A
Welcome to Cyber Leaders. I'm James Lyon.
B
And I'm Kieran Martin.
A
Welcome or well, welcome back to the show where the geek, that's me, and the generalist, that's me, get together to discuss a whole range of wacky, weird, wired, wireless and frankly wonderful topics for the cyber security leadership community.
B
Yes, thanks to SANS, where we both toil happily. Mostly we can bring you the perspectives from across the spectrum of tech security. Perspective from someone who's been breaking the law, sorry, lawfully breaking into networks. That's an important clarification in order to help organizations defend themselves and give the baddies more and more bad days. So that's James, the uber geek.
A
To the sort of issues around policy and operations and posture that organizations need to defend themselves from the perspective of someone who used to run cyber defense for the UK. That's Kieran. A geek in his very own, I suppose, special kind of way.
B
Yes, I have my own community of, well, me and a few others. But anyway, we bring to you the perspective of expert guests from all over the world on different aspects of cyber security.
A
Indeed we do. And loyal listeners. We know there are some. And we love you.
B
Yes. And we do love our new listeners too.
A
Well, yes, we love all our listeners, I suppose, Kieran.
B
Both of them.
A
Well, there's probably one or two that we might have an argument with. But anyway, we're going to do something new today, aren't we, Kieran?
B
Yes, an abundance of newness in the season. Our capacity to reinvent ourselves is boundless. We're just great.
A
But particularly when we throw in a bit of AI suggesting new ideas. But anyway, ignore him listeners.
B
It's not from A.I.
A
I dare. Are you? We're going to start today with a quiz.
B
We are. It's a one question quiz.
A
Brain teaser, Einstein, levels of challenge.
B
We'll come back to him, but it
A
is for a specific reason. It's to help you, dear listener, work out if this is the right podcast for you.
B
Yes. Now you know our long running joke. Maybe it's a joke, maybe it's not about some of our listeners being compelled to listen because of court orders and things like that. But look, we're experimenting with new ideas for the podcast. So we want to give you the listener. We want to give you an out in advance.
A
So here's our question. When you saw this episode and saw the word Conti, did you think of
B
option one, the world's leading market leading handcrafted espresso making machines.
A
Option two, the legendary Scottish actor Tom Conti, best known to younger viewers as Albert Einstein in the recent Hollywood blockbuster Oppenheimer. Or to the older viewers such as Kieran and Kieran for his Oscar nominated performance in Reuben, Reuben back in 1984.
B
Or do you think of option three? The extraordinary cyber criminal group who emerged from the shadows of the original big game ransomware hunters. And when in their prime, they caused the first declaration of a state of emergency as a result of a cyber attack, who crippled an entire national healthcare system. They forced the UK National Cyber Security center, when I was in charge, to dispatch a team of experts to the northeast of England to rescue services to vulnerable children who stole the personal details of Donald Trump, David Beckham and Oprah Winfrey and many others. And they seemed master of the criminal world. They survived Wade until their sudden, devastating, acrimonious and quite frankly hilarious collapse.
A
So if you went for option one, you know, give us a chance, go make some coffee on your posh Conti machine. But you know, maybe keep us on in the background.
B
But if you plumped for option two, Tom Conti, just switch off, go over to Netflix now, give the great man the homage he deserves. I'd recommend the 80s classic Shirley Valentine or maybe the Dark Knight Also Rises, the Re risening.
A
But if you went for option three, I can tell you with certainty you are in the right place. Stay with us for an extraordinary story of Conti ransomware gang.
B
Yes, today we're going to be talking about the Conti ransomware gang. But there's only one problem, James, with this new approach of a really serious deep dive into such a specific topic.
A
And that problem is Kieran.
B
Well, James, how much do you know about Conti?
A
Basically what you've already said. So I guess you'll have to say some more or the episode is going to be rather short.
B
Well, I do know a bit more than you. You're not actually that interested in threat actors, are you? You know, they're just too human. You're just interested in the sort of buggy code that they sort of send you and what it looks like and forth. But yeah, so I do know more about it, but I don't know enough about how to string out a whole episode.
A
Well, yeah, that's fair. And I must admit you're right. I do tend to be rather more obsessed with the digital chaos they tend to put out or the artifacts or reversing malware. But I do respect there are some actual humans behind it. So good job we foresaw this issue coming, Kieran. It's a bit of strategic planning has
B
taken place well by you, because that's why you're CEO, James. So what have you got up your sleeve? Or who have you got up your sleeve?
A
Maybe both. Well, back for his second appearance on the Cyber Leaders podcast is someone who has written the book on cybercrime, or more accurately, three of them. And his expose of another extraordinary group of evil hackers, the Lazarus Group, was so popular, the BBC turned it into a very successful podcast. Sorry, Kieran, another very successful cyber podcast.
B
Of course, yes, that's better.
A
That's better to eke their niche, as they say. Well, anyway, it was so successful, they made two seasons on the Lazarus heist. Then colleagues at the BBC made a third series, a really good one we've talked about before on the show about Russian cybercriminals. They renamed the whole podcast show Cyberhack. And now our guest is back with series four and it's on the Conti Group. It is amazing. It's out on the BBC on the 6th of July, but we get a little bit of a sneak preview here. So to discuss the extraordinary story of the Conti ransomware gang, please welcome back the one and only cyber journalist extraordinaire, the great explainer, it's Jeff White.
B
Jeff, welcome back. Thank you for coming back to the Cyber Leaders Podcast.
C
That's really kind of you. Thank you. That's quite an introduction. I'll try and live up to it.
B
Now, look, let's get stuck in because we've talked to you before about your incredible career in cyber journalism and all these baddies you've chased over. But today we're doing this deep dive into your new output. Fantastic new season of Cyberhack on the Conti Group. Tell us about how you came to do it. I mean, last time we spoke, you were talking about money laundering. You just knew more about North Korean hackers than anybody on the planet. But you've gone all Russian on us. What's the story about how this came to be?
