You're listening to the Cyber Wire Network, powered by N2K. cyberwire.com for more information. And make sure you stop by the studio and meet the N2K CyberWire team. We'll see you there. AI is making phishing attacks faster, more convincing, and harder for people to spot, and traditional security awareness and phishing training weren't designed for this level of attack. Hawks Hunt helps security teams prepare employees for the attacks they face every day with personalized phishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hawkshunt.com slash cyberwire to learn more. That's h-o-x-h-u-n-t dot com slash cyberwire. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Well, firstly, as a lot of your listeners will know, Conti were at one stage the preeminent ransomware group in the world. But the thing that really appealed about Conti was that, for reasons I'm sure we'll go into in this podcast, a huge trove of their insider internal secret communications was leaked onto the internet, just publicly leaked. We're talking something in the order in the end of 350,000 messages. That's Jeff White, BBC journalist and host of Cyberhack. Today we're taking a deep dive into his research into the Conti ransomware gang. And the reason that's so of interest to someone like me, sort of an investigative journalist, is that to tell a story, you really need three things. You need a victim and a villain and a hero. That's the classic thing. Now, heroes often want to tell their story when they've had a good experience. victims increasingly we can convince them to talk and to talk about what's happened to them but villains actually hearing from villains is quite hard you get sometimes people who've used to be a villain but have now gone straight who can talk about it or someone maybe who's in prison who got caught what's amazing about these leaks from inside conti is it was the villains talking at the time they were doing the crimes when they had no idea these communications were going to be public in the end you you really get to feel like you're inside the room with the the guys. It's incredible. It really is incredible. How do you go at such a huge trove of information here? How do you organize it and make it digestible? The simple answer is you don't and you can't. And that's one of the frustrations of this. I mean, look, I know what your listeners will be thinking. You're maybe thinking it yourself, Dave, as well. Just use AI. You know, use AI. It'll sort it all out. There's a couple of problems with that. I mean, firstly, it's a vast trove of information. I mean, 300,000 messages. I don't know how much it would cost to put that all into an AI engine, but I don't have that money. The other thing is that this is all, because the Conti gang were largely based, or at least the leadership's largely based, we believe, in Russia, these chats were all in Cyrillic. Now, translation engines do not do well with Cyrillic. So one of the examples is, you know, in the leaks, they keep talking about the cue ball, you know, like a sort of snooker or pool or, you know, billiards ball. And I couldn't understand why they kept talking about cue balls all the time. And it turns out it's a mistranslation in Russian. Bitcoin is Bitcoin, but the N in Cyrillic looks like a V. So when the translations and engines translate it, they translate it as bitkov, which is cue ball. So immediately you start to run into problems. And the other thing, of course, is these guys are using hacker slang, criminal slang. So again, they keep talking about the grandmas in the conversations, who's got the grandmas. And I couldn't understand why they're all obsessed with their grandmas. But then it turns out that in Russian, obviously, grandma's babushka. And there's some word, I forget the exact word, but something like babio or something, which means cash or money. So whenever they talk about who's got the grandmas, they're talking about who's got the money. So immediately just using an AI engine just wouldn't work. And the other thing is for me, as an investigative journalist, I want to get up close and personal with these guys. I really want understand who they are. And it's only once you've read, and I've read, I think I'm up to 47,000 of these messages so far. It's only when you're at that stage that you really feel like you know them, you understand them, you hear their voices and who they are. It's almost like you have to contend with Cockney rhyming slang. It's very similar. I watched a film yesterday about a very famous jewelry heist in the UK, the Hatton Garden Jewelry Heist, which was perpetrated by some very old school crooks who talked in cockney rhyming slang. And yeah, you're exactly right. It's not just all crime gangs. Lots of organizations have their own internal language, but it's very similar. Yeah. Well, let's talk about the organization itself. As you dug into these chats, what picture emerged of how Conti actually operates day to day? Again, it's fascinating reading through these chats because yes, there is gossip about what they're going to spend their money on. And there's a lot of bitching goes on, a lot of backbiting goes on in the Conti organization. Hackers can be quite bitchy people. But really what they're doing fundamentally day to day is trying to work out how they can expand and scale and develop their business. I have a theory about Conti, which is that, and actually a lot of ransomware gangs, these are not stupid people. I mean, ransomware is not an easy thing to do by any stretch of imagination. To wake up as an intelligent person every day and extort people is hard because you have to really get close