The Conti Leaks: An Unprecedented Glimpse into a Sophisticated Cybercriminal Operation
If you wanted to learn how an organized cybercriminal operation works, look no further than the threat group known as Conti. The recent leaks of the group’s chat logs have uncovered an unprecedented wealth of information and insights into how these veteran cybercriminals organize themselves. Cyber Threat Intelligence (CTI) vendors and independent researchers have spent weeks poring over the Conti leaked chat logs and have uncovered dozens of very significant findings.
One major discovery in the Conti leaks is the existence of an “OSINT Team” that gathers details on Conti’s targets. This team uses multiple techniques, as well as commercial tools, to find every piece of information about a target that will support the end goal of domain-wide Conti ransomware deployment. The OSINT Team may also engage with the targets directly (HUMINT), posing as marketing or sales people to gather details about managers, executives, and how the company operates for exploitation later.
The Conti Organizational Structure: Resembling a Legitimate Enterprise
The Conti leaks have revealed that the group’s organizational structure resembles many legitimate companies more than a criminal enterprise. Conti employed middle management and a human resources department, showcasing the level of sophistication in their operations.
The chat logs from early 2021 also revealed that Conti had trouble getting their ESXi locker to work. However, by April 2022, they were able to implement a working ESXi locker, potentially by leveraging the leaked Babuk source code after it was released in September 2021.
Babuk and the Emergence of ESXi Ransomware
The Babuk leaks in September 2021 provided unprecedented insight into the development operations of an organized ransomware group. Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware.
Over the past two years, organized ransomware groups like ALPHV, Black Basta, Conti, Lockbit, and REvil have adopted Linux lockers, focusing on ESXi before other Linux variants. They leverage built-in tools for the ESXi hypervisor to kill guest machines and then encrypt crucial hypervisor files.
SentinelLabs’ analysis identified overlaps between the leaked Babuk source code and ESXi lockers attributed to Conti and REvil, with iterations of the latter sharply resembling one another. They also compared them to the leaked Conti Windows locker source code, finding shared, bespoke function names and features.
In addition to these notorious groups, smaller ransomware operations like Ransom House’s Mario and a previously undocumented ESXi version of Play Ransomware have also used the Babuk source code to generate more recognizable ESXi lockers.
Tracing the Babuk Bloodline: Connections Between Cybercrime Families
SentinelLabs’ analysis exposed unexpected connections between ESXi ransomware families, potentially linking Babuk to more illustrious operations like Conti and REvil. While ties to REvil remain tentative, one possibility is that these groups outsourced an ESXi locker project to the same developer.
The talent pool for Linux malware developers is surely much smaller in ransomware development circles, which have historically held demonstrable expertise in crafting elegant Windows malware. Ransomware groups have experienced numerous leaks, so it is plausible smaller leaks occurred within these circles. Additionally, actors may share code to collaborate, similar to open-sourcing a development project.
The Rise of Babuk-Descended ESXi Ransomware
There is a noticeable trend of actors increasingly using the Babuk builder to develop ESXi and Linux ransomware. This is particularly evident among actors with fewer resources, who are less likely to modify the Babuk source code significantly.
Based on the popularity of Babuk’s ESXi locker code, actors may also turn to the group’s Go-based NAS locker. Golang remains a niche choice for many actors, but it continues to increase in popularity. The targeted NAS systems are also based on Linux, making the Babuk code an attractive option.
Defending Against the Evolving ESXi Ransomware Landscape
The targeted ESXi systems are critical infrastructure components for many organizations, making them prime targets for ransomware groups. As the Babuk code continues to proliferate, defenders must stay vigilant and implement robust security measures to protect these vital systems.
Strategies should include regularly updating software, implementing application whitelisting, and employing advanced threat detection solutions that can identify abnormal behavior patterns associated with ESXi ransomware techniques. Educating employees on the risks and indicators of these threats is also crucial for a comprehensive defense.
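The "kill the guests, then encrypt" sequence described earlier is what an ESXi-focused behavioral detection should key on. The following Python script is an added example (it is not code from the original article or from SentinelLabs) that reads log lines in the style of ESXi's /var/log/shell.log, which records commands typed into the ESXi shell, and raises an alert when one shell session issues a burst of guest power-off or process-kill commands within a short window, and a second alert if that session then executes a binary from an untrusted path such as /tmp. The sample log lines, the process IDs, the world IDs and the thresholds are all constructed for illustration; the log line format is an approximation and should be adjusted to the real format on the host being monitored.

```python
"""Added example: behavioral detection for the ESXi 'kill guests, then encrypt'
ransomware pattern, run over constructed shell-history log lines.

The detection does not depend on any file hash or locker family: it looks for a
burst of guest kills from one shell session, which routine maintenance rarely
produces, followed by execution of a binary from a non-standard location.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on ESXi's /var/log/shell.log
# ("<timestamp> shell[<pid>]: [<user>]: <command>"). PIDs and world IDs are
# made up. Session 2001 shows the suspicious pattern; session 2050 shows two
# unrelated power-offs 15 minutes apart, which should not alert.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z shell[2001]: [root]: esxcli vm process list
2021-09-01T10:00:05Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=100
2021-09-01T10:00:06Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=101
2021-09-01T10:00:06Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=102
2021-09-01T10:00:07Z shell[2001]: [root]: vim-cmd vmsvc/power.off 7
2021-09-01T10:00:08Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=103
2021-09-01T10:00:12Z shell[2001]: [root]: /tmp/unknown_binary /vmfs/volumes
2021-09-02T14:30:00Z shell[2050]: [root]: vim-cmd vmsvc/power.off 12
2021-09-02T14:45:00Z shell[2050]: [root]: esxcli vm process kill --type=soft --world-id=140
this line is not a shell log entry and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Built-in ESXi commands that stop a running guest.
KILL_RE = re.compile(r"esxcli vm process kill|vim-cmd vmsvc/power\.off")
# A command whose program lives in /tmp or directly on a datastore.
UNTRUSTED_EXEC_RE = re.compile(r"^(/tmp/|/vmfs/volumes/)\S+")

BURST_THRESHOLD = 3                   # kills from one shell session ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse_line(line):
    """Return a dict for a well-formed shell log line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "pid": m["pid"], "user": m["user"], "cmd": m["cmd"]}


def detect(log_text):
    """Scan log text and return a list of alert dicts in chronological order."""
    alerts = []
    recent_kills = {}   # pid -> deque of kill timestamps inside BURST_WINDOW
    burst_sessions = set()  # pids that already triggered the burst rule
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid = ev["pid"]
        if KILL_RE.search(ev["cmd"]):
            q = recent_kills.setdefault(pid, deque())
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > BURST_WINDOW:
                q.popleft()             # drop kills older than the window
            if len(q) >= BURST_THRESHOLD and pid not in burst_sessions:
                burst_sessions.add(pid)
                alerts.append({"rule": "guest-kill-burst", "pid": pid,
                               "user": ev["user"], "ts": ev["ts"],
                               "count": len(q)})
        elif UNTRUSTED_EXEC_RE.match(ev["cmd"]) and pid in burst_sessions:
            alerts.append({"rule": "untrusted-exec-after-burst", "pid": pid,
                           "user": ev["user"], "ts": ev["ts"],
                           "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed input the script raises two alerts, both for session 2001: a guest-kill burst when the third kill lands within one minute of the first, and the untrusted execution that follows it. Session 2050 stays quiet because its two power-offs are outside the window. In production the thresholds should be tuned against a baseline of normal maintenance activity, and the same logic can be fed from syslog forwarding rather than from the local file, since a locker that runs as root can tamper with logs on the host.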
By understanding the connections between cybercrime families and the evolution of Babuk-descended ESXi ransomware, organizations can better prepare themselves to withstand the escalating attacks targeting their virtualized infrastructure. Staying informed and proactive is key to safeguarding against this persistent and adaptable threat.
Conclusion: Uncovering the Anatomy of a Cybercrime Empire
The Conti leaks have provided an unprecedented glimpse into the inner workings of a sophisticated cybercriminal organization. From their OSINT team to their organizational structure, Conti’s operations resemble that of a legitimate enterprise more than a typical criminal syndicate.
The emergence of Babuk-descended ESXi ransomware further highlights the adaptability and persistence of cybercrime groups. As they continue to evolve their tactics and exploit vulnerabilities in critical infrastructure, organizations must remain vigilant and implement robust security measures to defend against these evolving threats.
By understanding the insights uncovered through the Conti leaks and the broader trends in ESXi ransomware, IT professionals can better prepare their organizations to withstand the onslaught of cybercrime. Staying informed, proactive, and adaptable is the key to navigating the ever-changing landscape of cybersecurity threats.
To stay up-to-date on the latest cybersecurity news and insights, visit the IT Fix blog regularly. Our team of seasoned IT experts is dedicated to providing practical tips and in-depth analysis to help organizations strengthen their defenses against evolving cyber threats.