C
Yeah, I've been covering sort of Russian attributed hacking for very, very many years. And actually one of the first stories I did way back when I was at Channel 4 News, the big UK news program, was about a guy called Evgeny Bogachev, who is accused of being kind of the godfather of a lot of modern cybercrime, a very colorful character. So I've always been looking for opportunities to kind of get back into that Russian story. And, yeah, what we wanted to do was really take apart this issue of ransomware, look at it in a new way. A fresh way. And as I'm sure you're both aware, and the audience probably maybe has heard of one of the biggest ransomware gangs going, particularly around 2021, was the Conti ransomware gang. Huge operation accused by the US government of making north of $150 million worth of ransom in one year. And that, by the way, is a vast underestimate. They made a lot more than that. Wow. What was useful about Conti was that for reasons we can go into, there was a huge leak of Conti's internal messages. Something like 350,000 internal messages from inside came out. And I was always intrigued by that and intrigued by the idea of being able to just read through their messages. And I'd always wondered why nobody had sort of made more of that. I mean, Brian Krebs, another great cybersecurity journalist, did quite a lot of articles about it, but it struck me that there was this huge resource out there that didn't seem to have been used that effectively. But getting hold of the Conti leaks and reading through that, I suddenly realized why. I mean, yes, it's a vast trove of data, but it's all in Russian, and it's all in Russian hacker slang. So trying to translate it and dig into it has actually been really difficult. I'm currently 47,000 messages into those messages, trying to sort of pull out insight and trying to pull out data, but also trying to pull out sentiment from those messages.
What's brilliant about this is you hear from the criminals themselves in their own words at the time they were committing the crime, and when they didn't even realize that those messages were going to be later leaked. So you really see into their whole interior world. It's absolutely amazing. It really is amazing.
B
It's a fantastic story, and we will definitely come back to what those messages tell us. But I think this partly shows we're programmed differently, Jeff, and it's more useful to have your programming than mine, because I'm the former civil servant. So I was just wondering, do they have a leak inquiry and did they find who leaked us? Whereas you actually delved into what this amazing trove tells us about cybercrime. So thank you for doing that, James.
A
Yeah, look, I do think this is going to be absolutely fascinating. We got to get into some of those messages, and these are gifts to the cyber security community because we spend a lot of time dealing with these faceless adversaries that subject us to these incidents and difficult weekends and nights, and they always seem to choose the right moment to do it for security leaders just as the business is busy with something else and it's the worst possible timing. And I remember my first example of this, the Koobface gang back in 2009, where, like this, we managed to dig into their operations. We had photos of their office Christmas party. And I remember thinking it was fascinating that there was a Christmas party for a cybercrime gang. Jeff, let's set this out, I suppose, with a little structure here. Before Kieran and I get excited and ask you about all the fascinating things you've learned and your Russian pronunciation, the origin story, we probably better start for folks here on who are the Conti gang? How do we think they got started? Let's start there, if you wouldn't mind.
C
Yes. For me, I would sort of trace this back. And we've been informed by some great experts, including at the UK National Crime Agency about this. So it's knowledge that I had a bit in my mind, but also has been filled in by lots of great experts and at the National Cyber Security Centre in the UK as well. Basically, this guy, Evgeny Bogachev, I think, was a really pivotal figure. He developed, was accused of developing a virus called Zeus. The Zeus virus, which hacked into bank accounts. It effectively intercepted online banking traffic. And they made out like bandits, those guys. They're accused of making upwards of $500 million between them. It's a vast amount of money. Evgeny was working with a couple of deputies and one of the deputies he's accused of working with went by the nickname Bentley. Bentley or Benny were the names he was using. He was actually over in the US, he was a Russian individual based in the US, and what he was providing was money laundering facilities. And this is why one of the books I wrote was about money laundering. Laundering is absolutely pivotal to any big money crime campaign or illicit campaign. And so Benny was helping them out in Russia. Once they hacked into Americans' bank accounts using Zeus, Benny would help around. Zeus got cracked down on, the money mules got arrested and Benny skipped town and went back to Russia, where he's from, and then effectively created a sort of spin off of Zeus, went under the nickname the Dyre Gang, who basically had a very similar virus used for very sort of similar kinds of things. Now, what's fascinating, one of the amazing wrinkles in this story is when they had the money back in Russia, they needed some kind of front company to wash the money through. And so the story emerged that they set up a film company called 25th Floor Film, because it was based on the 25th floor of a tower block in Moscow, and that was being used to wash money through, is the accusation.
Now, some people who work for 25th Floor genuinely believed they were working for a film company and it did make films, and part of it was a functioning film company, but according to U.S. investigators, it was also being used to wash money through. And hilariously, 25th floor was not only making films, they decided they would make a film about cybercrime.
A
Wow, perfect.
C
And I actually managed to find the screenwriter who was due to write this film, it's going to be called Botnet. And I tracked this guy down and said, well, what happened? He said, well, these Russian guys approached me and they flew me across to Moscow and they knew a lot about cybercrime, this film company. And I was like, yeah, I bet they did.
A
I imagine they did.
C
He actually developed this whole script and the script was effectively a biography of Benny, the guy running the gang. It was a life story of his own life.
B
Wow.
C
Absolutely astonishing. However, disaster strikes: the Russian government, the Russian authorities raided 25th Floor film company and effectively shut it down. And the Dyre gang, the computer hacking group, sort of died a bit of a death with that company. But Benny rises from the ashes, renames himself Stern, is his new hacker name, and effectively doubles down on ransomware, which again, Evgeny Bogachev, the guy I talked about, the sort of godfather of cybercrime, according to the US government, he experimented with ransomware. But what Benny, who's now Stern, did was use the ransomware not to target individuals and encrypt individuals' computers, but encrypt companies' data, organisations' data. And with an individual, you might be able to get a few thousand dollars out of them for their data on their laptop. With a company, an organization, you can hit them.
A
Evolution of business model, Jeff. It's just fascinating, right? Evolving the business model and being really thoughtful on the kind of effort you put into cybercrime and how you're going to make more dollars by picking your targets. Things that businesses do.
C
Yeah.
A
Stay with us, we'll be right back. Hi, everyone, James Lyon here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums, where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us, so why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world class experts sharing insights into the latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org/cln, that's Charlie Lima November. And if you're enjoying the show, one teeny, tiny, small favour: hit subscribe. That's genuinely all we'll ever ask of you. And in return, we'll keep fighting to bring you the guests and conversations that you want to hear. Appreciate it all. Now, let's get on with the show.
B
Yeah, and just to build on that, Jeff. So these are a bunch of cybercriminals who've been in previous groups, they've had their ups and downs. They get together in various different hacking crime groups, they do different things, but then they change the techniques. They discover big game ransomware while all this is happening. And I think a lot of people know the answer to this, but it's just worth spelling out, how are they getting away with it? What are the authorities doing or not doing? I wouldn't expect James and I and our rural Cotswolds backgrounds to be able to do this without Sandford police from Hot Fuzz at least expressing some interest in what we're doing.
A
Don't tempt me with a good time, Kieran.