to your victim. You've got to really put some pressure on them. I don't think intelligent people are easily able to do that. So I think what happened with the Conti gang is they ended up, certainly some in the team, reframing what they did as business. It's like, okay, I have a client list. I've got to hit my client list today. I've got to negotiate with this person. I've got to meet that person. I'm juggling this client. It just, being a business was a way to scale it and make money. But being a business was also a way, I think, psychologically to just keep doing this quite horrible task day in day out And so that what they obsessed with And it was mundane stuff I mean I be honest with you Dave one of the main things that they talk about obsessively day in day out is recruitment They cannot get enough people through the door They can And there some solid logistical reasons for that. They can't advertise what they're doing openly. They can't say, do you want to join a ransomware gang? Put that on monster.com or Indeed or whatever. So they had to be quite cagey. And immediately, as soon as they reveal that this is actually something quite dodgy, half the candidates just disappear. They don't want to work for crime gangs. So they have to recruit loads and loads of people initially, because at the end of the process, they're only going to end up with a fraction of those people really being able to work and work properly. So they're just obsessed with getting bums on seats. It's really interesting. And how much they pay these people, what they tell them, whether staff management issues occupy a lot of time for Comte. What does the power structure look like internally? How are they organized? That's a really good question. And there is, and we explore this in the podcast, definitely a central power structure. So the man who's behind all of this goes by the hacker nicknamed Stern. Stern was the boss. Stern had the money. We can go into who he is alleged to be and why he's got money in a bit. But he's also got some junior people. There's a guy called Mango, who's kind of like the office manager. There's a guy called Professor, who as the name suggests, he does a lot of the coding. He regards himself as a sort of champion coder. And so there's all those people internally. But what Conti struggled with, and one of the things that ended up helping Conti's demise, if you like, was that it was a numbers game. The more victims they hit with ransomware, the more money they made. So what they turned to was the affiliate network effectively franchising out the operation, making their malware available for other people to use. At that point, that central team of people loses control of the brand. In the same way that McDonald's has to keep a careful eye on what all its managers are doing so that the McDonald's brand is still reputable. All those McDonald's restaurants are all run by individual managers, their franchises. Conte was a bit the same, but they weren't able to do it to the extent that McDonald's were able to do it. Because juggling these people and controlling these affiliates became a huge headache. So you've got a tight central structure, a tight product. But in trying to scale it, they ran into the problems franchise operation runs into. Well, let's talk about the boss. Who do you suppose was behind this? As I say, there's a hacker nickname called Stern. We see from the leaked chats from within Conti that we've been through, we see Stern as being the boss. He's the guy with the money. Always a shadowy figure. Doesn't say a lot in the chat. is very terse, I'd say very Russian in his communications, doesn't say a lot. Why use five words when one word will do? But he's clearly in charge. Now, when the leaks started happening, and these leaks from Conti came out in the wake of the war against Ukraine, when Russia reinvaded Ukraine in 2022, someone in the gang was clearly sympathetic to the Ukrainian side. Conti declared their support for Vladimir Putin's special operation, as he called it, And someone in the gang did not like that. So that's how these chats get leaked. Someone, a Ukraine supporting person with access to the chats, leaks the whole lot. So we see Stern in those conversations. Obviously, it wasn't just journalists and researchers looking at those chats. Every law enforcement agency worth its salt was downloading the Conti leaks and trying to work out who was involved here. German police, the BKA, the German sort of federal police, looked into this. They put this information together with intelligence they had, And they came out with a name, a man called Vitaly Kovalev, a Russian guy in his 30s, who they claim is the true face of Stern. We have got actually quite a lot of information about Stern as part of the podcast. We rummaged out videos on the internet where he appears. And it's quite disconcerting because he, you know, in the podcast, I've sort of said, look, Stern is the kind of guy, he looks like the kind of guy who if you had a car crash or your car needed to push and you were looking around for somebody to help you, Stern looks like the kind of guy who'd helped push your car. He looks very friendly and cheery. But actually, he's alleged to be behind this giant crime ring. It's a very disconcerting thing seeing him face to face. Did we have any insights on his background and how he came to be in this position? Well, yes. So it's interesting. I'm sure you found this, Dave, with cyber stories. They kind of get sometimes put together in hindsight. so one thing happens and then another thing happens and you end up looking back down the telescope. But what we believe