two reasons it's more successful, because deploying the ransomware as a locker is very expensive. You need to spend days and nights finding domain admin privileges, you need to deploy to a neural network wide, you need to find backups, and you need to get access to the centers and all of that. It's a complex operation and takes a lot of time. But exfiltration is easier and quite honestly more successful for them.
Schwartz: As that highlights, cybercrime remains about profit. And if the ransomware profits have been declining for the likes of Conti, they're not afraid to seek out new ways to turn a new type of profit from victims, or at least until they've earned enough money. But do they ever earn enough?
Kremez: It's a good question. I guess this lifestyle that they have affords lots of luxuries, especially if you live in Eastern Europe. You can afford Lamborghinis. They're like oligarchs; they live the lifestyle of the richest of the rich. So it's hard to go back to a lifestyle where you have to work hard and just earn the money the right way. Oftentimes, it's like once they get hooked into this business, it's hard to get away. The only way we've seen them get away from this business is when Russian intelligence or law enforcement needs to recruit them for their own operations. That's what's happened with the creator of the Zeus malware, Slavik, who we all suspect and we all know works with the Russian intelligence and law enforcement agencies now. So some of the most successful ones became forceful employees for Russian intelligence, and that's the way out.
Schwartz: How many more cybercriminals might graduate into the ranks of Russian intelligence, however, remains unclear. For Information Security Media Group, I'm Mathew Schwartz.
(Transition ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: In this next clip, ISMG's Jeremy Kirk, managing editor of security and technology, considers the dilemma facing businesses when struck with a ransom demand.
Jeremy Kirk: Having to decide whether to pay a ransom to cybercriminals is a decision no one wants to make. But experts say that practitioners should stay objective and leave the decision and the subsequent moral implications to the business. Paul Furtado is a vice president and analyst with Gartner, who spoke earlier this week at a Gartner summit in Sydney. Two to three times a month, he gets called in to help somewhere in the world with an active ransomware incident. He hasn't seen an organization take paying a ransom off the table from the start. Here's Paul:
Paul Furtado: I have yet to see an organization going through that, that says, no, I'm not going to pay. The reality is they're going to do what they need to do and give you that blank cheque to get the business back to a functional level.
Kirk: Ransomware is a nearly perfect crime. Encrypting a company's data and holding it hostage has been an astonishingly effective criminal ploy with low risk and high reward. Governments such as the U.S. and Australia have developed plans to combat transnational ransomware gangs, but their actions will take time. Furtado says up to a third of organizations pay the ransom even though it's advised to try to avoid doing that. The majority of those organizations do get access to their data as a result, as cybercriminals generally hold up their end of the deal. But security practitioners should be aware that they will be asked by the business what to do after an attack and whether to pay. Furtado says businesses have to consider what's the maximum tolerable outage as well as other impacts of the decisions they must make. Daniel Smith is CISO of Hearing Australia, and he echoes Furtado's view. He says it's important that those on security teams realize that the call on whether to pay or not is not theirs. Smith was called on to help another Australian organization in the aged care sector recover from an attack by the REvil gang. He presented his experiences at the Gartner summit as well. The victim organization was not identified by name. But Smith says there was one person at the organization who had a very strong view on whether to pay the ransom. It didn't lead to a great outcome for that person.
Daniel Smith: There was one particular individual involved in this event who worked for the organization and had a very strong personal view on the payment of ransoms. The reputation of those personal views ended up with that person being bundled out of the conversation because they were no longer objective. So even if you do have a strong view on the payment of ransoms, or if you're a CIO or a CISO, you're there as a subject matter expert. You will provide advice only; you will not be responsible for making the decision. That will be the board's decision. So leave it to them. Just provide the advice as best you can.
Kirk: For Information Security Media Group, I'm Jeremy Kirk.
Delaney: And finally, how has the Great Resignation impacted financial institutions and, more specifically, their fraud teams? This is a question posed by Tom Field, our senior vice president of editorial, to Julie Conroy, head of risk insights and advisory at Aite-Novarica Group, at ISMG's recent Fraud Summit. Here's Conroy:
Julie Conroy: Fifty-seven percent of institutions that we recently surveyed on this topic are seeing an increase in voluntary resignation. As a result of this talent gap, as we have migrated back to the new normal post-pandemic, to use an overused term, we're seeing that a lot of people don't want to go back to the office. And they have choices, because there are so many firms out there that are open to having remote workers, because we've seen that it works. And so this is something, especially in the analytics and the technology competencies, where financial institutions are finding themselves competing with a whole new set of players for talent. You're headquartered in Des Moines, Iowa, but you're all of a sudden competing with Silicon Valley and Seattle for your analytics and tech staff, because you can work from Des Moines just as effectively as you can from those higher-priced markets. So it's a challenge we see that institutions are competing based on salary. In some cases, they're increasing some of the incentive plan. I think everybody needs to also be cognizant of, and bringing into their talent attraction and retention programs, that flexibility component, and realizing that we've got a new breed of workers that doesn't want to go into the office every day, and we need to recognize that.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time!