Security Operations

Countermeasures and observability key to defending against attackers trying to buy security products

The leak of Conti ransomware's internal chat logs revealed the attackers tried to buy security software so they could figure out how to bypass it and avoid detection

This week a Ukrainian security researcher leaked multiple years of chat logs and files from the Conti group. Conti is a ransomware group that Sophos has been following closely for a number of years. On Feb 28, we reported on a Conti attack targeting a healthcare provider.

In those chat logs we see mention of how the Conti group tried, and failed, to purchase licenses of Sophos Intercept X (or “Endpoint Security”). According to the chat, they were doing this so they could test their latest malware to see if Sophos’ products would detect it.

This is a common strategy among malware developers and groups: they acquire or steal as much security software as they can in order to test whether their malware can effectively evade it. Vendors across the security industry see this practice, and Sophos takes precautions to mitigate the risk in its product development and operations.

What’s interesting here is that the chat logs show that Conti’s attempts to bypass Sophos products were unsuccessful and that, as a result, they attempted to acquire a license in order to gain further access for their tests.

Getting access to security products

To begin with, we can see that the Conti group signed up for a free trial, which is available online. You may be asking yourself, “Why don’t you block them from getting a trial account?” The answer is straightforward: any kind of blocking could inadvertently block legitimate users, and these “testers” supply us with intelligence that helps us better defend our customers and partners.

Next, we can see that on May 27, 2020, the Conti group attempted to upgrade their free trial by purchasing the full product.

They tried to do so under the guise of a fictitious company called DocSoft, which purported to be based in Kyiv, Ukraine. One of our countermeasures for this type of activity was triggered: we flagged the account as suspicious and, together with our channel partner in the region, required a video conversation before the transaction could proceed.

This countermeasure was effective: the Conti group abandoned the transaction at this point. It appears that a video call was just too risky for them.

The leaked chat logs match this timeline: the published logs show that the Conti group’s attempts to obtain these licenses failed.

What else we learned from the logs

It is worth noting that the logs also indicate that one of the reasons they were trying to get more access to Sophos’ products was that our products were successfully thwarting aspects of their malware and techniques. They apparently hoped to use the fully licensed products to figure out how to bypass the protections that were stopping them.

Why tell this story?

We believe it is important for security vendors to share information about how adversaries try to buy products, as it can help others be on alert for the tell-tale signs so we can all better protect our customers.

As Joe Levy, our chief product and technology officer, said on Twitter in response to the chat disclosure, “Better to invest in hardening, observability, and improved detections than in commercial hoops beyond basic trial/eval diligence.”