about this character Vitaly Kovalev who went on to become Stern is that he's got, according to law enforcement agencies, a very long career in cybercrime. Starts out as part of a group called Zeus who again you and your listeners may be familiar with the malware from way back when. Kovalev is accused of being part of the laundering network around Zeus. Was working in the US around the time under the nickname Bentley. and effectively got his start, I think, there. That's the accusation against him. And then goes on to set up his own gang and then eventually goes on to head up Conti. So that's the sort of genesis, certainly putting the pieces together from the BKA, the Department of Justice in the US and the National Crime Agency in the UK. That's the timeline they sort of see. And so you see this very, very long, decade-long career, if those allegations are correct, in crime. Do you have any sense for how the leadership of this group maintained order? What could they hold against someone? In terms of their victims, you mean, or their employees? The employees. Well, the employees, it's really interesting in that they have a certain amount of power because they are creating the malware. I mean, fundamentally, at the heart of any ransomware operation is the ransomware, the encryption software. And what's interesting is my impression of those guys is they're coders. They exist to write very, very good code that encrypts lots of data very quickly. That's your job. But getting that ransomware onto a system, well, that involves sending phishing emails, potentially carrying out, you know, lagging operations where you phone up help desks and trick them into installing it. You know, there's a whole sort of phishing, social engineering side of this. The coders in ransomware gangs are not necessarily the best at that. So they outsource it, and this is the affiliate network, they outsource it to others. And in terms of the control they exert, it's interesting. There is, and I'm sure you've, this is not news to you, there's a sort of pendulum swing that goes back and forwards in terms of power between the affiliates and the ransomware operators. The ransomware operators need the affiliates to spread the stuff, but the affiliates, they're the ones who actually end up infecting the victims and making the money. And actually the split of money, I think, reflects that. Often we've seen a split of money, 80% going to the affiliate and 20% going back to the ransomware gang. That implies to me that the powers on the affiliate side and the ransomware gangs are in a competitive marketplace. In fact, one of the gangs I was reading about today, Brian Krebs has been blogging about this, the Gentleman Ransomware Group, was offering 90% to the affiliates. So there a marketplace And you see this in the chats You see this in the Conti chats They talking about how much other gangs are offering what split they offering can we compete It a competitive marketplace We'll be right back. This episode is supported by Black Hat USA. If you follow the research, you know a lot of it breaks on Black Hat stages. hundreds of peer-reviewed briefings, more than 100 hands-on trainings, and the largest business hall in Black Hat's history. Six days to learn the skills you'll need tomorrow, August 1st through the 6th. Use code CyberWire for $200 off your briefings pass at BlackHat.com. We'll see you in Vegas. One of the fascinating elements of your research involved the internal debates about targeting healthcare organizations. Take us through that. Yes, healthcare obviously is a very contentious target. This is the point where cybercrime turns very, very real-world effects indeed. In the UK, we had in the past year the first confirmed death as a result of a ransomware attack. For the family that lost their family member, the idea that a cyberattack took your relative's life away, that's a horrific thing to contend with. And even if not that, we've seen operations, very, very, very, very sensitive operations and very sought after operations, you know, being rescheduled. So it's not just the deaths, it's the suffering of people and the psychological suffering. So healthcare is contentious. I think there's this sense that, oh, all these ransomware gangs don't care. They'll just hit hospitals. They've hit hospitals before. From what we see in the Conti leaks, it's not that simple. There's a very wide range of opinions all the way from people who, you know, in the case of some people in Conti, one particular guy called Target was extremely aggressive and basically deliberately hit hospitals during the pandemic, knowing that at that stage, it was likely those hospitals would want to pay up. But you see all the way at the other end, you see other operators saying, we don't hit healthcare. Now, questions about why that is, you know, is that a moral outlook, an ethical standpoint? Or do they just realise that if you attack a hospital, you're going to have a target on your back from every law enforcement agency in the world. I don't know. I don't know. I think it's probably a bit of both. But healthcare certainly is an interesting one for them. And the other thing is that certainly in the UK, very unlikely a healthcare operator in the UK would pay up. I mean, we have the National Health Service. They generally don't pay. But obviously in the US, where I think you are, Dave, there are private hospitals who will pay. So again, knowing the nuances of the territory you're attacking, that's not always something that ransomware gangs? No, I think. There was another incident involving the Saudi royal family. Share that with us. Yes, this was an