GroupSense CEO Kurtis Minder presented at last week's Colorado Airport Operators Association (CAOA) Spring Conference in Grand Junction, CO. As part of our nation's critical infrastructure, the aviation industry is prone to ransomware and cyber attacks, just like utilities, state governments, and schools. Members of the CAOA have the opportunity to take action against ransomware in their industry by taking a few small steps.
Combatting Ransomware in Critical Infrastructure
By Editorial Team on Jun 14, 2022 9:00:00 AM
Topics: Blog Events
RSAC 2022 In Review
By Editorial Team on Jun 10, 2022 9:15:00 AM
After a two-year hiatus, RSA Conference returned to the Moscone Center in San Francisco for another exciting week. GroupSense’s CEO, Kurtis Minder, and Director of Intelligence Operations, Bryce-Webster Jacobsen, presented their talk, “Dissecting the Ransomware Killchain: Why Companies Need It,” to a packed audience. Kurtis was also interviewed by Jax S. of Outpost Gray.
Topics: Blog Video Events
How to Talk to Threat Actors
By Editorial Team on May 26, 2022 10:15:00 AM
When faced with ransomware, revenue loss and damage to your organization’s reputation aren’t the only things to worry about. To reach the best-case scenario after an attack, your ransomware response team must understand how to talk to threat actors. With the right people on the team, you’re already off to a good start.
Topics: Blog Ransomware Panel
Responding and Recovering from Ransomware
By Editorial Team on May 26, 2022 10:10:27 AM
Ransomware is one of the most dynamic, constantly changing forms of cryptocurrency-based crime. As of February 2022, we’ve identified just over $720 million worth of ransomware payments in 2021 and that number keeps growing. But what happens when a business encounters ransomware?
Topics: Blog Events
Building a Ransomware Response Bench
By Editorial Team on May 12, 2022 10:30:00 AM
Old misconceptions of lone hackers sitting in dark basements are long gone and are replaced by the new wave of cybercrime-as-a-service models marking a new era. With operations like many other businesses, ransomware and other cybercrime gangs have a business structure, “customer” support, and an org chart. How can organizations communicate effectively with the threat actors that are attacking their systems with ransomware?
Topics: Blog Ransomware
The Software Won't Save You
By Editorial Team on Apr 29, 2022 10:30:00 AM
GroupSense CEO Kurtis Minder spoke at Colorado Mesa University’s Entrepreneurship Day on April 27. During his keynote, “The Software Won’t Save You,” he spoke about the genesis of GroupSense’s Ransomware practice, how attackers carry out ransomware attacks, and how each of us can help protect our own computer systems with simple cyber hygiene.
Topics: Blog
Ransomware Survival Guide
By Editorial Team on Apr 28, 2022 10:15:00 AM
Cybersecurity professionals now think of ransomware as inevitable for organizations of all shapes and sizes. With a relatively quick payoff, ransomware provides cyber criminals with a fast, reliable revenue stream. If your organization is facing an attack, it’s vital to get the first few decisions right.
Topics: Blog Ransomware
Good Cyber Hygiene is a Civic Duty
By Kurtis Minder on Apr 20, 2022 10:30:00 AM
This article was originally published on INC.com
Topics: Blog
Ransomware Groups are Getting More Sophisticated
By Editorial Team on Mar 16, 2022 2:00:00 PM
Ransomware attacks have exploded over the past few years, and ransomware groups have reinvested their earnings into their malicious businesses.
Threat actor groups have discovered a significant opportunity within the market to provide Ransomware-as-a- Service (RaaS). Much like the Software-as-a-Service (SaaS) offerings we are all familiar with, RaaS operations have employees, customer service, and a business structure to lean on. It paves the way for inexperienced threat actors to utilize the expertise of more advanced threat groups, ultimately expanding the effects of ransomware to a broader breadth of targets.
One RaaS group, Conti, became prolific over the last several years, with attack numbers above 1,000. The ransomware group is having a pretty bad month. After aligning themselves with Putin’s invasion of Ukraine, assumed Ukrainian members took the liberty of leaking months’ worth of internal chat logs and documents, revealing their internal business structure, office politics, and pay scales. GroupSense analysts have been translating and digesting the information, corroborating the intelligence with data that they have already collected on Conti through threat investigations.
Conti
Conti has successfully targeted and impacted significant players from the financial sector to the software industry, such as the Japanese electronics supplier JVCKenwood, London-based high society jeweler Graff, and the Irish health system. Last year, GroupSense threat analysts observed Conti’s tactics, techniques, and procedures (TTPs) when the group breached a client’s network and demanded ransom.
In a recent chat log leak, GroupSense learned that Conti has upper and middle management with entry-level employees that do the leg work. The separation of roles within Conti enables the employees to focus on specific parts of the cyber kill chain. Gaining initial access to the system is the most time-consuming part of the attack. It requires reconnaissance and planning, which “initial access brokers” work on over weekends. This leg work allows for more attacks and ultimately more revenue for the ransomware group.
Conti typically deploys their ransomware through targeted spear-phishing and broader phishing campaigns that contain malicious attachments or links. The attachments serve as vessels for deploying other malware that utilizes more advanced techniques. These vessels are typically called “loaders” or “downloaders,” and they will do their best to mask the actual malware such as TrickBot, or in this case, Conti ransomware.
