Google exposes tactics of a Conti ransomware access broker (Security News, March 2022)
Google's Threat Analysis Group has exposed the operations of a threat actor group dubbed "EXOTIC LILY," an initial access broker linked to the Conti and Diavol ransomware operations.
As an initial access broker, EXOTIC LILY uses large-scale phishing campaigns to breach targeted corporate networks and then sells access to those networks to ransomware gangs.
While the activities of EXOTIC LILY overlap with Conti's own operations, Google's threat analysts believe it's a distinct threat actor focusing entirely on the establishment of initial network access.
"While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors," details Google's report.
Recently, researchers discovered that the Conti ransomware operation had taken control over the development of TrickBot's malware families, which is supported by conversations between Conti managers exposed in the Conti leaks.
It wouldn't be surprising if Conti had its own internal teams that focused on high-level spear phishing and initial network access that deployed these infections.