At the end of February 2022, the Twitter @ContiLeaks account and other online personas started to leak data including thousands of Jabber chat messages about the operations of the ransomware threat actors behind Conti ransomware. The leaks, which included more than 160,000 messages, revealed fascinating details about the ransomware group GOLD ULRICK, also known as GRIM SPIDER or UNC1878.
They included information about organizational structure, personnel, tooling, and cooperation with other cybercriminal groups. A sharp picture emerged of a hierarchical organization with a clear management structure and a defined chain-of-command. The leaks also included source code repositories of malware and associated web panels, and data dumps from loader and ransomware backend panels.
The cybersecurity industry was agog. Yet in the broader media, the ‘ransomware’ news that grabbed the public attention was something entirely different and, I would argue, misleading: the focus was on a newly emerged group calling itself Lapsus$, and more specifically, the age of its members. I place the word ‘ransomware’ in single quotes here deliberately because the Lapsus$ attacks that have been made public all attempted to ransom stolen data rather than deploy ransomware. This group, seemingly composed of individuals in multiple countries including Brazil, Portugal and the UK, successfully attacked high-profile companies worldwide, including Microsoft. To the popular media’s excitement, at least some of the most prominent Lapsus$ threat actors turned out to be teens.
That played into the popular media image of a ransomware actor, which remains a young man in a hoody, often wearing a Guy Fawkes or horror movie mask. This iconography and its associations likely cause some organizations, especially small-to-medium-sized ones, to underestimate ransomware groups and the risk that ransomware attacks pose to them. For some organizations, ransomware can be an existential threat.
This youthful image often gets reinforced by unmediated observation of arguments on underground forums, where wannabe threat actors jostle and behave obnoxiously like teens to draw attention to themselves. Even the use of the term "script kiddie" as a blanket, derogatory way of describing cyber attackers belittles the amount of damage a skilled attacker can do.
This popular impression of cybercrime is generally wrong. The focus on the youth of some of the Lapsus$ threat actors downplayed how effective they were, even if their operational security was poor.
Undoubtedly there are some relatively anarchic cybercrime groups, for example Babuk, but most effective ransomware groups are highly sophisticated and professional in their operations, irrespective of the age of individual threat actors. Like other types of organized crime groups, they operate like corporations, with a ruthless focus on optimizing return on investment. Conti, for example, hands over victims who don’t pay the ransom to another closely related group called Karakurt for further extortion attempts. Tracing ransomware group activity over several years almost always shows a focus on product and process improvement with a view to enhancing returns.
These groups are organized like businesses. GOLD ULRICK employs coders, researchers, reverse engineers, OSINT researchers, administrators, project managers, and penetration testers. It has defined processes for conflict resolution within the group, akin to managing staff disputes. It has budgets for each department. It runs payroll. The leak showed that the average salary-per-individual paid by GOLD ULRICK was approximately $1,800 per month, far exceeding the average Russian salary of approximately $540 per month. This differential means that the motivation for highly trained people with the right skillset to work for criminal organizations like GOLD ULRICK is unlikely to go away.
The leaked Conti chats reveal a mature cybercrime ecosystem across multiple, interconnected threat groups with frequent collaboration and support. This interconnectivity shows the motivations and relationships of these groups. It highlights their resourcefulness and ability to leverage subject matter expertise within the groups. It even shows that, as in many businesses, more junior team members are not always fully aware of the overall objectives of the group and how their activities contribute.
These threat groups even use business productivity tools. Another group, GOLD NIAGARA, previously focused on card-skimming attacks and now a ransomware group in its own right, uses the Jira ticketing system to manage its activities. It has also used seemingly legitimate cover organizations to recruit on popular job boards for new technical talent, meaning that again some junior recruits may think they are working for genuine businesses.
Overall, these groups are highly professional and extremely resilient. So far, GOLD ULRICK’s Conti attacks have not been impacted by the leaks. If anything, their rate of activity has increased to match peaks from 2021.
Organizations that persist in viewing cybercriminals as teen nightmares on Main Street are putting themselves at risk. Instead, organizations must plan their risk calculations and cyber defenses on the basis that cybercriminal adversaries are as professional and savvy as the biggest corporations. They are just as skilled, resourced, and persistent as many nation-state groups and pose a far greater danger to the majority of organizations.
Jane Adams, information security research consultant, Secureworks