B
But these guys, I mean, we've referred to many times before, you know, they have business models and they're behaving like, you know, they're having strategy sessions and they're just reorganizing themselves, but they're committing crime on a global scale and they're planning more of it and they're getting, what is it with this environment they're working in? How does it work?
C
Yes, a couple of answers to that question. Firstly, I've been told by a well informed source that in Russia it is illegal to hack Russians in Russia, but under the Russian criminal code, it's not illegal to hack non Russians. So for a start, Russian law enforcement responding to this, you're on a sticky wicket in terms of what you sort of charge these people with.
B
What? Interesting law.
C
Yes. Yeah, yeah. Second thing is, obviously, you know, the Russian Federation's relationship with the rest of the world has been patchy at best and is obviously now completely in the toilet. And so, you know, what's the incentive for the Russian Federation to go after these gangs? There's also a suspicion that there's Russian government involvement in some of these gangs. Now I slightly push back on what some people say, which is all, I bet the Kremlin run all of this and all these gangs are actually tracking back to the Russian government. I just don't think that's true. I think these gangs are completely money motivated, but they know which side their bread's buttered. You know, they're working from inside a country. And if, you know, the Russian government comes knocking and says, we'd like you to attack a particular target, we think you've got into a particular target. Some experts have said there's evidence that the Russian ransomware gangs will play ball with that. Max Smeets wrote a book called Ransom War in which he talked about some of these ransomware gangs cooperating with what he called pioneering exercises. And so we do believe that there's connections between these gangs and the Russian government, but it is not true, I don't think, to say that they're working on behalf of and from what Max Smeets's research dictates and actually some other things that we've got from the leaks, sometimes these ransomware gangs do not like the fact that the Russian government wants them to do things because at that point they're not making any money out of that. Yes, indeed, various different explanations for why they don't sort of get caught in inverted commas. But there are takedowns. And again, the Russian government, Russian law enforcement has done takedowns sometimes of ransomware gangs.
Has to be said, some of the suspicion is that, you know, one ransomware gang will inform on another one and get them taken down because obviously then they can take over the market share of the other gang. And again, crime gangs have done that since time immemorial, you know, taking down another crime gang operation so you can expand your business. So there's multiple sort of answers as to, you know, why aren't they behind bars, these kinds of guys.
B
No, it's fascinating and it's important. And you've referenced another friend of the show, Max Smeets, who's been on talking about these issues. And I think that clarity does matter because we're going to go on shortly to talk about some of their major operations. And if you think in each of these cases, when we're talking about them, if you think that was directly ordered by the Kremlin, then you've got a slightly different set of political and security issues than you have if it's just crime harbored by the state rather than controlled by it. But let's get on to some of these major bits of history. Now. I joked earlier about looking at the world differently. As an ex civil servant, I also originally studied history and one of the problems when you study history is people get all into the analysis of why something happened and what it tells you, but they forget to tell you what actually happened in the first place. So we do want to get on to the whole point about their leaks and this trove that you're looking into and what that tells us. But let's just try and remind listeners because for a while, I'm going to say 2019 to 2022, I mean, these guys were on the rampage. They were terrorizing the world. So let's look at some of these. So, James, I think you want to start here with one of the hacks you're most interested in.
A
Oh, yeah, you know, you're right. In that time period, there are a lot of examples we could pick. We should probably go through two or three, and we can ask Jeff if he's got a favorite. But I know one I do want to touch on because I thought it was fascinating: Graff. Or Graph, depending on one's pronunciation proclivities. A famous kind of luxurious jewelry brand for those who, you know, may not be customers and so inclined.
B
Yeah, I'd never heard of them until he got hacked.
A
I think that's why I learned about them too, if I'm honest. I was trying to play that cool, like I'm a regular jewelry girl, but everyone knows better. More likely to spend money on a fancy keyboard with magnetic switches, which I do have a lovely one in front of me. Anyway, fascinating attack here, Jeff. And I'm interested in this one because, of course, the victims were quite high profile, quite interesting data, quite interesting ransom dynamics. And also there was something about a pretty bizarre kind of semi apology that happened here as well. So what happened back in September '21? Here, give us an outline of the attack.
C
Yeah, in a way, the Graff diamonds attack was a fairly typical Conti MO. You know, they hacked into the organization, scrambled its data, stole a bunch of data, and then threatened Graff and said, look, you pay the ransom to decrypt your data. But by the way, even if you refuse to do that, we are going to leak this incredibly sensitive data, and that's going to be a big problem for you because this is private data of your customers. So either way, you pay the ransom. And they were hitting the mark for in the millions. We think about seven, seven and a half million. It is fair to say that diamond dealers like Graff, you know, they have a hugely famous client list. I mean, Graff is known around the world and are institutionally secretive about that. So we interviewed somebody who, you know, she's a diamond historian, jewellery historian for the podcast. And, you know, as a sort of warm up question at the beginning, I said, well, go on, who are Graff's famous customers? You know, get a bit of sparkle and a bit of celebrity. And she said, no, I won't name any of them. And I said, well, come on, I'm sure some of them have said themselves in the media that they're customers of Graff. And she said, no, no, Graff will not name any of their customers. You do not get named. You get a white glove service. I mean, they have a side entrance. You can go in as a celebrity. You will never be spotted going into a Graff store. The staff never talk about who they deal with. It is white glove service. So the idea that this ransomware gang had a bunch of this data was obviously very worrying. Graff presumably was playing quite hardball because Conti, the ransomware gang, decided they would start leaking some snippets of this information to put the squeeze on Graff. So they started on their dark website, leaking out snippets of information.
There was a journalist we interviewed, he was actually working on a different story, but he came across the Conti dark website and he spotted these details. And so he did. I think that his name's Kevin O'Sullivan. He did an article with some Daily Mail journalists about this and they said, you know, this Graff diamond jeweller has been hacked and they've started leaking all this information and it was people like Donald Trump and Oprah Winfrey and David Beckham whose details they claimed to have. And so obviously for the Daily Mail, this was a, you know, a celeb heavy story. They can put photographs of Becks and Posh in the article and Donald Trump. The problem with it was in amongst the leaks of data, there was also data about very powerful people, including the Saudi royal family, which we don't think that Conti actually realized they leaked out. I mean, they probably just took a chunk of this data and stuck it on the Internet. So then you've got this bizarre situation where it seems that obviously the Saudis are very unhappy about this. I imagine all the other celebrities are very unhappy about it, but we're not sure what happened in the background. The next thing is that the Conti gang comes out with an apology, an official apology on their dark web page saying, very sorry this has happened. The Daily Mail has alerted us to this. Thank you to the Daily Mail. They credited the Daily Mail and, you know, credited the journalist there and said, we apologise to the Saudi royal family for this and of course, any inconvenience caused. We will now delete their data and take it offline. Now, of course, we have access to the leaks from Conti and we know from those leaks they did no such thing. They hung onto the data and in a brilliant exchange, one of them, you know, you can potentially blackmail these people in the future, and one of them responds and says, yes, we can shake and shake with the shakes. So they're going to hang on to these people's data.
