Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.
Little is known about how ransomware gangs operate and how their operations are structured. Having conducted an in-depth analysis of leaked chats of the Conti gang (one of the most dangerous ransomware gangs of all time) that surfaced last year, security researchers released a report that provides insight into a modern ransomware syndicate.
Interestingly enough, the syndicate seems to cover all key elements present in a modern organizational structure, such as job design (requirement or specifications of the job), departmentation (how different structures coordinate work), delegation (how jobs are assigned or distributed across groups and teams), span of control (number of individuals who report into a manager) and chain of command (line of authority).
A Scalable And B2B-Focused Business Model
Running a full-time ransomware operation is capital intensive and requires specialized skills. Threat actors must build, test and continuously update the malware, and also manage delivery, extortion, negotiation and the transfer of money. This is why most ransomware groups like Conti have shifted to a ransomware-as-a-service (RaaS) model, where large-scale operations are broken down into specialized tasks fulfilled by different parts of the attack chain.
RaaS operations can be divided into two main groups: operators and affiliates. Operators are typically salaried workers who build and maintain the malware, advertise and sell access to their tools, and maintain the victim payment portal and the leak site on which compromised data is published. Affiliates are workers who use the malware to target and compromise victims, and who also manage the negotiations.
A Medium-Sized Startup With Clear Departmentation
Conti is believed to have made $180 million by extorting businesses in 2021, and researchers estimate its lifetime revenue to be $2.7 billion, earned within just a couple of years of operations. While the organization does not appear to be rigidly structured, researchers did note that it has different teams divided into functional areas or departments.
For instance, the managerial layer is responsible for things like hiring, finance, payroll and other budgetary and cross-departmental responsibilities. System administrators and software developers ensure continuous development of the malware and related functionality as well as uninterrupted access to the overall RaaS operation. The access operations function consists of people tasked with breaking into victim environments using a range of techniques such as phishing, credential theft and vulnerability exploitation. The organization either employs salaried people for this or outsources the function to third parties (a.k.a. initial access brokers).
Specialized Workers Delegated To A Specific Role
The syndicate actively recruits workers with specialized skills for roles such as malware developer (manages the development of malware), malware manager (recruitment and training of developers, malware testing and infrastructure procurement), crypter (ensures that the malware is not detected by antivirus programs) and spammer (deploys malware through targeted and indiscriminate phishing campaigns).
Although RaaS collectives are usually associated with illicit roles, they also need people to manage their technical infrastructure. As a result, several seemingly legitimate jobs, such as C++ programmer (with reverse engineering skills), full-stack web developer for PHP, NodeJS, Windows system administrator, data analyst, business analyst, UI/UX designer, HTML designer, etc., were advertised on leading Russian recruitment websites.
Conti openly recruits for illicit roles such as penetration testers (people who know how to discover vulnerabilities and hack or bypass cybersecurity software and remote monitoring and management software), bot herders (people who control their own botnets) and targeted spammers (people who specialize in spear-phishing campaigns).
A Formal Chain Of Command
It is evident from Conti chats that the operation is divided into several teams or groups. Each group assigns a team leader (one or two, depending on the size of the group). Team leaders report to a manager who appears to be overseeing the collective work, administering salaries and approving expenses for reimbursement. The manager reports to an organizational leader who appears to own a functional area of the operation. For example, in a conversation between two individuals, one asks if they need to attack logistics and the manufacturing sector. The other replies that they have a team solely dedicated to defense or military companies.
Legendary Chinese military philosopher Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” In the context of cybersecurity, it is not just important that organizations improve their understanding of their own setup, their assets, their users, software, systems and weaknesses, but also know how their adversaries operate and the tactics and techniques they use to hold a business hostage.
Organizations need to spread this knowledge across their stakeholders, their users, employees, partners and customers so that they, too, remain vigilant and focused, acting as a robust layer of defense against such perpetrators of cybercrime.