What we can learn from the leaked Conti ransomware group chats

by Helen J. Wolf

In February, the Russian-based ransomware group Conti stated that it would fully support the Russian government during its invasion of Ukraine. Leaked reports revealed the group’s pledge to show full force to any country that dared attack Russia through cyber-attack or other means.

The leaked chats also provide some other insights into the workings of the Conti ransomware group. First, they reveal the group’s organizational structure, which is very similar to that of a legitimate organization, down to how individuals are paid. The documents show an annual payroll of about $6 million for an estimated 65-100 hackers — an unsurprising figure considering the group raised $180 million through extortion and data theft in 2021.

The leaked chats also show how the group works. Conti buys stolen databases to gather information about potential victims and then carries out credible phishing attacks against their employees and business partners. It also uses these databases to estimate how much victims may be willing to pay.

The leaked conversations also reveal that Conti purchases several security products to test its malware against them and determine how easy they are to circumvent. The group is even considering buying existing exploits and backdoors from other cybercriminals.

The organization comes across as a very disciplined company. For example, it has security rules that require good password hygiene from members and the use of best practice guidelines to maintain anonymity. It also provides documents and instructions, including video tutorials, to help inexperienced hackers quickly become effective adversaries.

Like many other cybercrime groups, Conti has been affected by the Russian invasion of Ukraine. The onset of cyber warfare has prompted state actors to become increasingly sophisticated and adopt the latest techniques from the legitimate commercial software industry.

The advances we’ve seen in general programming with development frameworks, automation, and code-less programming are already translating into the cybercrime domain, making it easier for attackers to learn, develop, and scale.

Now that Russia has allowed its local companies to steal patents from anyone deemed to be from an “unfriendly” nation, there is little repercussion for Russians looking to take up cybercrime.

They can set up a cybercrime company or provide R&D services to existing groups. In either case, they pose new threats to global businesses and their data. To make matters worse, many Russians highly knowledgeable about cybercrime are losing their jobs or being sanctioned as US and European tech companies pull out of doing business in Russia, making cybercrime an increasingly attractive prospect.

Any system, account, or person can be considered a target, and with such a massive attack surface, penetration is seemingly inevitable. So, in the future, organizations should adopt an “assume breach” mindset, focusing on what data an attacker is likely to target to maximize their financial gain after breaching your defenses.

Most adversaries are looking for an organization’s critical data storage. They will try to access a network remotely, find and exploit weaknesses, take control of high-level accounts, and use them to steal data. Unfortunately, once inside the network, hackers usually don’t experience much resistance to their efforts.

Organizations can determine how easy it is for hackers to access their critical data by examining what files their employees have access to. If a mid-level employee can access essential data, an attacker can easily exploit it by compromising their account. The attacker must do more work if the employee doesn’t have access to critical data.

Unfortunately, employees in most organizations have unnecessary access to many thousands or even millions of files. Most organizations wouldn’t even know a user could access an unusually large amount of data.
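The audit described above, working out how many files (and how many critical files) each account can actually reach, can be scripted from group memberships and folder ACLs. The following is an added example, not code from the article or from any product it mentions: the users, groups, share names and file counts are constructed sample data, and the `critical` tags are hypothetical classifications. It resolves nested group membership (the usual reason access is wider than anyone expects) and flags critical folders that are effectively readable by everyone.

```python
"""Blast-radius audit: for each user, how many files are readable and how many
of those sit in folders classified as critical.  All data below is constructed
sample data; group, user and share names are hypothetical."""
from collections import deque

# Constructed group memberships. A member may be a user or another group;
# nested groups are resolved transitively when computing effective access.
GROUP_MEMBERS = {
    "Everyone": ["alice", "bob", "carol", "dave"],
    "Finance": ["alice", "Finance-Leads"],
    "Finance-Leads": ["bob"],
    "Engineering": ["carol", "dave"],
    "IT-Admins": ["dave"],
}

# Constructed folder ACLs: groups with read access, file count, and whether the
# folder holds data the organization has classified as critical.
FOLDERS = {
    r"\\fs01\public":     {"read": ["Everyone"],              "files": 12_000, "critical": False},
    r"\\fs01\finance":    {"read": ["Finance"],               "files": 8_500,  "critical": True},
    r"\\fs01\payroll":    {"read": ["Finance-Leads"],         "files": 1_200,  "critical": True},
    r"\\fs01\source":     {"read": ["Engineering"],           "files": 45_000, "critical": True},
    r"\\fs01\hr-records": {"read": ["Everyone", "IT-Admins"], "files": 3_000,  "critical": True},  # misconfigured ACL
}


def expand_group(group):
    """Return the set of users that are direct or nested members of `group`."""
    users, seen, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in GROUP_MEMBERS.get(g, []):
            if member in GROUP_MEMBERS:
                queue.append(member)   # nested group: keep expanding
            else:
                users.add(member)
    return users


def blast_radius():
    """Per user: readable files, readable critical files, and which critical folders."""
    result = {}
    for path, acl in FOLDERS.items():
        readers = set()
        for g in acl["read"]:
            readers |= expand_group(g)
        for user in readers:
            entry = result.setdefault(user, {"files": 0, "critical_files": 0, "critical_folders": []})
            entry["files"] += acl["files"]
            if acl["critical"]:
                entry["critical_files"] += acl["files"]
                entry["critical_folders"].append(path)
    return result


def overexposed_folders():
    """Critical folders whose effective readers are every known user."""
    all_users = set().union(*(expand_group(g) for g in GROUP_MEMBERS))
    exposed = []
    for path, acl in FOLDERS.items():
        readers = set().union(*(expand_group(g) for g in acl["read"]))
        if acl["critical"] and readers >= all_users:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for user, entry in sorted(blast_radius().items()):
        print(f"{user:6} files={entry['files']:>6} critical={entry['critical_files']:>6} "
              f"folders={entry['critical_folders']}")
    print("critical folders readable by everyone:", overexposed_folders())
```

In a real environment the `GROUP_MEMBERS` and `FOLDERS` tables would be pulled from the directory and the file servers; the point of the report is the per-user `critical_files` figure, which is the number an attacker inherits by compromising that one account.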

And not all threats come from outside, either. For example, giving employees unnecessary access to massive amounts of data makes it easier for a rogue employee to do damage. Cybercriminals will sometimes even look for willing employees to provide them with access.

Making an attacker’s job as difficult as possible

Organizations need to limit each employee’s “blast radius”, the data they can access, to make the attacker’s job as difficult as possible. By giving employees access only to the data they need to do their jobs, organizations can limit the damage attackers can do if they gain access to the network.

The next thing to do is get a handle on all your most critical data. Identify intellectual property, source code, customer and employee records, and where they are stored. Ensure that only the people who need these files have access to them.

In addition, organizations should put in place mechanisms to detect unusual access attempts (such as an employee opening thousands of files in a single session or opening files unrelated to their work), which can help identify an ongoing attack. Anything an organization can do to slow an attacker’s progress increases its chances of detecting and blocking them.
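The two detection signals named above (a single session opening an unusual number of files, and a user opening files on shares their role never touches) can be expressed as simple rules over file-server audit events. The following is an added example, not code from the article or from any product it describes: the audit-line format, the role baselines, the thresholds and the share names are all constructed or hypothetical, and a real deployment would derive the per-user baseline from historical access rather than a hard-coded table.

```python
"""Flag bulk file collection and off-baseline share access in constructed
file-server audit lines.  Log format, roles, shares and thresholds are
hypothetical; an added example, not the article's or any vendor's code."""
import re
from collections import Counter, defaultdict

# Hypothetical baseline: shares each role normally works in.
ROLE_SHARES = {
    "finance":     {r"\\fs01\public", r"\\fs01\finance"},
    "engineering": {r"\\fs01\public", r"\\fs01\source"},
}
USER_ROLE = {"alice": "finance", "bob": "finance", "carol": "engineering"}

SESSION_OPEN_LIMIT = 1000   # opens in one session before it looks like bulk collection (hypothetical)
UNUSUAL_SHARE_LIMIT = 5     # off-baseline opens on one share before alerting (hypothetical)

# Constructed audit-line format: "<ts> user=<u> session=<s> action=<a> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def share_of(path):
    r"""Reduce '\\server\share\dir\file' to its share root '\\server\share'."""
    parts = path.split("\\")          # ['', '', 'server', 'share', ...]
    return "\\".join(parts[:4])


def parse(lines):
    """Yield the parsed fields of every well-formed 'open' event."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "open":
            yield m.groupdict()


def detect(lines):
    """Return alert dicts for bulk opens and off-baseline share access."""
    opens = Counter()                     # (user, session) -> number of opens
    off_baseline = defaultdict(Counter)   # (user, session) -> share -> opens outside role baseline
    for ev in parse(lines):
        key = (ev["user"], ev["session"])
        opens[key] += 1
        baseline = ROLE_SHARES.get(USER_ROLE.get(ev["user"]), set())
        share = share_of(ev["path"])
        if share not in baseline:
            off_baseline[key][share] += 1

    alerts = []
    for (user, session), n in opens.items():
        if n > SESSION_OPEN_LIMIT:
            alerts.append({"rule": "bulk-open", "user": user, "session": session, "count": n})
    for (user, session), shares in off_baseline.items():
        for share, n in shares.items():
            if n >= UNUSUAL_SHARE_LIMIT:
                alerts.append({"rule": "off-baseline-share", "user": user,
                               "session": session, "share": share, "count": n})
    return alerts


def sample_log():
    """Constructed audit lines: alice works normally, bob's account dumps a
    whole share at 2 a.m., carol (engineering) reads a handful of HR records."""
    lines = [
        r"2024-03-01T09:00:01Z user=alice session=a1 action=open path=\\fs01\finance\budget.xlsx",
        r"2024-03-01T09:00:07Z user=alice session=a1 action=open path=\\fs01\finance\forecast.xlsx",
        r"2024-03-01T09:01:12Z user=alice session=a1 action=open path=\\fs01\public\handbook.pdf",
    ]
    lines += [rf"2024-03-01T02:14:{i % 60:02d}Z user=bob session=b7 action=open path=\\fs01\finance\ledger-{i}.csv"
              for i in range(1500)]
    lines += [rf"2024-03-01T13:05:{i:02d}Z user=carol session=c3 action=open path=\\fs01\hr-records\employee-{i}.pdf"
              for i in range(6)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The bulk rule is deliberately per session rather than per day: a user legitimately touching a thousand files over a week looks nothing like an account enumerating a share in minutes. The share rule only fires after several off-baseline opens so that one stray click does not page anyone.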

Remember that data is an organization’s most valuable asset after its employees. With so many different attack vectors available today, the question is not if but when an organization’s defenses will be breached. By properly monitoring their critical data, organizations can significantly reduce the damage.