So it turns out, no honour amongst thieves, but. So you get this weird sort of reverse ferret, as we call it in the UK, from Conti, where they delete the data and get it back. All of this results, of course, in more headlines for Graff. And it got worse and worse. Interestingly, we're pretty sure that Graff diamonds paid. And the reason we know that is because they had a dispute with their insurance company, Travelers Insurance, because Graff tried to claim, it seems, on their cyber insurance and the insurer refused to pay. And it seems there was a settlement out of court, but from that we believe the ransom paid was something in the order of $7.5 million. Now, just to put that in context, this entire process with Graff would have taken, let's say, a couple of months or so. We worked out how long it would take the average Russian to earn $7.5 million, and we came up with a figure of about 400 years.
A
Pretty good payday.
C
So if you're wondering why a ransomware gang bothers doing this, in two years you can earn not just all your life's money, but all of your family's money for their entire lives as well. That's a significant incentive, isn't it, to carry out a ransomware attack, but just an astonishing attack.
B
Wow. So, I mean, the sheer bizarre nature of that story is just extraordinary. I mean, British listeners will enjoy the Daily Mail receiving an apology from an international crime syndicate. I don't know where to go with that one. But you mentioned to slightly make the tone more serious, because we're about to talk about two very serious hacks with real world consequences. You mentioned there was no honor amongst thieves. They pretended they deleted the data from the Saudi royal family. They didn't. We have proof of that. That's a really fascinating and important learning point.
A
And Kieran, a good takeaway for CISO's right there. Should you be faced with that in the future?
B
Yeah, well, we'll come to your damn takeaway at the end anyway. But there were more serious examples of the lack of honor amongst thieves in terms of the consequences. And let me ask you about two. One I know very well, know both of them fairly well, but one I know very well because I was personally involved, which is here in England in Redcar and Cleveland local authority in 2019, where they, as far as they're concerned, they just hack a local government, but it has some serious consequences. And then two years later, the Irish national healthcare fiasco. So you've got local services and then you've got a national healthcare system, and they're both Conti and they're both highly disruptive, arguably, possibly not even arguably dangerous. Tell us about those.
C
Well, yeah, so the Redcar and Cleveland Borough Council attack, as you say, Kieran, this is a council in the northeast of England. Very small, like a really small sort of local government area.
B
Yeah. So not much money.
C
Not much money. It's a lovely area. It's a beautiful area of the world, that I have to say. But, you know, it's not economically massively wealthy by any stretch of the imagination. And they get hit with ransomware. All their council data is scrambled. It's fair to say they did the best that they could. And obviously, as Kieran, as you say, you were in the National Cyber Security Centre at the time and were dispatching people up there to sort of work with them to deal with this, but it just came completely out of the blue at them. This was an interesting point because this was sort of in the early days of what became the Conti gang. So at the time, I don't think we would have regarded that as, in quotes, a Conti attack. It was done by the sort of precursors or predecessors. But the people definitely who became Conti, according to the police we've spoken to. And it just caused pandemonium. I mean, services went under. We've spoken to people who didn't want to appear in the podcast, but they did tell us their story. And they have a lot of health issues and a lot of requirements of the local council. And their support from the local council just stopped. They couldn't get through on the phone. All the things they normally relied on, the carers, the helpers, all of that, it just dried up. And they, you know, it's not easy being a couple where one person's the other's carer completely. They almost broke up. It almost split the relationship. And had it done that, both of them would have suffered. But also the partner who was in a very serious health condition, God knows where she would have got help. That's the consequence. It's not just a ransomware attack and dating. It's a really traumatic period of their lives. It really, really messed with them. And that's just one fallout from that attack completely.
B
And let me just interject there, abusing sort of host privilege, because as you said, I was head of the National Cyber Security Centre at the time, and it was a really interesting and troubling case about the human consequences, but also just from an operational point of view, how you have to manage risk. So another previous guest on the show, Paul Chichester, still the director of operations, he came to see me one day in 2019 and said, you need to know this. I've just sent a team of some of our best incident responders up to Redcar and Cleveland, and I said, what have you done that for? I knew there was a major issue, but it turned out there were some things that, whilst unpleasant, were manageable. You know, the website not working, leisure centers struggling to stay open and timetable confusion and so forth. There were the sort of very difficult issues you talked about. There's some issues about school transfers at age 11, but the big one structurally was Vulnerable Children Services, where all of the case data was locked out. So there were real issues about child safety. If somebody, for example, was getting out of prison and there was a case file that said, look, you need to have somebody at the family home if they have a history of violent offending or whatever. None of that was happening. So for the first, and I think only time, we sent a team, a pretty large team, and as the council leader was good enough to acknowledge in public, when all this was investigated in Parliament, they slept in camp beds in the office and they just worked flat out until they got most of it restored. So you had to triage what you cared about most. But what you've brought up brilliantly there, Jeff, is just the horrible human consequences of this.
Which brings me to the fully formed Conti in 2020 in one of their most infamous attacks, which also, I think, brought them into some tension with some parts of the wider sort of Russian criminal and probably Russian state ecosystem, because it was so brazen and so bad. And that's obviously the Irish healthcare system. Tell us about that.
C
Yes, this was 2021, and as you say, Conti really hit their stride by this stage. And it's worth noting that at this point, Conti were certainly experimenting with, and may have already sort of fully moved into, you know, the affiliate model, basically franchising out ransomware. So the thing with ransomware is the more victims you hit, the more money you get. So you want to spread it far and wide. But the people who develop the ransomware and write it, they're not necessarily the best at spreading it. And so they basically created a franchise operation where anyone really around the world could sign up as a Conti affiliate, get hold of this ransomware, spread it. If the victim paid, 80% would go to the affiliate who spread it, and 20% would be kicked back to the ransomware gang. Which immediately gives you an indication of sort of where the power sits. That 80/20 split. You know, these affiliates were very powerful people. But it also meant that Conti started to lose control centrally of how and where its ransomware was being used. And there's debates in the leaks, actually, about this, you know, where the boss, Stern, sometimes doesn't know what's being attacked and is surprised by this. One of the affiliates, it seems, or one of the members of Conti, goes after Ireland's Health Service Executive, which basically runs healthcare in the Republic of Ireland. Again, pandemonium. Hospitals shut down. You realise there's just this rolling network of stuff in healthcare that's just constantly in use, blood tests, diagnostics, all that kind of stuff. And they just get used to it. You know, they don't know really what's wrong with you, but they take some blood, they send it off and then a few hours later, and it's amazing this, a few hours later, they get back full results. Brilliant. We know what's wrong with you and now we can give you the treatment. As soon as that grinds to a halt, you just get this backlog filling up.
