
The Rise and Fall of the Trickbot and Conti Empires

BSides NYC · 2023 · 50:13 · Published 2023-06
Category: War Stories
Style: Talk
About this talk
In a post-mortem analysis of Trickbot/Conti gangs, I'll detail our unique view into their operations, methods, and lives. Real time access to Conti Leaks was just one of many tools in our arsenal. Our work and unique vantage point has prevented a significant portion of the gang’s crimes. This story is about our journey, process, and insights into one of the most notorious cybergangs of our time.
Transcript (en)

Good morning, everybody. I'm very happy to see everybody here, and glad to be here in New York City. I live in Milwaukee, Wisconsin, so for me it's a pleasant change of pace. Today I'm going to be talking about a very interesting topic. I'm actually talking on two topics: tomorrow I'm going to talk about pen testing, but today we're going to talk about threat intelligence. The reason why we're going to talk about threat intelligence is to really cover probably one of the most interesting events over the past couple of years: the emergence of the ransomware gangs, the merger of multiple gangs, and then the unprecedented leak of the data that was out there. Over the past year, probably the past 14 months, you have heard about the Conti leaks and additional information. So I'm going to talk about this; I'm going to talk about our insight into the gangs that were called Trickbot and Conti. The story is actually interesting, but the reason why I'm going to tell you about who we are and what we do is to give you an idea of how threat intelligence can help society, how threat intelligence can understand and prevent cyber crime.

Threat intelligence to me is not only about finding signals. It's about social engineering, its ability to find the needle in a haystack. You would see the exploration of certain cyber gangs and ransomware gangs starts with social engineering; it does not start with anything else. Then we're going to be talking about technology: the way that bad guys use technology, the way they misuse it, and the mistakes they make, so we learn more about them. And the last component of threat intelligence is artificial intelligence. Right now, over the past six months, we talk about ChatGPT and other artificial intelligence components, but let me assure you that this is just scratching the surface. Threat intelligence is based on artificial intelligence learning models
that can detect cyber crimes and stop cyber crimes before humans become aware, and bring this to the surface much faster because of signaling. So we'll take a short journey today and talk about this, but first a couple of introductions of certain terms. I'm going to use a number of different terms today for the gang. It's one single gang that we now know as Conti, but the history of it is: Emotet was a delivery infection mechanism, sending out lots of phishing emails into people's mailboxes, operated by part of the Trickbot empire. The Trickbot empire is just data harvesting, abuse of that data, and moving this into the next stage, which was the ransomware component. Initially it was the Ryuk ransomware, but when the Ryuk ransomware family stopped working properly and became very detectable, the same gang went to Conti. Conti was a ransomware gang on its own, but soon Trickbot and Conti merged into one group, initially operating separately. The reason why I'm telling you all about this is to keep in mind that it's a part of one gang that started separately but then gathered all together into one effective, unfortunately very effective, gang.

So what am I going to talk about? Discovering first how we came about knowing how to get into a gang like Trickbot. It's much more difficult to get inside the gang on the social engineering side. We see the effect of the gang on many different levels, but we see it as victims, and doing forensics does not get you any closer to the bad guys who actually commit these crimes. So how do you get inside the gang? Well, you start figuring out who is where, who's talking about certain things on the dark web. To do that we have analysts; we have dozens of analysts who spend their entire days on the dark web talking to the bad guys. We are very, very good social engineers. I am not a terrible social engineer, so if you meet me in the hallway after this I can show you lots of
tips and tricks on how to do even practical hypnosis of the bad guys over the chat. But to start with, you start very, very low. You see a couple of interesting trends of really bad guys that do reshipping, using stolen credit cards to buy goods, and they receive them in Russia and other areas where they can sell these goods for profit. Some people started abandoning that business in 2017, in 2018. We found it kind of unusual, because the business was profitable and it was not in terrible shape; nobody shut it down. The bad guys just gave it away or just completely shut down. Why? What happened? So once you start figuring it out and talking to the people, you figure out that the Emotet and Trickbot gang were heavily recruiting from 2016 to 2019, and they recruited other bad guys who abandoned their businesses because Trickbot was unfortunately much more profitable. The bad guys could make a hundred thousand dollars overnight with a very successful ransomware attack, and that's on a single target, part of a larger gang. So we noticed that some people abandoned business, and when we started talking to them they told us, hey, there is a big secret, we can actually get in on the ground level to this great gang. And really, for a ransomware gang that has its roots in 2015-2016 cyber criminal groups, and they were just extinguished last year, six years of operation, it's quite a bit of history, quite a bit of profit. So we were able to get introduced into the Trickbot gang through many different channels, but it really started with a couple of very basic channels: abandoning their old businesses, and then, once we were in, we started suggesting to the gang members, hey, I know this person, this person is great, and this person is great as well. So we actually were able to bring in other aliases, other personas, into the gang, also referring to them as, you know, very trusted producers. But how do you stay within the gang without
really committing any crimes, and really trying to learn about everything but not really doing anything bad? And we hadn't done anything bad. Well, there is a really easy trick: you talk big but you do nothing. If somebody says hey, can you help me with this: no, no, I'm busy with another bad thing. Or we come up with an agenda saying hey, we are building out this great new thing, and then when somebody takes down some infrastructure, it's on law enforcement: hey, they just took down everything we had. So we were able to run circles around these guys, build connections, get into more of an observer role in order to figure out what's going on.

