- The Twitter account has disabled direct messages, so CNBC was unable to contact its owner.
- If employees eventually figure things out, Stern said, they’re offered a pay raise to stay, according to the translated messages.
- Even before the leak, Conti was showing signs of distress, according to Check Point Research.
The FBI has identified a Russian group as one of the most active ransomware groups of 2021, and it may now know what it’s like to be a victim of cyber espionage as reported by CNBC.
Business operations
A series of document leaks reveal details about the size, leadership and business operations of the group known as Conti, as well as what’s perceived as its most prized possession of all: the source code of its ransomware.
Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world.
He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years.
Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and agriculture sectors,” the bureau said.
“They were the most successful group up until this moment,” said Gihon.
Act of revenge?
In an online post analyzing the leaks, Cyberint said the leak appears to be an act of revenge, prompted by a since-amended post by Conti published in the wake of Russia’s invasion of Ukraine.
The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south,” Cyberint said.
The leaks started on Feb. 28, four days after Russia’s invasion of Ukraine.
The Twitter account has disabled direct messages, so CNBC was unable to contact its owner.
The account’s owner claims to be a “security researcher,” said Lotem Finkelstein, the head of threat intelligence at Check Point Software Technologies.
Classic organizational hierarchy
Conti is completely underground and doesn’t comment on news media the way that, for instance, Anonymous sometimes will.
After translating many of the messages, which were written in Russian, Finkelstein said his company’s intelligence arm, Check Point Research, determined Conti has clear management, finance and human resource functions, along with a classic organizational hierarchy with team leaders that report to upper management.
The messages showed Conti has physical offices in Russia, said Finkelstein, adding that the group may have ties to the Russian government.
The Russian embassy in London did not respond to CNBC’s requests for comment.
Moscow has previously denied that it takes part in cyberattacks.
Employees of the month
Conti, according to Check Point Research, also has:
- Salaried workers — some of whom are paid in bitcoin — plus performance reviews and training opportunities
- Negotiators who receive commissions ranging from 0.5% to 1% of paid ransoms
- An employee referral program, with bonuses given to employees who’ve recruited others who worked for at least a month, and
- An “employee of the month” who earns a bonus equal to half their salary
Unlike above-board companies, Conti fines its underperformers, according to Check Point Research.
Worker identities are also masked by handles, such as Stern (the “big boss”), Buza (the “technical manager”) and Target (“Stern’s partner and effective head of office operations”), Check Point Research said.
“When communicating with employees, higher management would often make the case that working for Conti was the deal of a lifetime — high salaries, interesting tasks, career growth(!),”
However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and work hours during weekends and holidays, Check Point Research said.
The hiring process
Conti hires from both legitimate sources, such as Russian headhunting services, and the criminal underground, said, Finkelstein.
Hiring was important because “perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees,” wrote Brian Krebs, a former Washington Post reporter, on his cybersecurity website KrebsOnSecurity.
Some hires weren’t even computer specialists, according to Check Point Research.
Conti hired people to work in call centres, it said.
According to the FBI, “tech support fraud” is on the rise, where scammers impersonate well-known companies, offer to fix computer problems or cancel subscription charges.
Employees in the dark
“Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group,” said Finkelstein.
“These employees think they are working for an ad company, when in fact they are working for a notorious ransomware group.”
The messages show managers lied to job candidates about the organization, with one telling a potential hire: “Everything is anonymous here, the main direction of the company is software for pentesters” — referring to penetration testers, who are legitimate cybersecurity specialists who simulate cyberattacks against their own companies’ computer networks.
In a series of messages, Stern explained that the group kept coders in the dark by having them work on one module, or part of the software, rather than the whole program, said Check Point Research.
If employees eventually figure things out, Stern said, they’re offered a pay raise to stay, according to the translated messages.
Down but not out?
Even before the leak, Conti was showing signs of distress, according to Check Point Research.
Stern went silent around mid-January, and salary payments stopped, according to the messages.
Days before the leak, an internal message stated: “There have been many leaks, there have been … arrests … there is no boss, there is no clarity … there is no money either … I have to ask all of you to take a 2-3 month vacation.”
Unlike its former rival REvil — whose members Russia said it arrested in January — Conti is still “partially” operating, the company said.
Despite ongoing efforts to combat ransomware groups, the FBI expects attacks on critical infrastructure to increase in 2022.
Did you subscribe to our newsletter?
It’s free! Click here to subscribe!
Source: CNBC