
Google Blows Lid Off Conti, Diavol Ransomware Access-Broker Ops
2022-03-18 14:49

Google's Threat Analysis Group has provided a rare look inside the operations of a cybercriminal group dubbed "Exotic Lily" that appears to serve as an initial-access broker for both the Conti and Diavol ransomware gangs.

Researchers' analysis exposes the business-like approach the group takes to brokering initial access into organizations' networks through a range of tactics so its partners can engage in further malicious activity.

"It's a full-time job," Google TAG researchers Vlad Stolyarov and Benoit Sevens wrote in the post.

Google TAG first encountered Exotic Lily last September, when the group was doing just that - exploiting the zero-day Microsoft flaw in MSHTML as part of what turned out to be a full-time IAB business "closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol," researchers wrote.

The group has maintained a "relatively consistent attack chain" during the time it was being tracked by researchers, with its operators "working a fairly typical 9-to-5 job, with very little activity during the weekends," researchers wrote.

In November, Google TAG observed the group impersonating real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.
News URL

https://threatpost.com/google-conti-diavol-ransomware-access-broker/178981/

Related vendor

VENDOR   LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Google   141                   994   4850     2758   1620       10222