One of our first encounters, once we got access to part of their infrastructure, was the Sheriff's Office in Vigo County, Indiana. It's a very, very small Sheriff's Office. I think I've been to Terre Haute, which is the part of Indiana where this is. This little Sheriff's Office was taken over by the Trickbot virus. On May 28th we detect this infection; we're actually seeing the components of their AD infrastructure showing up within Trickbot panels, and we are seeing their jail cell cameras being infected, and booking PCs and the mayor's computers, the sheriff's computers, all fun stuff. So we need to reach out immediately. We make three attempts to reach out to these guys; they just ignored us. When we reached out through a trusted third party, they ignored them as well. Finally I made a phone call to one of the reporters saying hey, there is a ransomware attack about to happen in Vigo County, Indiana, and the reporter makes a phone call to Vigo County and they tell them everything is under control, we got it, thank you for letting us know, thank you very much. That happens within the first two days. Then unfortunately, three months later, or two months later, we read in the news that Vigo County Sheriff's Office did pay ransom to Trickbot. So
this began a very long, very tenuous process of monitoring the gang, letting people know that they've been breached, companies and government institutions. I would say a great thanks to the U.S. Secret Service that worked with us for many months and years on this and took a lot of information from us, stopping a lot of cybercrime. A lot of things were disseminated through our networks, but our law enforcement was an integral part of this as well.

So how do we progress further? How do we get in much further within the gang? There are lots of different ways, but I'm going to teach you one of the most interesting ways that we've seen. First of all: one thousand and one best ideas for a present for your girlfriend. We really saw that one cyber criminal who had nearly full access to the Trickbot infrastructure, at least the reporting part, decided to go for option 537: he gave his girlfriend access to Trickbot to buy herself something nice from stolen funds. In Russia maybe it's okay for them to do these things; please don't give your significant other presents like this. But we definitely saw an interesting change, because this young lady turned out to be very entrepreneurial and very, very curious. She asked a lot of questions, and she was not very shy about sharing that information with others. So as we made friends with her boyfriend, he said hey, I gave my girlfriend access, and he introduced our personas to her, and she asked us a lot of questions and she gave us a lot of access. No idea what opsec is; thank you. But she gave us information that we need to know. So she would ask us visually, hey, what is this, and take a screenshot of her system. Well, we tell her, you know, no idea, I don't know, but she actually shows parts of the infrastructure, parts of logins, and when her boyfriend was busy she would ask for help, and she's like, hey, you know, here's my
login details to my virtual machine, can you help us out? Yes, we did. So we logged in, we got information. It's very curious that this young lady used stolen funds from the victims to buy things like squeegees for her car, things to remove scratches from the bumper of her boyfriend's car that she scratched, things for toenail fungus, other girl things. But nevertheless she was actually very informative, and the server actually became one of the most interesting early-stage access points for us to get more information out of this. So she would show information and actually keep relatively good accounting of abused devices, which you probably can't see here, but it's just a list of abused devices, the access she got, and what she did: if she was able to cash things out, use a credit card, I'm going to pass it to somebody else. Well, that was nice and good for stolen information, access to the botnet data, but what happens next? Well, now she is trying to make bigger bucks, you know, maybe buy more expensive, nicer things. So now she was introduced further into the gang, into their Jabber server, and the Jabber server administrator actually went to great pains explaining to her visually (thank you very much) how to log into the Jabber server, and giving her very important information like her password. "Kot" is Russian for cat, and her password is, you know, fancy: it's got the uppercase, a number, a special character, it's a good password, use it. So kot had the password "password", and the admin for the Jabber server had a much more complicated password, because he had the number one at the end of his password that says "password". So we were able to assert admin rights within this Jabber server for a number of years, from 2019 until the last days of the Conti gang. We had visibility into most if not all communications
within the gang that were not encrypted. We were able to get inside of their most critical communications using this and other techniques. What we call the Conti leaks was said to be an exclusive product for Hold Security, for my company, that was delivered to us every single day as the data was streaming through the Jabber servers. We had a different opportunity from a lot of folks that are here who heard about this: when the breach became public, on, I believe, February 27th of 2022, everybody started reading the data, whoever could read it and translate it, good. But we had this opportunity to interact with this data. We read this data every single day as it was happening, preventing the breaches that they discussed. You can see in the chats that a lot of things that they were planning to do didn't pan out, and a lot of them due to our work and ability to intercept that. Not only that, we had a great opportunity to use this data as conversation points. When you read history you cannot change history, but when you are seeing today's or yesterday's news you can use that knowledge to talk and ask additional questions. You can manipulate the bad guys into disclosing more information by having the inside track. So what we know as the Conti leaks was a great tool for our discovery. I'm not going to spend too much time talking about this. There are lots of parts of the Conti leaks that were not released yet. The person who is called the Conti leaker is a friend of mine; his name, his identity, will remain private until he deems to disclose himself, his identity.