astonishing moment in the evolution of Conti. The Conti gang broke into a jeweler called Graff, the famous Graff Diamonds Company, who sell obviously jewels to all sorts of very, very rich, famous people around the world. Conti did what they always do, which is scramble Graff's data and then steal a bunch of data. The reason for that is if victims refuse to pay up to have their data unscrambled, Conti would simply say, well, you may not want your data unscrambled. Maybe you've got a backup, but we've also got your data and we'll leak it onto the internet if you don't pay. This is a double extortion technique. Exactly what they did to Graf. Graf played hardball, did not want to pay. So Conti decided they would put the squeeze on the victim and they would start leaking some snippets of Graf's customer data that they'd stolen. In that was data about famous people. Donald Trump, David Beckham apparently were in there. The Daily Mail wrote an article about this in the UK. Now, what the gang had not realised, Conti had not realised, was in amongst the data leak that they put out was data about the Saudi royal family. Now, there were people in the world that you want to upset and there were people that you don't. I would definitely put the Saudis in the latter camp. We don't know what happens next. What we do know because of the leaks is that the Conti gang really, they really got scared about this. There's talk about the fact you could be disappeared, you know, as a result of this. You've upset some powerful people. They won't like this. We then get an apology from the Conti gang to the Saudi royal family individually, saying we're very sorry for any inconvenience caused. They then thanked the Daily Mail for pointing this out, which came as a big shock to the Daily Mail journalist. And then the Conti gang said, we're very sorry, we will of course delete the Saudi royal family's data. Now, thanks to the leaks, we know they did no such thing. And in fact, there's a brilliant snippet, which was rummaged out by actually a private tech security firm called Syjax, who went through some of the leaks with us and helped us with it. And they found this great snippet where one of the gang members talks about the Saudi leak and says, we can shake and shake with the shakes. I.e., they've got the shakes, the Saudi shakes data, and they will shake them down later on. They will hang on to this data. So when they tell you they delete your data, these ransomware gangs, they're almost certainly lying. well one more specific story there was an arrest in miami that got the gang's attention what was going on there yes so again the gang had to recruit and they had to be quite careful about how they recruited and and with any organized crime enterprise you have a challenge about how many people you tell because the more people you tell the more vulnerable you are so they would recruit people as sort of techies and coders initially and then gradually inculcate them into the gang and expose more to them. One of the people they recruited was a woman called Ala Vita, who's actually from Latvia. She worked as a CODA. She thought it was just a remote work job. She didn't really ask many questions. She then realized over time this was a criminal operation. She actually ended up in Suriname for reasons that we go into in the podcast. It's quite weird. Suriname's a tiny country in South America. The US government started looking into Conti. And with Alavita, they didn't have to do much research. She actually hosted some of the malware on her own website, alavita.nl. So finding her name wasn't that big of an investigation. The US government tracked her down to Suriname, where unfortunately she and her partner had overstayed their visas. So the US government said to the Suriname government, if you're tempted to extradite these people, could you fly them perhaps via Miami? So Alavita gets a knock on the door one day, ends up in Miami, and is then under custody in the US. Now, interestingly, because of the leaks around Conti, we know what their reaction to this was. Weirdly, it took them quite a while to notice this. One of the gang members had to report to the senior management to Stern, look, you do realise one of your people's been arrested. They then go into emergency panic mode because they realise Alavit could spill all the secrets. Or even if she just gives them the password, but the conversations will be potentially on her laptop or her devices. So they start working out, how can they spring Allah out of prison? And one of the big issues is, they've got a lawyer, they have a friendly lawyer in the US who knows the system but how do you pay the lawyer without your money being seized or tracked They trying trying to work out like have we got money in the US that we can somehow free up to pay this lawyer Because it going to cost us hundreds of thousands So they kind of go into overdrive. Now, we don't know what happens with that process in the end. We do know Alavita was eventually convicted. She'd, by this point, been in custody for quite some time. So I think she got a couple of years, was then put on a flight back to Riga and is now back in Riga. And actually, a German journalist managed to track her down and interview her. And we've spoken to that journalist for the podcast and we've got snippets of Allah. And she's, honestly, she's the classic criminal cutout. Didn't ask many questions, didn't really want to know, just happy to do the job. And I don't know about you, Dave, I've come across that in multiple cases where there's just some person who just doesn't ask enough questions and they end up in a crime game. It's