Your ward is then full of people and you don't really know what's wrong with them. And I think we have this idea that doctors, you know, take your pulse and your temperature and give you some pills. To do the wrong thing for a person, not knowing what's wrong with them, give them the wrong tablet, give them the wrong treatment, you could kill
A
them or simply even delay the process. Of course.
C
We spoke to one woman who had fought off cancer and she was having radiotherapy for her cancer treatment. And this radiotherapy was amazing. They had to target the radio waves exactly at the right coordinates. All those coordinates, of course, stored on a computer, which was now inaccessible, so they had to write the coordinates down by hand. You get some of those coordinates wrong, you've just zapped the wrong part of this woman's brain and that's going to cause a huge problem. So she was really worried that this might actually affect her life. Now, in the end, with the HSE in Ireland, the hackers did give over the decryption key. They actually gave over the key and they managed to unscramble a bunch of this data. But it wasn't as simple. I didn't realise this. It wasn't as simple as, like, plug in the key, yay, everything's unlocked. It takes ages and ages and you've got to do it system by system. So even when they got the key, and Ireland's HSE didn't pay, the ransomware gang gave them it, it still took ages. And it's worth saying that part of what we get from the leaks is this really interesting discussion around healthcare. And do you hit healthcare? There was a range of views in Conti about this. Some people say, we're not going to do that. For some of them it is a moral outlook, but for others, it's like, we don't want to put a target on our backs. You attack healthcare during a COVID pandemic, that's going to get us a lot of unwelcome attention. But at the other end of the spectrum, there are people who quite literally are saying, well, sod off, I'm a criminal, I'm a crook, of course I don't care about morality. And of course COVID is exactly the right time to hit a hospital, because that's when they'll pay. So there's this range of opinion going on, this debate going on there, which I find interesting.
B
So just one last question on this, because it's so interesting. Why do you think, or did the messages tell us anything about why they handed over the crypto key? Because there's a background here. This is national-level fear and anger. The Irish state is actually under some pressure, including from some parliamentarians, to pay, because health services have ground to a halt. All those disastrous human consequences you're talking about. There is fear about the wholesale breach of medical data, a secondary issue relative to the disruption, but it still matters. People think there's going to be a download of their most sensitive information available. Is it this moral debate? Are they feeling the heat from other cyber attackers, because this is such a big story and they're seen to have gone too far, even for criminals? Is it pressure from the Kremlin? Because, you know, Putin doesn't need people thinking he's launched an attack on a neutral, non-NATO country. What's going on?
C
Yes, it is murky, to say the least. And there's various things we got told which we haven't managed to substantiate about this for the podcast, but there's a few different dynamics in this. I think the Conti gang, and this is my sort of opinion, had got used to hitting American hospitals, which are private companies, effectively, and they got used to the idea that you could hit a hospital and it was a private company and they would pay a ransom. And that does happen. We've seen that happen. I think they maybe misunderstood what was happening with Ireland's HSE.
B
I agree.
C
And didn't realise, no, this is the entire country's health service. This isn't just hitting a private hospital. There's a bit of that. There's also the fact that the Russian embassy in Ireland came out with an amazing statement, which, again, we put in the podcast, sort of condemning this and saying, we don't support this. Now, as I say, I don't think these ransomware gangs are run by the Russian government, but a lot of them, and certainly Conti's accused of being based in the Russian Federation, they don't want to piss off the government, for want of a better word, pardon my French, you know, so that clearly helped them, you know, focus their minds. But also the HSE, from the very beginning, said, look, we're not going to pay the ransom. I think in the end, the Conti gang went, look, this is just not worth it. Give them the key, walk away. We don't want any of the consequences of this. That's my back-of-the-fag-packet maths on that.
B
But they're not done with governments yet, are they, James?
A
They are not. And, hey, I'd like to highlight two things in there. It's just fascinating stuff, Geoff, that it's easy to run past, but you made a remark there that really matters for practitioners who may run into future instances of ransomware with decryptors. You know, cybercriminal gangs don't spend a lot of time working on the quality assurance and kind of speed of decryption processes. You know, over the years, I've seen lots of examples of decryptors that were broken and, you know, essentially turned into inadvertent destructionware as opposed to ransomware, if you even get your hands on them. And I think that really does underline the importance of the kind of preparatory processes and the assumption that one can't just pay off the criminals to get your data back. That's a remark that is, you know, important to highlight to our practitioners here and that we can learn from. And the other thing I wanted to highlight, you kind of mentioned the targeting and what these tools can be used for. You know, back, Geoff, when you and I in the dark ages of cybercrime first met and there were dinosaurs romping around, I'd just run into one of the first examples of a malware gang including an end user license agreement stipulating that you couldn't use their toolkit against law enforcement or hospitals because they didn't want the attention. And so, you know, it is interesting, there is a whole spectrum of appetites and motives here, as you mention. And of course they're after money, they're commercially motivated here, but creating an international political event may not be desirable. Which of course brings us to the coup de grâce here, Costa Rica. Yeah, so I mean, 30-odd institutions hit back in April '22, a declaration of national emergency on 8 May '22. Tell us about what happened here, because this is stunning, isn't it?