When our client was hit with Conti last year, they hired GroupSense for our Ransomware Negotiation Services. As part of the service, GroupSense confirms that the actor returns the decrypted data before the client pays the ransom. After providing sufficient proof that the actor returned the data, our negotiator helped our client pay the ransom. Unfortunately, the story doesn’t end here.
Conti Again?
Months later, the client’s customers started receiving phishing emails on the same thread that Conti used to communicate with the client, meaning the actor had access to the old email thread. This method, called email chain hijacking, allows the threat actor(s) to send phishing emails by replying to old email threads, which tricks victims into thinking the email is
legitimate. Access to the original email thread strongly indicates that Conti could be behind a repeat attack.
The phishing emails were riddled with typos, grammar mistakes and had other pronounced signs of phishing, including mismatched sender names and addresses with a badly spoofed email domain. Typically, when Conti uses phishing as a vector, they are careful to cover their tracks and make the email look as legitimate as possible. Email chain hijacking increases the likelihood of success for phishers. Furthermore, Conti was not known to use email chain hijacking in previous attacks. With these conflicting pieces of evidence, our analyst dove deeper to find out if the phishing attack was coming from Conti or a second and unrelated actor.
Connecting the Bots
The GroupSense analyst started an investigation to compile a list of threat actors who had
historically used the email chain hijacking technique within previous campaigns. During this investigation, the analyst identified the following groups:
- TrickBot Gang
- The newly revived Emotet
- TA 551 (Shatak)
- IcedID campaigns
- QakBot campaigns
In November 2021, the intelligence community discovered that the TrickBot Gang teamed up
with TA551 to deploy Conti ransomware. In January 2022, SANS found that Emotet had reemerged with help from the TrickBot group. In February 2022, AdvIntel discovered that the Conti group had taken over the TrickBot operations.
Knowing several roads lead back to the Conti Group, the analyst deployed the malicious link in a sandbox environment. The link downloaded several pieces of malware to the device, including the IcedID loader operated by TA 551. GroupSense assessed with high confidence that the Conti ransomware syndicate was actively targeting our client’s customer base using stolen email threads.
Below are the hashes gathered upon detonation and the IP addresses that the payload contacted.
IP Addresses:
- 208.95.112[.]1
- 23.21.43[.]186
- 54.225.179[.]233
- 82.221.103[.]243
SHA-256 Hashes |
00c62ed42795f996b5f963c69ce918c2623d72896ebb628dfd9bc800514900ce |
086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa |
0cd5b187ffad353e52c996c8f5bb1f5499d42e3525a56d1787a587a00b67b491 |
0f8ced5f44da7acf761d497fbffd203cc8d213d837ca76e0c63d90bf914d2f76 |
10d8b828af4080ab9d7a4943a64960bf047637a95ac3aac046b9e7b7232943b6 |
31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06 |
51980490612ad901964738ab28951c55b2140e71e460a43bd4bc3ef80cd626b2 |
5a0b7495f961d70b1e9a5a41aaae77748f9fb042110b66ea76ef7c5757e61fa1 |
5e872715109b381c99aa19e2435628640505794e09a1998de7b92c2a5aea38e1 |
61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e |
68e37eed2e04830fce9f735d8a2ecebb19a651394f5d590581370ac5d7754d90 This one matches a ruleset for the IcedID payload |
6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658 |
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea |
6cce352f8426a6cb2d41d5d108658cfa1244f0142d6f60bc96e3c4c2904913c3 |
aa5daecee872ca7c079b5363c2ffb0a6bbb335414ac3ce2006bc18015fcd45e4 |
bc05a98d03525d3255d0e2d55edd6afb93e4b5ef7db2ff17609b541a5fce3d7d |
bdd5111162a6fa25682e18fa74e37e676d49cafcb5b7207e98e5256d1ef0d003 |
d1b9d32702d7d7a184ab4654c204e6d385a9499fde63e0b06bda60f8077a7862 |
dfc98ccf84f4551aae0f4ac0334df103e2cfeb7a55af486b68c0392fc78a5fa4 |
e39d6a57d2f16e60c4075d07741dadd6a2742a85aceb250083d7ab103279f737 |
e5a870dda2bca2b632f9aa3eee7768b5dd1498046d53af5fb6b5d5920debe27a |
f6006f75b9c9f94761370e6810cdf9bc1d2794f7a3513a9bfe119606d76d2992 |
261fcca4a1177c03c7aff8b3bcdbf4016c2a3da6674e6afb4c8a885d9784064b |
Repeat Attacks
It’s rare for ransomware groups to attack the same target twice. Because RaaS groups run like businesses, they work on similar reputational rules as legitimate companies. If a RaaS group says they will return stolen data from their victims, they are expected to keep their word. If they return the data to the victims, they can only cash out on the data once.
In this case, Conti was trying to cash out twice on the same set of stolen data. Our analysts have not seen such a brazen attack that would damage a threat actor’s reputation before.
Wider Implications
This investigation suggests that the Conti ransomware syndicate is rapidly increasing its sophistication and standing in the initial access ecosystem. This increased sophistication means that they can hit larger, more complex systems and demand even higher ransoms in the future.
Topics: Blog
The Inner Workings of the Conti Ransomware Group
By Editorial Team on Mar 4, 2022 2:24:16 PM
Earlier this week, a Ukrainian security researcher with insights into the Conti ransomware group leaked almost two years’ worth of internal chat logs. Conti is responsible for a number of high profile ransomware attacks.