But more about the operations. The operations continued, and with more visibility, more based in, we were able to see every single aspect of this gang as it was evolving. So we talked initially about Emotet; Emotet was a phishing campaign. The management panels for these phishing campaigns: they were sending out tens of thousands if not hundreds of
thousands of emails on a daily basis, and they kept statistics. They would have the knockback servers, the infection servers, the payload modifiers, and they kept very scrupulous details of how the infection rates are going. If the infection rate is too low, if the click rate is not working, they would change the email campaigns, they would change the infection agents. So this was an extremely complex component that was happening. But within the ransomware gang, the big part is ransomware itself. So how do you keep everything straight? How do you keep all the communication straight? There were tens of thousands of victims ransomed during that time, and how would you use even communication components? Now as ransomware unfortunately evolved, there are panels for ransomware negotiations. Back then there were no panels; they were just simple email components, and ProtonMail, an anonymous email server, was the de facto main component for communication between the ransomware guys and their victims. But how do you keep track of so many victims and so many ProtonMail accounts? Well, the nice guys that were really harvesting all that information asked us to keep an eye on their operations. We said that we would, and then as soon as they gave us the information: today it's too much work. But 10,000-plus ProtonMail accounts were used for the ransomware harvesting. Each account would have a complex password, each account would be unique, and you cannot aggregate that information all in one, so you would be gathering all this data through scripts into one place to see if somebody sent you a new email. From that perspective, watching ten thousand accounts was a job of two cyber criminals within the Ryuk gang. And once the account is activated, meaning a ransomware attack is happening now, there has to be a negotiation account assigned to it, the strain of ransomware, so it would be like T2-245, so it would be the type of ransomware and that
encrypted target. It would be assigned to an email address, and this email address would be used for negotiations. Even having this much information didn't help much, to us or even to law enforcement. Even though you know how the bad guy is negotiating, it's not like this account would have a password, decryption keys; unfortunately it was extremely difficult, and in very few cases we were able to obtain the decryption keys for the victims ahead of time. But from the perspective of seeing negotiations, seeing some of the internal components of that gang, we knew how to assist certain victims, we knew how to press the bad guys, and we knew their breaking points as well. But having all this information turned out to be not very useful, even from the legal perspective: entering any of these email accounts is a trespass. ProtonMail are the owners; yes, for a certain portion of time they were asked to enter those accounts, but when that permission was revoked, law enforcement cannot enter it, we can't enter it, without warrants or without legal reasons. So unfortunately not much can be done about these accounts, and quite a few of those were used for offshore ransom negotiations.

I'm going to give you an interesting story about how the bad guys perceived the ransomware attacks, how they were handling them, and how the bad guys' minds work. Believe it or not, the ransomware type of cyber crime is based on an honor system. The bad guys have to be brutally honest with their victims, what they call customers, and there are paying customers and bad customers for them. The reason why ransomware is a crime of honor is that the bad guys always need to be transparent and they cannot ever lie. The reason why victims pay is because the ransomware gang never lies to them. If they say that we're going to release data, they will release data. If they're going to destroy the decryption keys, they will destroy the decryption keys. If the victim
pays, they would never put them into double jeopardy; they would not extort them. So the victim knows that if they pay they're going to get their stuff back. So this is part of the game. This is part of the game as well: Russians unfortunately became very, very transparent, very honest about these things. The cyber criminals in China, in North Korea, and other places sometimes will cross the victims, but Russians consider this to be a crime of honor. They actually get very offended, to a point of physical violence, if somebody would suggest that they don't deliver on that promise. If you think about this, you would understand how important the consistency for that crime is. So I'm going to give you an example of something like this. In 2019: good news and bad news for Ryuk. This is in Russian, but I don't think you would be able to read it even if you could read Russian, because of the size of the screen. Nevertheless, this is a communication from one of the Ryuk bosses to the group saying that one of the cyber security firms found a weakness where in some cases the decryptor for Ryuk would not decrypt certain very, very large files; one terabyte plus files would not be decrypted using their decrypter. And they call it bad news. They say that this is bad news because it's a bug. The reason why it's a bug is that it stops the delivery of the promise, the promise to decrypt. So they take it very scrupulously and tell us terrible news, that there is a bug. But the good news is there is a fix, we rolled out the fix, all new ransomware is going to be with that fix, and second, we went through the history and no files were really subject to that bug to the best of our knowledge. So the bad guys see good news as the ability to fix that software. It's almost real software development to this degree, and from that perspective you need to get into their minds, how set the bad guys are on committing certain cyber crimes. In the time of COVID,
we've seen a number of differe