C
It's fascinating and it occupies a fascinating place in the sort of history of the Conti ransomware gang. So put this in context from the chats. We know that in late 2021, Conti were riding high. There's loads of amazing comments on there saying, oh, next year, you know, it's going to be even better if we can keep this rate up. And they start talking about buying apartments and they start talking about how much they're making. They are just absolutely coining it in and delighted with themselves. February 2022, we obviously get Russia's full-scale invasion of Ukraine. Off the back of that, we get this amazing moment where Conti at first declares support for what Putin describes as his special operation and then reverses and says, no, we didn't mean to say that. But in the interim, the Ukrainian side of the Conti gang, because they had members in Ukraine, were completely incensed by that. And you see in the chats, actually, the leaked chats, you see this sort of back and forth between people supporting Russia and people supporting Ukraine. Off the back of that, someone in the gang decides they're going to leak Conti's entire chat log, every message the gang sent to each other, every second of every day for the last two and a half years. 350,000 messages spill out. As you can imagine, it caused pandemonium in the gang. They were already facing stress. The boss of the gang, Stern, this character we talked about earlier, had basically gone AWOL by this point. Nobody really knew where he was. The gang was fracturing and this was kind of the final nail in the coffin. They decided they would disband and they would just go their separate ways. But then we get this sort of swan song attack, if you like, attributed to Conti. The attack on Costa Rica, absolutely astonishing. I mean, it took down multiple entities in the Costa Rican government. And the Costa Ricans we've spoken to believe that Conti was hitting them and responding in real time to what they were doing.
So when they went on TV to talk about the attack, Conti would time their next bit of the attack for that TV appearance, for example. It became a bit of a pile-on. There were other gangs. I think Hive was one of the other gangs attacking Costa Rica. And so you get this pile-on attack that happens. The country really suffered. I mean, you're talking millions and millions of dollars of cost. Import, export was one of the things that really got hit in Costa Rica. And it makes a lot of its money by import, export. That stuff got absolutely hit, ports, you know, forced back to using paper and pen, customs declarations having to be done on paper. It really cost the country. And what's really sad about that is obviously Costa Rica, it's a small country, it's not a very rich country. It's a long way away. A lot of people don't know where it is on a map. The Costa Ricans we've spoken to believe it was used as a test case. And I think that really got to me because it's like your country, it can be sort of pushed around a bit, you know, just to prove what we can do and test what we can do. Now in terms of what Conti's motivation for doing this was and how this feeds into the story, we don't know, because we don't have access to the leaks at this point, because the leaks only go up to when they were leaked. You know, 2022, February. We don't really know what happened here. Was this Conti trying to get back on its feet? You know, was this Conti doing one long last operation to sort of, you know, mic drop, walk away? Was this a rogue affiliate who did this? Was somebody within Conti trying to market Conti's ability as a sort of nation-state weapon, to say, look, you know us for ransomware, for profit, but look what we can do to a country. You know, anybody fancy buying this? We don't really know. There's lots of different explanations possible for it. And again, Max Smeets, you know, who wrote Ransom War, has talked about this, about the possible explanations in it.
I do find it fascinating, but fundamentally for the Costa Ricans, they declared a state of emergency and it cost them so much money to fix this. Again, they refused to pay. They were not going to pay in the end.
B
Yeah, something like 2% of GDP. It's an extraordinary figure and it's quite a death rattle for the Conti group. I hadn't realized the leaks were before that, and it was already on its last legs. So, just a quick question, Geoff. Do we know what's happened to some of these key people, the operators in the Conti group? Are they reforming? Do they have a new badge? Are they living quiet retirements in luxury in some of those nice areas of southern Russia? Not so nice at the moment, but you know what I mean.
C
Very good question. Yeah. In the final tail end of the leaks, there's always discussion about parts of the gang reforming. There's a member of the gang called Fire who posts this very sort of heart-rending sort of final post and says, you know, we shall meet again. We know that our operation will rise again. So we know the aspiration there. Certainly the members of the gang who were affiliates, who were using Conti's ransomware to go and spread it, some of them would inevitably have just joined the next ransomware gang to come along, you know, because all these ransomware gangs are constantly, you know, seeking new affiliates, new and experienced affiliates. Some of them would have moved on. In terms of the people at the heart of the gang, subsequent to the Costa Rica attack, we had this remarkable moment where in the end, it was the German authorities, the BKA, who outed and named the person they believe is the true identity of Stern, the boss of Conti, this enigmatic character. They claimed he's a guy called Vitaly Kovalev, who's a Russian living in the Russian Federation. They released a photograph of him, a couple of photographs, but there wasn't really much to go on. And obviously, as a journalist, an investigative journalist, I like to see these people. I wanted to understand more about them. I want to sort of, you know, hear from them, ideally. And in a remarkable turn of events, there was a Telegram account that got set up that was claiming to leak details of the Conti gang, you know, their real identities, etc. Somebody replied to that Telegram account with a photograph that appeared to show this man, Vitaly Kovalev, accused of running the Conti gang. And what that led us to was a whole bunch of social media videos with thousands of followers. There's somebody Kovalev's connected to who's quite a big wheel on the Internet and actually quite a star. Like an Internet star. These videos have thousands of views.
And I thought, well, I'll watch all these videos, but I'm pretty sure, I mean, you know, Vitaly Kovalev would run a mile from this. He's one of the world's most wanted cyber criminals. Oh, no, he's there in the background, waving away, bopping around, dancing. We see him on holiday. We've managed to identify the resort he went to on holiday. And it's a sort of $25,000-a-week resort somewhere in southern Russia. So he is still apparently living at large and having a good life.
A
And Geoff, if I'm not mistaken, he was sanctioned by the US and the UK, but to this date, not arrested, I don't think.
C
Correct. Yes, he's been sanctioned. He was also charged with what he's accused by the US of doing in terms of money laundering way back in 2010. So he's been charged and also sanctioned. We will obviously be, as part of the podcast, reaching out to him for comment on this and we sort of welcome his input, welcome his contribution.
B
Yes.
A
Good luck. So if he's listening to the show now, consider that an invitation. Geoff, I do have to say as well, my little bit of background research on this, which will pale in comparison to yours. It is fascinating when you look him up as a character and how he's kind of covered on the Russian side in the local language. I mean, he really is presented as an engineer. His certifications are on show. He's a stable system builder, you know, not a cyber criminal. He's kind of portrayed as a bit of an Internet genius.
C
Yes.
A
With connections to influence. It's just fascinating and not what you expect at all, is it?
C
No, absolutely not. And I'm a bit conflicted about this because obviously, having watched, you know, videos in which he appears and sort of heard a little bit of him, it's disconcerting, the disconnect between what he's accused of doing, which was a campaign which, as we talked about, threatened in the end people's lives by targeting healthcare. The extent to which he knew that or not, we don't know. But the gang he was accused of running certainly did. But as I look at him, he's just got this very benign face. In the podcast, I describe it as if your car broke down and you were looking around for someone to give you a push, you'd probably think, oh, he'd probably help out. It's really difficult to reconcile his demeanour with what he's accused of doing. And perhaps in his own head, he was just a business person, if the accusations against him are correct. Maybe he thought, well, Conti was just a business that I ran. Maybe that's how he feels. I don't know.