bizarre how often that happens. I'm curious. Yes, you know, I think we all have an idea in our mind of what a cybercrime group is like and the people who are involved with them. As you were going through all of these messages, did it challenge your assumptions about who these people were as you got to know them? I'd always, it's a very common cliche in the business to describe cybercrime as a business. You know, in the cybersecurity industry, oh, it's a business, nine to five. I'd always known that. But it really did just bring it absolutely home to me, the mundanity of what they were doing, the staffing issues they had to deal with, the fallouts between different team members. oh, this person hasn't logged on, or I'm having trouble with this software. It's only when you've, I've not thought of this before, but it's only when you've read 47,000 messages, quite a lot of which are very boring, that you realize quite how mundane and business-like this operation was. They thought about the same stuff every organization thinks about, recruitment, retention, strategy, reputation. These were all things that Conti thought about and thought about quite deeply. So yeah, I found that interesting. And I found that interesting juggling that against the fact that they couldn't get away from the headwinds that a criminal operation still has. You can't trust each other. You don't know who you're working with. People don't hang around because they haven't signed contracts. They can flit at any time. They can flip on you at any time. So no matter how business-like content you got, it still had the Achilles heel that a lot of crime gangs have, the fact that you can't trust who you're working with. Yeah. As they ultimately unraveled, how does the information that you have, being able to look in on these conversations sort of in the rearview mirror, how does that inform your understanding of what ultimately led to their downfall? Well, the conversations between Conti members, the internal chats got leaks in February to March 2022, as the war in Ukraine was starting to break out. Conti did one last job, which was the government of Costa Rica, which is quite a step up. They'd attacked local government before, they'd attacked big companies, but to go after an entire government was quite a change. They did manage to take down parts of Costa Rica's government's infrastructure, the treasury, import exports were affected, taxes, pensions, government payments to government employees they were you know and what was interesting was it wasn't just Conti in the end Costa Rica became a sort of pylon of different groups um now what's interesting about that is we don't know why that happened because at that point the Conti gang was starting had disintegrated largely Max Smeets who's an author who wrote an academic also who wrote a great book called Ransom War has various theories for this and I think he's done a good job of summing them up you know So was this a last swan song to say, well, you know, mic drop, we're out of here? Was this somebody trying to say, well, Conti's not gone, we're still here, you can still use us? Was it a rogue affiliate who just went after a government? Had Conti at that point merged into some kind of nation state activity? We don't know. All we know is that's the last one that's attributed under the Conti name. We think Conti's members went on to set up new gangs to become affiliates in other gangs. But that's the sort of the swan song, if you like, of Conti, the death of Conti. After all this research, were there any particular things that stayed with you personally? The thing that really stayed with me was an interview that we did with a woman who is based in Ireland. And Conti in 2021 attacked the Irish Health Service, the National Health Service of Ireland. Did huge damage. I mean, it was just, it was absolute chaos there. This woman had a very rare form of cancer and she'd actually had the chemotherapy. She'd largely beaten the cancer, but there's a final course of radiotherapy. I've never had this experience, thankfully, with a family member, but these operations are so precise that you need to target the radiotherapy at exactly the right bit. It was in her brain, this particular cancer. And so she was on the final stretch, but there were these final moments of, okay, I've got six appointments left, and they'll do these exactly targeted, precise radiotherapy treatments, and then I'll be free. I've beaten it. I'm done. And she gets the phone call to say, sorry, the operation's off. And then she has the moment of looking at the doctors, writing down the coordinates for the therapy treatment in pen, which would normally be on a computer. They had to type them in manual into the computer because they'd lost the records. And she's looking and thinking, if they get a coordinate wrong, this doesn't work, this treatment doesn't work. That's how close to the wire you get. And so something like that, speaking to something like that, makes you realise, we think of cyber attacks as often being quite spreadsheet, quite white collar, quite digital, but real people really suffer. And that's not to mention all the people, a lot of people who listen to this podcast, who deal with defending against this stuff, who have to pull 18-hour days, seven days a week to clear this mess up. Our thanks to Jeff White, BBC journalist and host of CyberHack, for joining us. We'll have a link to his work on the Conti Ransomware Group in our show notes. And that's Research Saturday brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben, Peter Kilpie is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.