April 18, 2024
At the end of February 2022, the cybersecurity community was rocked by the appearance of alleged chat logs recording conversations between members of the prolific Russian-speaking ransomware group Conti. A Ukrainian cybersecurity researcher published over 60,000 messages allegedly taken from the backend of a Jabber server that Conti used for internal communications. Other cybersecurity researchers have since confirmed the validity of the messages. The leak contained 393 JSON files, consisting of 60,694 messages sent since 21 Jan 2021.
At the start of March, the same researcher released a password-protected archive containing an older version of the Conti ransomware source code; the archive was subsequently cracked and the source code published online. Later that month, the researcher uploaded the source code for version three of the ransomware to VirusTotal.
Conti is one of the most prolific ransomware groups currently in operation, with around 45 attacks per week on average, but it has repeatedly proved susceptible to having sensitive material fall into the wrong hands. In August 2021, a user on a prominent Russian-language cybercriminal forum published training materials and the IP addresses of “cobalt servers” that Conti allegedly used. This latest leak came after Conti’s bold declaration of support for Russia’s invasion of Ukraine, in which the group threatened to conduct retaliatory attacks on the critical infrastructure of organizations or nations that try to “organize a cyber attack or any war activities” against Russia, before editing the message to soften the rhetoric.
The leaked chat logs provide a privileged and fascinating insight into the inner workings of a cybercriminal group. It’s rare to obtain reliable primary-source intelligence about threat actors’ tactics, techniques, and procedures (TTPs), structures and hierarchies, working patterns, undisclosed victims, private infrastructure, and cryptocurrency usage. The sheer size of the data set is both a blessing and a curse: it is a huge trove of information, but reading every single message would take years. Here at Digital Shadows (now ReliaQuest), we’ve been poring over the messages and crunching some numbers. Here are some of the initial insights we’ve gleaned from the logs.
One of the most striking observations that jumped out at us from the chat logs was just how much Conti’s operations resemble those of a real-world professional establishment. Numerous messages in the data set would not have looked out of place in a genuine organization’s Slack channel. And when we did the math, we found that it’s not only the content of the messages – it seems that Conti members also follow a standard working pattern that most of us would be familiar with.
As you can see from the graph below, once we looked at the timestamps of the messages in the data set, we noticed a significant drop-off in the number of messages the group’s members sent on Saturdays and Sundays. The volume of messages sent at the weekend was roughly one fifth of a typical weekday’s volume. We also noted that more messages were sent on Friday than on the quieter mid-week days of Wednesday and Thursday. It’s conceivable that the group ramps up its pace of work on a Friday to get everything ready for a weekend with lighter staff levels.
This valuable insight into the group’s modus operandi is important context for defenders. If we know a little more about our adversaries’ working patterns, we can develop a better anticipatory sense of when attacks or ransomware negotiations are most likely to occur. While we couldn’t rule out a huge Conti effort at the weekend, it’s helpful to know that the group’s members seem to take time off to enjoy Saturdays and Sundays.
Here at Digital Shadows (now ReliaQuest), we monitor over 70 websites operated by extortion groups. Some of these facilitate the auctioning of victims’ data, while others are data-leak sites intended to pressure victims into paying a ransom as part of a double extortion attack. Each time a new victim is named on Conti’s site, our intelligence analysts release a tipper in our internal portal to inform our clients about the latest development.
In the graph below, we’ve mapped the number of these ransomware tippers reporting new Conti victims against the number of messages contained within the chat logs, by month. The data reveals a correlation between successful ransomware attacks (the points at which Digital Shadows (now ReliaQuest) analysts publish victim tippers) and message activity. The peak in attacks and increased number of victim tippers seen in November coincides with a peak in messaging activity, and both drop off at the same time. This relationship is significant because it suggests that the more victims Conti successfully attacks, the more work must go on behind the scenes to discuss tactics and elicit payments from victims.
One notable divergence from this trend occurred in July 2021, when the number of tippers decreased but the number of messages sent actually grew. A potential explanation is that Conti members were actively discussing how to respond to the increased scrutiny on extortion groups after a spate of high-profile ransomware attacks. The ransomware group REvil (aka Sodinokibi) dropped off the radar at a similar time.
Let’s take a closer look at the number of messages in the chat logs sent per month, from January 2021 through February 2022. This featured in the graph in the previous section, but it’s interesting to look at these statistics in isolation. As indicated by the graph below, the number of messages sent per month varied wildly, from a high of over 8,000 in November 2021 to less than 2,000 in February that same year.
We can only speculate about the reasons behind peaks and troughs in chat activity. In November 2021, Conti acknowledged an attack on its infrastructure in which, according to the group’s representative on a cybercriminal forum, no information about the group’s “system” or “people” was lost. The representative also claimed that all of the group’s systems had been restored and that the group was working as normal following a security audit. It is realistically possible that the record high number of messages sent in November 2021 was linked to this attack; this may have included messages initiated as part of the security audit, for example, or Conti members reacting to the controversy and trying to ascertain the extent of the damage.
We also observed Conti attempting to recruit new members in November 2021. The same forum representative put out advertisements for “networkers and access providers”, penetration testers, or individuals with access to “corporate botnets”. Perhaps the spike in activity reflects these recruitment efforts, or part of the onboarding process to welcome new members to the team and teach them the ropes.
August 2021 represents another month with a notably high number of messages sent. As we mentioned at the start of this blog, Conti was dealing with the fallout from its own leak at this point. A cybercriminal forum user shared approximately 27 GB of Conti’s “videoinstruction […] + tools”, including “RedTeaming videos, RedTeaming tools, malicious PowerShell scripts”. In a separate thread, a different user leaked Conti “training materials”, the IP addresses of Conti’s “cobalt servers”, the username and Jabber ID of the Conti “admin”, and a link to the Conti “Tor chat”. The user alleged that Conti’s operators had not been paying their recruits a high enough proportion of the ransoms extracted from victims. The increased level of activity in August 2021, compared to the surrounding months, may reflect Conti dealing with the repercussions of the leak, attempting to identify the source, and arranging mitigating measures.
Next we decided to take a look at the distribution of messages among all the different users named in the chat logs. The graph below shows the number of messages sent by each username, although we’ve removed the actual monikers for safety reasons and have only visualized users who sent at least 100 messages. Surprisingly few users reached that threshold: only 23 percent. This means that the vast majority of users who appeared in the chat logs sent a remarkably small number of messages. We can only speculate as to why these users did not get more involved: perhaps their performance was found wanting, or perhaps Conti operators and affiliates switch between many different usernames for operational security reasons.
Our analysis showed that the top 10 percent of users in the data set accounted for 80 percent of the messages sent. This indicates that there is a handful of users who play a major role in running operations, suggesting that important decisions and strategizing are concentrated in a small group. Most of the individuals featured in the chat logs play more functional roles in the Conti operation. As you can see from the graph, one user in particular stands head and shoulders above the rest, with more than 8,000 messages from this account contained within the logs. Other users repeatedly referred to this user as “boss” or “chef”, indicating that they have a leading role within the organization.
We were also interested to see when the most prolific users appeared in the logs, and whether there were any unexplained gaps in activity. The graph below shows a timeline of activity for the top ten most prolific users in terms of messages sent. Although two users had short spells of high activity before disappearing, the graph shows that many of the most active users consistently sent messages over the time period contained within the logs. This indicates that users who reach the upper echelons of the organization’s operational structure hold these positions on a long-term basis, perhaps building up their skills and expertise within the role.
Finally, we decided to look at how activity is distributed over the working day. In addition to not working weekends, as we discussed earlier, it seems that many Conti affiliates concentrate their efforts in a limited number of hours per day. Although we have no indication of the time zone in which the messages were recorded, the graph below shows that activity increases slowly between 0500 and 1200, with the peak occurring between 1200 and 1800. Given the many indications that Conti operates like a professional organization (working rules, HR policies, paid time off, and penalties for underperforming), it is perhaps surprising that we do not see consistent activity across the traditional 9-to-5 working day. Conti affiliates are almost certainly spread over a wide geographic area, so the peak we see most likely represents a crossover window in which operators in different regions are all online at the same time.
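The tallies discussed above (messages by weekday and the weekend-to-weekday ratio, messages by month, the share sent by the most active senders and the fraction of senders above a message threshold, each sender’s first and last month of activity, and the hour-of-day histogram with its 1200–1800 share) can all be reproduced from a JSON chat export with a short script. The one below is an added example, not Digital Shadows/ReliaQuest code and not a parser for the actual leak files: it assumes each file is a JSON list of objects with "ts" (ISO-8601, no time-zone suffix, since the zone of the leaked timestamps is unknown), "from" and "body" keys, and the ten sample messages embedded in it are constructed for illustration.

```python
"""Tally a Jabber-style chat export by weekday, month, sender and hour.

Added example, not Digital Shadows/ReliaQuest code. Record layout is an
assumption: a JSON list of {"ts": ISO-8601 string, "from": sender, "body": text}.
"""
import json
from collections import Counter
from datetime import datetime

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample data (2021-11-01 is a Monday); bodies are placeholders.
SAMPLE_JSON = json.dumps([
    {"ts": "2021-11-01T09:15:00", "from": "user_a", "body": "m"},  # Mon
    {"ts": "2021-11-01T13:40:00", "from": "user_a", "body": "m"},  # Mon
    {"ts": "2021-11-02T14:05:00", "from": "user_b", "body": "m"},  # Tue
    {"ts": "2021-11-03T10:30:00", "from": "user_a", "body": "m"},  # Wed
    {"ts": "2021-11-05T16:20:00", "from": "user_a", "body": "m"},  # Fri
    {"ts": "2021-11-05T17:45:00", "from": "user_c", "body": "m"},  # Fri
    {"ts": "2021-11-06T12:00:00", "from": "user_b", "body": "m"},  # Sat
    {"ts": "2021-11-08T11:10:00", "from": "user_a", "body": "m"},  # Mon
    {"ts": "2021-12-01T15:00:00", "from": "user_a", "body": "m"},  # Wed
    {"ts": "2021-12-02T15:30:00", "from": "user_d", "body": "m"},  # Thu
])


def load_messages(text):
    """Parse one export file into a list of (timestamp, sender) pairs."""
    return [(datetime.fromisoformat(r["ts"]), r["from"]) for r in json.loads(text)]


def count_by_weekday(msgs):
    """Messages per weekday, Mon..Sun, zero-filled so quiet days still appear."""
    c = Counter(WEEKDAYS[ts.weekday()] for ts, _ in msgs)
    return {d: c[d] for d in WEEKDAYS}


def weekend_to_weekday_ratio(by_weekday):
    """Average Sat/Sun volume divided by the Mon-Fri average (blog: ~1/5).
    Returns None when there is no weekday traffic to compare against."""
    weekend = (by_weekday["Sat"] + by_weekday["Sun"]) / 2
    weekday = sum(by_weekday[d] for d in WEEKDAYS[:5]) / 5
    return None if weekday == 0 else weekend / weekday


def count_by_month(msgs):
    """Messages per calendar month keyed 'YYYY-MM', in chronological order."""
    return dict(sorted(Counter(ts.strftime("%Y-%m") for ts, _ in msgs).items()))


def count_by_sender(msgs):
    """Messages per sender; Counter.most_common() gives the ranking."""
    return Counter(sender for _, sender in msgs)


def top_senders_share(by_sender, fraction=0.10):
    """Share of all messages sent by the most active `fraction` of senders
    (never fewer than one sender). The blog's figure: top 10% sent 80%."""
    ranked = [n for _, n in by_sender.most_common()]
    total = sum(ranked)
    if total == 0:
        return 0.0
    k = max(1, int(len(ranked) * fraction))
    return sum(ranked[:k]) / total


def fraction_of_senders_at_least(by_sender, threshold=100):
    """Fraction of senders with at least `threshold` messages (blog: 23%)."""
    if not by_sender:
        return 0.0
    return sum(1 for n in by_sender.values() if n >= threshold) / len(by_sender)


def activity_span(msgs):
    """First and last month each sender appears, for a presence timeline."""
    span = {}
    for ts, sender in msgs:
        m = ts.strftime("%Y-%m")
        first, last = span.get(sender, (m, m))
        span[sender] = (min(first, m), max(last, m))
    return span


def count_by_hour(msgs):
    """24-slot histogram by hour of day. Only meaningful if every timestamp
    was recorded against the same clock; the zone itself stays unknown."""
    hist = [0] * 24
    for ts, _ in msgs:
        hist[ts.hour] += 1
    return hist


def share_in_window(by_hour, start=12, end=18):
    """Share of messages with start <= hour < end (blog's 1200-1800 peak)."""
    total = sum(by_hour)
    return 0.0 if total == 0 else sum(by_hour[start:end]) / total


if __name__ == "__main__":
    msgs = load_messages(SAMPLE_JSON)
    wd = count_by_weekday(msgs)
    print("by weekday:", wd, "weekend/weekday ratio:", weekend_to_weekday_ratio(wd))
    print("by month:", count_by_month(msgs))
    bs = count_by_sender(msgs)
    print("top 10% share:", top_senders_share(bs), "spans:", activity_span(msgs))
    print("1200-1800 share:", share_in_window(count_by_hour(msgs)))
```

To run it over a real export, replace SAMPLE_JSON with the contents of each file (mapping whatever field names the export actually uses onto "ts" and "from") and merge the per-file results; Counter objects add together, so the monthly and per-sender tallies combine directly.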
Using data analysis techniques like this to provide intelligence about the dark web is just one of the ways in which Digital Shadows (now ReliaQuest) monitors threat actor activity across the cybercriminal landscape, providing unique insights to help organizations understand the nature of the threat actors looking to get access to their assets. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.