A
Fascinating, isn't it? Fascinating. And you know, Geoff, I know that over the years I've tracked cyber criminal gangs a bit differently to you. As I say, I do tend to focus on the malware and the data and the attacks and exploits versus the humans. And, you know, you and I talked on the last podcast where you joined us about how we could meet in the middle and you could learn a lot from following the money and thinking beyond the technical parts of it. And it does seem like this gang has dissipated off into other places. And the rumours are some of these folks ended up in kind of Black Basta, Royal, Black, you know, these kind of other follow-on gangs. And that will be hard for us to ever truly know. But I suppose I'd love to give you this opportunity, you know, having now researched all of this for so many years and learned about these different gangs and these individuals. You know, when you look at the leaks you've been poring through, the 47,000-odd messages so far, what do you think, overall, it tells us about cybercrime? What are your kind of two or three macro conclusions from seeing the inside of the operation in a relatively unique way?
C
The thing that's really come across to me is I've got this theory that these people are bright. You know, you can't do this stuff if you're thick. They're not, like, hitting people over the head with a hammer. They are, you know, developing computer code. They're extremely smart at what they do. I think if you're a smart person, it's quite difficult to wake up in the morning and extort people. Ransomware is a crime of extortion. You have to threaten your victim, intimidate them, and force them to pay. I don't think many intelligent people wake up in the morning comfortable with doing that. You know, I think what their brain needs is a different way of framing this. You've got to have some psychological lens through which to see it, which makes it okay. And so I think the lens that Conti's members use, and from the chats, this comes through for me loud and clear, is this is a business. We are not attacking a victim. We are in competition with our victim. And you see that in terms of them describing themselves as post-paid penetration testers. You know, the idea that you would normally pay for a penetration test to expose your vulnerabilities. Well, we've done one of those tests, we just didn't tell you we were doing it, and you failed. So now you have to pay us after we've done the test. What they regard this as is not attackers attacking victims. What they regard this as is a competition between two businesses. There's the business that's defending and there's Conti with its ransomware, that's in competition. And when you're ransomed, when your data's encrypted and exfiltrated, you lost the competition. And like in any competitive state, you pay for that, you pay a money amount. I talk about the crime triangle, where you have, you know, villains and victims and heroes, you know, the three things you need for crime, really. I just don't think they see the world like that. They see this as just completely competitors.
They're competing between themselves as ransomware gangs. Their victims are competing with them. And the heroes, I don't think they see the heroes, the FBI and the likes of the SANS Institute and stuff, as heroic. I think they see them just as competition. This is a state of nature. These people are brought up in a state of nature. And in a state of nature, the person with the biggest fists wins. That's just how it is. It's not criminality, it's just business. I think that's how they see it. And so I think for the defenders, you know, if you're talking to your business in terms of, oh, we need to defend against these attackers, I'm not sure if that's the right way to explain it. I think you have to say to your bosses, you realize we have competition out there with these ransomware gangs. This is a hostile takeover. If we don't get it right, we are going to lose this business competition. In the same way you fund your business to be more competitive, you are funding your business in cyber security to compete against the ransomware gangs who are competing against you. I don't know whether that reframing helps, but that's certainly what I.
B
Well, it absolutely helps, because I want to build on it and ask you, let's take the Conti of 2021 in its pomp, causing havoc around the world. There's horrible cases we've talked about. If it were to regroup today, do you think we'd be any better prepared for it?
C
It's a very good question.
A
Oh, Kieran. Brutal.
C
One thing that's useful about the big attacks we saw last year on UK high street businesses and also Jaguar Land Rover was, it did raise the stakes with this. You know, my mum, for example. Actually, my mum had heard of ransomware before because she's, you know, listened to all my output and read all my books, which is what you do as a mum. But, you know, lots of mums and dads around the world, around the country in the UK, suddenly heard of ransomware and understood it was a thing. So for a start, there's understanding in communities, there's understanding amongst employees. And also businesses can use that to say, look, we don't want to go there. How do we not become the next Marks and Spencer or Co-op or whatever? So I think there is learning there. My worry is attention spans are short. There's lots of pressures in other ways. There's economic pressures in the UK at the moment. It's not just learning lessons, it's applying them. Applying them long term. And so I would argue, yes, we're probably a bit better prepared than we were back in 2020, 2021. But it's maintaining that and improving it that I think is important.
B
Really helpful. Thank you. Well, look, we have kept you far too long because that was just so interesting. But that is all we have time for.
C
Thank you.
A
So sorry, Professor Martin, what about my 30 second takeaway?
B
James? Look, this is a new format. It's a really, really cool deep dive into the history and lessons from a major cyber criminal group. Your takeaway, it just doesn't fit anymore. I mean, what are you going to ask Geoff to say? What's his takeaway? Cybercriminals are bad. Don't hack hospitals, kids.
A
That does sound like a good takeaway, Frank. And probably a T-shirt. But for the audience, just for visual clarity, seeing as you can't see, I now have tears in my eyes. Kieran, I've got to have my takeaway. We've got to help security leaders with something tangible. Aside from being fascinated, obviously.
B
For goodness sake. Well, you are the boss. Okay, can you figure out a way of shoehorning this in somehow?
A
I've got an idea.
B
Okay.
A
It might be good. So, Geoff, as you know, I do want our listeners in the cybersecurity profession to have something that they can learn from this. Aside from just being hugely entertained, I mean, you've shared lots of fascinating facts. So how about this? In 30 seconds or so, have a go at completing this kind of opening statement. I'll lead you in and see what you can come up with. The Conti group showed us that we have to be better at dealing with cybercriminals in the following ways. Can you do something with that?
C
I can give it a go, yeah. Yeah.
B
What are the lessons?
C
The lessons are out there in the world right now. There is a Conti gang or an equivalent who are surveilling your business. It's happening right now to your business. They are looking over your business and they are working out who you are, how much you're worth and how they get in. So understand that for a start. And they're going around industry by industry. You know, this week it's transport, next week it's pharmaceutical, next week it might be agriculture. So your chances of not getting on their radar are slimming down. So for a start, in the same way that, you know, when working out how vulnerable your flat is to being broken into, the best way is to break into it, start looking at yourselves as a target, if you're not doing it already. How are you vulnerable? What's your public exposure like? How much is out there about you? And I think this is what organizations really struggle with. What are the weak bits? And the difficulty with that, approaching that from an IT department point of view, is the IT department will always look at the technical weaknesses. That's not what people like Conti look at. They look across the organization. They look at the bits that don't think they're going to be attacked, you know, somebody in HR or payroll or something that doesn't think they're a target. So, again, looking across your organization, understanding the linkages between bits of the organization, understanding what's valuable and where it is, and understanding who controls that valuable stuff, and taking all your premises and all your prejudices away and really looking at your business: what do we do? What's valuable? Who controls it? That's a good place to start, because that's what Conti will be doing to you. That's the surveillance. Exactly what the Conti gang's successors will be doing to you.
