Meet the hacker gangs fighting over billions in ransoms

by

The year 2022 began with an unusual turn in the world of cybersecurity: two of the world's main gangs specializing in digital extortion suffered setbacks.

The Conti group, which made millions in profit last year, had internal conversations and documents exposed on the internet. The case came shortly after the arrest of some of the heads of another big gang, REvil.

Although the activities of these criminals have not completely ceased, the blow creates room for power struggles in the area.

Conti and REvil, both suspected of being based in Russia, specialize in ransomware: malicious programs (malware) that block access to data and computer systems, typically by encrypting them.

The criminals then charge a fee, to be paid in cryptocurrency (usually bitcoin), to restore access.

Conti is responsible for the most profitable variant in the history of this type of malware, and REvil led in detected attacks in 2021.

Ransomware attacks have been on the rise in recent years. With increasingly professional organizations and more sophisticated techniques, criminals have seen their revenue soar in recent months.

Data released on March 24 by Unit 42, the research division of cybersecurity company Palo Alto Networks, places Brazil ninth globally in the number of companies victimized by ransomware.

The attacks, experts interviewed by Folha point out, come from all sides: from people with little technical capacity to large groups active worldwide. Both Conti and REvil operate in the country.

Conti's near-implosion came with the war between Russia and Ukraine.

Conti expressed support for Russia in the conflict; some competitors sided with Ukraine, and others declared themselves neutral because they were only interested in money. This caused a rift in the team and prompted leaks of documents and internal chats that offered a rare look inside the gang.

Besides showing that its operation was structured like a company, the leaks revealed negotiations with previously unknown victims, indicating that ransoms were paid.

In these conversations, Conti members reveal a careful analysis of victims' balance sheets to determine the amount to charge for the ransom. The gang's audacious plans also surface: the leaked documents even show a conversation, perhaps not entirely serious, about opening a casino.

Group extorted around BRL 850 million in one year

Lack of money would not thwart such plans; raising it is what Conti excels at. Analysis by Chainalysis, which specializes in cryptocurrency data, shows that Conti received US$180 million (approximately R$850 million) from extortion in the last year.

"Conti would not attack a victim without US$100 million in reported profits, which usually means companies listed on the stock exchange. If they gained access to the network of a company with lower profits, they would not complete the attack," explains Fabio Assolini, a researcher at cybersecurity firm Kaspersky.

"In Brazil, we see medium and large companies being attacked by different groups, those that aim at everything, and others that are more surgical [like Conti]."

The criteria used by different groups may not be exactly the same, but the case illustrates how these gangs are structured, and there are several others at work.

Even Conti was not much deterred by the leaks and has been seen in attacks in recent days, according to an analysis by the specialized cybersecurity consultancy NCC Group.

For Assolini, the blow against Conti creates a temporary vacuum in ransomware, especially since it comes right after another major group, REvil, saw members arrested in Russia in January. REvil was the gang with the highest volume of attacks detected in 2021, according to an IBM report.

Assolini reckons that other gangs will try to occupy the space, and these same criminal organizations will return in the future under other names.

Legal punishment for these groups, as happened with REvil, is rare: many of them have members in several countries, or deliberately target nationalities other than their own, which means prosecution requires international cooperation.

With that in mind, some authorities have started to change the way they act against these groups, focusing on helping companies defend themselves rather than trying to find out who they are and punish the attackers, as well as tightening laws to deal with these cases.

What to do to defend yourself

Defending against ransomware starts with properly configuring internet-facing services, such as remote access to computers or VPNs.

"Avoid exposing things directly on the internet," says Daniel Barbosa of cybersecurity firm Eset. In other words, do not rush when connecting services: avoid default settings (and passwords), and use mechanisms that require a step beyond the password to gain access to systems, a procedure known as multi-factor authentication.

In addition, the expert recommends care with access management (who can enter which system). This measure is particularly important against RaaS, ransomware as a service, in which affiliates rent the malware from its developers and carry out the intrusions themselves, often starting from stolen or weak credentials.

It is also important to segregate the firm's internal networks. "Keep server networks separate from workstations," explains Barbosa, with the caveat that the bridges connecting these networks must not be left open.
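The checklist in the last three paragraphs (no remote-access services exposed directly to the internet, no default passwords, MFA on remote access, and only explicitly approved bridges between the workstation and server networks) can be turned into an audit that runs over an inventory. The script below is an added example and not code from the article or from any of the firms quoted; the service inventory, firewall rules, port list and allow-list are all constructed for illustration.

```python
"""Added example (not from the article): audit a constructed inventory of
internet-facing services and internal firewall rules against the hardening
advice quoted in the text. Every host, rule and port below is made up."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Remote-access / file-sharing ports that should never face the internet directly.
RISKY_EXPOSED_PORTS = {3389: "RDP", 445: "SMB", 5900: "VNC", 23: "Telnet"}
# Service kinds whose logins must require a second factor when reachable remotely.
REMOTE_ACCESS_KINDS = {"rdp", "vpn", "ssh", "rdweb"}
# Vendor default logins that must never survive deployment (constructed list).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


@dataclass
class Service:
    host: str
    port: int
    kind: str                      # "vpn", "rdp", "https", ...
    internet_facing: bool
    mfa: bool = False
    credentials: Optional[Tuple[str, str]] = None   # known static login, if any


@dataclass
class Rule:
    src_net: str
    dst_net: str
    dst_port: Optional[int]        # None means "any port"


def audit_exposure(services: List[Service]) -> List[str]:
    """Findings for services that violate the exposure/MFA/default-password advice."""
    findings = []
    for s in services:
        if s.internet_facing and s.port in RISKY_EXPOSED_PORTS:
            findings.append(f"{s.host}:{s.port} exposes {RISKY_EXPOSED_PORTS[s.port]} directly to the internet")
        if s.internet_facing and s.kind in REMOTE_ACCESS_KINDS and not s.mfa:
            findings.append(f"{s.host}:{s.port} ({s.kind}) allows remote access without MFA")
        if s.credentials in DEFAULT_CREDS:
            findings.append(f"{s.host}:{s.port} still uses default credentials {s.credentials[0]}/{s.credentials[1]}")
    return findings


def audit_segmentation(rules: List[Rule], allowed_bridges: Set[Tuple[str, str, int]]) -> List[str]:
    """Flag workstation->server rules that are not explicitly approved bridges."""
    findings = []
    for r in rules:
        if r.src_net != "workstations" or r.dst_net != "servers":
            continue                                   # only the segregation boundary matters here
        if r.dst_port is None:
            findings.append(f"{r.src_net}->{r.dst_net}: any-port rule collapses the segmentation")
        elif (r.src_net, r.dst_net, r.dst_port) not in allowed_bridges:
            findings.append(f"{r.src_net}->{r.dst_net}:{r.dst_port} is not an approved bridge")
    return findings


# Constructed sample data.
SAMPLE_SERVICES = [
    Service("vpn.example.test", 443, "vpn", internet_facing=True, mfa=False),
    Service("fs01.example.test", 3389, "rdp", internet_facing=True, mfa=True, credentials=("admin", "admin")),
    Service("www.example.test", 443, "https", internet_facing=True),
    Service("jump01.example.test", 22, "ssh", internet_facing=False, mfa=False),   # internal only
]
SAMPLE_RULES = [
    Rule("workstations", "servers", 443),      # approved bridge
    Rule("workstations", "servers", None),     # the "open bridge" Barbosa warns about
    Rule("workstations", "servers", 3389),     # not on the allow-list
    Rule("servers", "servers", 5432),          # not across the boundary, ignored
]
ALLOWED_BRIDGES = {("workstations", "servers", 443), ("workstations", "servers", 445)}


def run_audit() -> List[str]:
    return audit_exposure(SAMPLE_SERVICES) + audit_segmentation(SAMPLE_RULES, ALLOWED_BRIDGES)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the constructed data the audit reports five findings: the VPN without MFA, RDP exposed directly, default credentials on the same host, the any-port rule between the two networks, and the unapproved RDP bridge. The internal SSH host is not reported, because the MFA check here only applies to internet-facing services; in a real audit you would feed the inventory from your scanner or CMDB rather than hard-code it.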

He also recommends care in choosing the security tools deployed. "It's no use using something that the employee himself can disable," he says.

The state of the art in these defenses is the adoption of the so-called "zero trust" model, a set of security rules that encompasses all the steps described by Barbosa, and more.

In it, access to company systems and data is limited to what each person's function requires. In addition, people must continually verify their identity to reach services, even when using a computer inside the company's building: being on the office network is not, by itself, a reason to be trusted.
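The two ideas in that paragraph, least privilege and verification that ignores where the request comes from, fit in a small access check. The code below is an added example, not part of the article or of any vendor's product; the roles, resources, session fields and the eight-hour re-authentication window are all assumed for illustration.

```python
"""Added example (not from the article): a minimal zero-trust style access
decision. Every request is judged the same way whether it comes from the
office LAN or from home: the session must be MFA-backed and fresh, and the
role must explicitly grant the resource. Roles, grants, session fields and the
re-authentication window are constructed assumptions."""
from dataclasses import dataclass
from typing import Tuple

# Least privilege: each role lists only the resources its function needs (constructed).
ROLE_GRANTS = {
    "finance": {"erp:read", "erp:write"},
    "helpdesk": {"tickets:read", "tickets:write", "ad:reset-password"},
    "developer": {"git:read", "git:write", "ci:run"},
}
MAX_SESSION_AGE_S = 8 * 3600   # assumed policy: re-verify identity at least this often


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    authenticated_at: int      # unix time of the last successful verification
    source: str                # "office-lan" or "internet"; deliberately never consulted


def authorize(session: Session, resource: str, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason). Network location never grants access."""
    if not session.mfa_verified:
        return False, "mfa required"
    if now - session.authenticated_at > MAX_SESSION_AGE_S:
        return False, "session expired, re-authenticate"
    if resource not in ROLE_GRANTS.get(session.role, set()):
        return False, f"role {session.role} is not granted {resource}"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000                        # constructed clock value
    cases = [
        (Session("ana", "finance", True, now - 600, "office-lan"), "erp:write"),
        (Session("ana", "finance", True, now - 600, "office-lan"), "git:write"),
        (Session("bob", "developer", False, now - 60, "office-lan"), "git:read"),
        (Session("bob", "developer", True, now - 10 * 3600, "internet"), "git:read"),
    ]
    for sess, res in cases:
        print(sess.user, sess.source, res, "->", authorize(sess, res, now))
```

The check is the same function for every source; an attacker who phishes a password and lands on the office LAN still hits the MFA and role checks, which is the practical difference from a perimeter model where being inside the building was enough.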

Historically, cybersecurity experts recommend that companies have good defenses and a good plan for reacting to an incident, and that they not pay ransoms to criminals to restore access.

"There are no guarantees of a return to normality," says Flavio Silva, information security coordinator at Trend Micro Brasil. He also warns that even after payment and the return of the systems, the hackers can continue with extortion attempts, for example demanding payment not to leak stolen data.

Daniel Bortolazo, systems engineer at Palo Alto Networks, recommends starting your defense strategy with a business impact analysis. In which areas would a loss of data be most damaging? Which sector could lead to a more acute image crisis if compromised?

With this, it is possible to prioritize defenses and even apply zero trust only in specific areas, since a large-scale implementation is costly and time-consuming.

Bortolazo also raises a warning about the return to offices. With the pandemic and employees working remotely, IT efforts naturally turned to protecting an environment with people working from home. "But the evolution of the institution's security stood still for two years," he says.

Defenses now need to account for greater employee movement in hybrid models. "I have a laptop that goes home, comes in through remote access that has security on arrival, but will also come back to the office from time to time," he says. "There is an unknown there in the new attack possibilities that will appear."
