Google: initial access brokers work to help Conti ransomware group

Tactics of the access broker working with Conti and Diavol ransomware gangs exposed

[Image: Conti operations related to Exotic Lily initial access broker business]

Google's Threat Analysis Group reported that financially motivated threat actors work with the Conti ransomware gang and other hackers. A malicious group named EXOTIC LILY is an initial access broker closely linked to Conti and Diavol ransomware attacks.[1] The Russian cybercrime group responsible for these ransomware distribution methods has been exploiting various flaws and running phishing campaigns to spread the malware.[2]

Google's report indicates that the group has already distributed this infection by exploiting a critical flaw in the Microsoft Windows MSHTML platform.[3] This was part of a phishing campaign involving 5,000 business proposal emails per day. The attack targeted at least 650 organizations worldwide.

This campaign prompted Google's research team to begin its analysis. The investigation determined that the initial access broker[4] uses large-scale phishing campaigns to gain access to corporate networks; that access to company systems can then be sold to ransomware gangs.

Extensive phishing campaigns and the new business model

Initial access brokers are opportunistic criminals who specialize in breaching a targeted system so that the access they obtain can be sold to the highest bidder. This group started its activities in 2021. The first indications of its operations reportedly go back to September and involve data exfiltration and deployment of the human-operated Conti and Diavol ransomware variants.

The hackers operate like a business: custom business proposal templates are created, and malware payloads are uploaded to legitimate file-sharing services to be shared with potential targets. The attack chain also has a particular form. It starts with the registration of a spoofed domain; emails are then sent from that domain to build a relationship with the target; finally, the attack is launched by sharing the payload via a file-hosting service link.

The unusual thing about these operations is that the actors work from 9 am to 5 pm EST on weekdays; activity during the weekend is also logged. It might seem odd for cybercriminals to keep such a schedule, but earlier analysis has shown that many threat actors run their operations with days off. They also report to superiors, have managers, and receive salaries for their work.[5]
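To show how a defender could turn the indicators described above (a look-alike sender domain, a payload link on a file-sharing service, and the weekday 9-to-5 EST working pattern) into mail-gateway triage logic, here is an added Python example that is not part of the original article or of Google's report; the partner domains, file-hosting domains and log records are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed allowlist of partner domains the organisation legitimately corresponds with.
KNOWN_PARTNERS = {"acme-consulting.com", "northwind-legal.com"}
# Assumed list of file-hosting domains (the report only says "legitimate file-sharing services").
FILE_HOSTS = {"wetransfer.com", "we.tl", "onedrive.live.com"}
EST = timezone(timedelta(hours=-5))  # fixed offset; ignores daylight saving for simplicity
# Constructed sample gateway records (not from the report): UTC timestamp, sender, link in body.
SAMPLE_LOG = [
    ("2021-11-16T15:30:00+00:00", "j.doe@acme-consultng.com", "https://wetransfer.com/downloads/x"),
    ("2021-11-16T15:45:00+00:00", "legal@northwind-legal.com", "https://northwind-legal.com/contract.pdf"),
    ("2021-11-14T03:10:00+00:00", "sales@acme-consulting.co", "https://we.tl/t-abc"),
]

def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to spot look-alike (spoofed) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the partner domain this sender domain imitates, or None if it is exact or unrelated."""
    for partner in KNOWN_PARTNERS:
        if domain != partner and levenshtein(domain, partner) <= 2:
            return partner
    return None

def score_message(ts_utc: str, sender: str, url: str) -> dict:
    """Combine the three weak indicators into one verdict; two or more hits mark the mail suspicious."""
    domain = sender.rsplit("@", 1)[-1].lower()
    host = re.match(r"https?://([^/]+)", url).group(1).lower() if url else ""
    when = datetime.fromisoformat(ts_utc).astimezone(EST)
    reasons = []
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain resembles partner {imitated}")
    if host in FILE_HOSTS:
        reasons.append(f"payload link hosted on file-sharing service {host}")
    if when.weekday() < 5 and 9 <= when.hour < 17:
        reasons.append("sent during 9-5 EST weekday window")
    return {"sender": sender, "suspicious": len(reasons) >= 2, "reasons": reasons}

def triage(log=SAMPLE_LOG):
    """Score every record; returns a list of verdict dicts in log order."""
    return [score_message(*rec) for rec in log]
```

The timing indicator is deliberately weak on its own (legitimate business mail also arrives in office hours), which is why the verdict requires two hits.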

Connection to Conti ransomware operations

These EXOTIC LILY operations overlap with Conti ransomware activity, and the research team believes the group focuses on establishing network access. The report notes:

"While the nature of those relationships (with other groups) remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors."

The recent leak of Conti's internal messages reveals that it is a business with dedicated departments, defined roles and coordination. The ransomware operators have also been using major malware families such as TrickBot, Anchor and BazarBackdoor in their attacks.

It was even reported that Conti entirely controls the development of the TrickBot malware family, and the leaked conversations confirm the link between the two. It is believed that Conti might also have teams that run high-level spear-phishing campaigns to obtain initial network access, but the lack of conversations about such spamming indicates that these operations are more likely linked to external actors.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