B
That was annoyingly excellent, Geoff, because you've defeated my attempts to abolish James's takeaway, because you did far too good a job. So, Geoff White, thank you so much for coming back on the show. And when is this excellent new series out?
C
We are looking at the 6th of July for broadcast for series four of Cyberhack.
B
Excellent.
A
Thank you. There you go, folks. Well, Geoff, thank you again, not just for coming and tolerating Kieran and me for a second time. You really are a glutton for punishment, but for the work that you do. Now, I've known you a long time now, and these deep dives into cybercrime, I think, really do offer a unique perspective to those of us that bury our heads in code. And I think it's not only fascinating but incredibly helpful and a good reminder of why this work matters, the kind of life-and-limb impact that can come from it. So a personal thanks for your persistence and mastering of Russian, where appropriate, to read messages, including Russian slang.
C
Oh, thank you.
A
And with that, I think that is all we've got time for today. But again, of course, if you're fascinated by this topic, you can always pick up Geoff's upcoming podcast series. So thank you very much, everyone, for listening.
B
Thank you for listening. Thank you, Geoff. To listeners, do leave us a rating wherever you got this podcast. People who understand modern communications technology tell us that that sort of activity helps, especially if it's a nice rating. And if you have any suggestions or follow-ups on our show, email us at cyberleaderspodcast@sans.org. That's it.
A
And again, thank you everyone for listening.
B
Thank you for listening. And keep cybering.
A
For me, Kieran Martin, and me, James Lyon, it's goodbye. And friends, don't let friends use hackily put-together decryptors from cybercriminal gangs.
Cyber Leaders – SANS Institute
Date: June 19, 2026
Host(s): James Lyon & Kieran Martin
Guest: Geoff White (Cybercrime Journalist, author, and BBC podcast host)
This episode delivers a deep dive into the meteoric rise, operations, and collapse of the Conti ransomware gang, one of the world’s most infamous cybercrime outfits. Drawing on Geoff White's extensive research—including exclusive details from his upcoming BBC podcast and the trove of Conti's leaked internal messages—the hosts and guest unpack Conti's origin story, their attacks, the revelations from their internal leaks, and what these tell us about cybercrime today.
[00:02–05:45]
[06:18–12:35]
“These Russian guys approached me and they flew me across to Moscow and they knew a lot about cybercrime, this film company. And I was like, yeah, I bet they did.” – Geoff White [11:27]
[13:50–16:38]
“In Russia it is illegal to hack Russians in Russia, but ... not illegal to hack non-Russians.” – Geoff White [14:40]
[17:38–22:20]
“We APOLOGISE the Saudi royal family for this and of course, any inconvenience caused. We will now delete their data and take it offline. Now, of course ... they did no such thing.” – Geoff White [18:33]
[22:55–24:59]
“Local council ... just stopped. They couldn't get through on the phone. All the things they normally relied on, the carers, the helpers ... it just dried up. ... It really, really messed with them.” – Geoff White [23:33]
[26:32–31:24]
“The hackers did give over the decryption key. They managed to unscramble a bunch of this data. ... but it takes ages and ages ... even when they got the key and Ireland's HSE didn't pay ... it still took ages.” – Geoff White [28:13]
[33:08–36:44]
“Costa Ricans ... believe it was used as a test case. ... it can be sort of pushed around a bit, you know, just to prove what we can do ...” – Geoff White [33:08]
[05:51, 08:05, 41:07]
“What's brilliant about this is you hear from the criminals themselves in their own words ... you really see into their whole interior world.” – Geoff White [08:05]
[36:44–40:09]
“He is still apparently living at large and having a good life.” – Geoff White [38:30]
[41:07–47:08]
“...the lens that Conti's members use ... is this is a business. We are not attacking a victim. We are in competition with our victim.” – Geoff White [41:07]
[43:17–44:28]
[45:17–47:08]
“Look across your organization, understand the linkages ... what’s valuable and where it is, ... because that's what Conti will be doing to you.” – Geoff White [45:49]
On the value of leaked chat logs:
“What's brilliant about this is you hear from the criminals themselves... you really see into their whole interior world.” – Geoff White [08:05]
Conti’s operating environment:
“In Russia it is illegal to hack Russians in Russia, but ... not illegal to hack non-Russians.” – Geoff White [14:40]
Absurdities of cybercrime (Graff Diamonds):
“We APOLOGISE the Saudi royal family for this... We will now delete their data and take it offline. ...they did no such thing.” – Geoff White [18:33]
Psychology of cybercriminals:
“They regard this as ... competition between two businesses. ... It’s not criminality, it's just business.” – Geoff White [41:07]
Actionable closing lesson:
“Take all your premises and all your prejudices away... really look at your business: what do we do? What's valuable? Who controls it? That’s a good place to start, because that's what Conti will be doing to you.” – Geoff White [45:49]
| Timestamp | Topic |
|---------------|---------------------------------------------------|
| 05:45–06:18 | Geoff White’s introduction & approach |
| 09:25–12:35 | Conti group’s criminal roots (Zeus, Dire Gang, 25th Floor Film) |
| 14:40–16:38 | Operating environment in Russia, law enforcement |
| 17:38–22:20 | Graff Diamonds breach (celebrity data/apology) |
| 22:55–24:59 | Redcar Borough Council attack (critical services) |
| 26:32–31:24 | Irish HSE crisis (healthcare ransomware at scale) |
| 33:08–36:44 | Costa Rica attack & context for Conti’s collapse |
| 36:44–40:09 | Fate of Conti leaders & affiliates |
| 41:07–43:17 | Leaked chats: psychology and business framing |
| 43:34–44:28 | Are we better prepared now? |
| 45:17–47:08 | Security lessons & strategic perspectives |
Geoff White’s “action item” for security leaders:
Memorable Closing Thought:
“Friends. Don’t let friends use hackily put together decryptors from cybercriminal gangs.” – James Lyon [48:32]
For more on this subject, listeners are encouraged to check out Geoff White’s upcoming series on BBC: Cyberhack (Series 4 – The Conti Group, available July 6).