
Good morning, everybody. I'm very happy to see everybody here and glad to be here in New York City. I live in Milwaukee, Wisconsin, so for me it's a pleasant change of pace. Today I'm gonna be talking about a very interesting topic, actually talking today on two topics: to knowing I'm gonna talk about pen testing, but today we're going to talk about threat intelligence. The reason why we're going to talk about threat intelligence is to really cover probably one of the most interesting events over the past couple of years: the emergence of the ransomware gangs, the merger of multiple gangs, and then
unprecedented leak of the data that was out there, and now oat was probably over the past year, and it was a bit, probably 14 months, heard about Conti leaks and additional information. So I'm going to talk about this. I'm going to talk about our insight into the gangs that were called TrickBot and Conti. The story is actually interesting, but the reason why I'm going to tell you about who we are and what we do is to give you an idea of how threat intelligence can help society, how threat intelligence can understand and prevent cyber crime. Threat intelligence to me is not only about finding signals, it's about social
engineering, its ability to find the needle in a haystack. You would see the exploration of certain cyber gangs and ransomware gangs starts with social engineering; it does not start with anything else. Then we're going to be talking about technology and the way that bad guys use technology, the way they misuse it, and the mistakes they make, so we learn more about them. And the last component of threat intelligence is artificial intelligence. Right now, over the past six months, we talk about ChatGPT and other artificial intelligence components, but let me assure you that this is just a scratch of the surface. The threat intelligence is based on artificial intelligence learning models
that can detect cyber crimes and stop cyber crimes before humans become aware, and bring this to the surface much faster because of signaling. So we'll take a short journey today and talk about this.

But first, a couple of introductions of certain terms. I'm gonna use a number of different terms today for the gang. It's one single gang that we now know as Conti, but the history of it is: Emotet was a delivery infection mechanism sending out lots of phishing emails into people's mailboxes, operated by part of the TrickBot empire. The TrickBot empire is just data harvesting, abuse of that data, and moving this into the next stage, which was the ransomware components. Initially it
was the Ryuk ransomware, but when the Ryuk ransomware family stopped working properly and became very detectable, the same gang went to Conti. Conti was a ransomware gang on its own, but soon TrickBot and Conti merged into one group, initially operating separately. The reason why I'm telling you all about this is to kind of keep in mind that it's a part of one gang that started separately but then kind of gathered all together into one effective, unfortunately very effective, gang.

So I want to talk about discovering first: how we came about knowing how to get into a gang like TrickBot. It's much more difficult to get inside the gang on the
social engineering side. We see the effect of the gang on many different levels, but we see it as victims, and doing forensics does not get you any closer to the bad guys who actually commit these crimes. So how do you get inside the gang? Well, you start figuring out who is where, who's talking about certain things on the dark web. To do that we have analysts. We have dozens of analysts who spend their entire days on the dark web talking to the bad guys. We are very, very good social engineers. I am not a terrible social engineer, so if you meet me in the hallway after this I can show you lots
of tips and tricks on how to do even practical hypnosis of the bad guys over the chat. But to start with, you start very, very low. You see a couple of interesting trends of really bad guys that do reshipping: using stolen credit cards to buy goods, and they reship that to Russia and to other areas where they can sell these goods for profit. Some people start abandoning that business in 2017, in 2018. We found it, you know, kind of unusual, because the business was profitable and it was not in terrible shape. Nobody shut it down. The bad guys just gave it away or just completely
shut down. Why? What happened? So once you start figuring it out and talking to the people, you figure out that the Emotet and TrickBot gang were heavily recruiting from 2016 to 2019, and they recruited other bad guys who abandoned their businesses because TrickBot was unfortunately much more profitable. The bad guys could make a hundred thousand dollars overnight with a very successful ransomware attack, and that's on a single target, part of a larger game. So we noticed that some people abandoned business, and when we start talking to them, they told us, "Hey, there is a big secret. We can actually get in on the ground level to this great game." And really, for a
ransomware gang that has its roots in 2015-2016 cyber criminal groups, and they were just extinguished last year, six years of operation is quite a bit of history, quite a bit of profit. So we were able to get introduced into the TrickBot gang through many different channels, but it really started with a couple of very basic channels abandoning their old businesses. And then, once we were in, we started suggesting to the gang members, "Hey, I know this person. This person is great, and this person is great as well." So we actually were able to bring in other aliases, other personas, into the gang, also referring to them as, you know, very
trusted producers. But how do you stay within the gang without really committing any crimes, really trying to learn about everything but not really doing anything bad? And we hadn't done anything bad. Well, there is a really easy trick: you talk big but you do nothing. If somebody says, "Hey, can you help me with this?", "No, no, I'm busy with another bad thing." Or we come up with an agenda, saying, "Hey, we are building out this great new thing," and then when somebody takes down some infrastructure on law enforcement, saying, "Hey, they just took down everything we had." So we were able to run circles around these guys, build connections, and get into more of an observer role in order
to figure out what's going on.

But one of our first encounters, once we got access to part of our infrastructure, was the sheriff's office in Vigo County, Indiana. It's a very, very small sheriff's office. I think I've been to Terre Haute, which is the part of Indiana where this is. But this little sheriff's office was taken over by the TrickBot virus. So on May 28th we detect this infection. We're actually seeing the components of their AD infrastructure showing up within TrickBot panels, and we are seeing the infrastructure: we see their jail cell cameras being infected, and booking PCs, and mayor's computers,
sheriff's computers, all fun stuff. You know, so we need to reach out immediately. We make three attempts to reach out to these guys. They just ignored us. When we reached out through a trusted third party, they ignored them as well. Finally we made a phone call to one of the reporters, saying, "Hey, there is a ransomware attack about to happen in Vigo County, Indiana." And the reporter makes a phone call to Vigo County, and they tell them, "Everything is under control. We got it. Thank you for letting us know. Thank you very much." That happens within the first two days. Then unfortunately, three months later, or two months
later, we read in the news that Vigo County Sheriff's Office did pay ransom to TrickBot. So this began a very long, very tenuous process of monitoring the gang and letting people know that they've been breached: companies, government institutions. I would say a great thanks to the U.S. Secret Service, who worked with us for many months and years on this and took a lot of information from us, stopping a lot of cybercrime, a lot of things but disseminated through our networks, but our law enforcement was an integral part of this as well.

So how do we progress further? How do we get in much further within the
gang? There are lots of different ways, but I'm gonna teach you one of the most interesting ways that we've seen. First of all, "one thousand and one best ideas for a present for your girlfriend." We really saw that one cyber criminal with nearly full access to the TrickBot infrastructure, at least the reporting part, decided to go for option 537. He gave his girlfriend access to TrickBot to buy herself something nice from stolen funds. In Russia, maybe it's okay for them to do these things. Please don't give your significant other presents like this. But we definitely saw an interesting change, because
this young lady turned out to be very entrepreneurial and very, very curious. So she asked a lot of questions, and she was not very shy about sharing that information with others. So as we made friends with her boyfriend, he said, "Hey, I gave my girlfriend access," and he introduced us, our personas, to her. And she asked us a lot of questions, and she gave us a lot of access. No idea what OPSEC is, thank you. But definitely, you know, she gave us information that we need to know. So she would ask us visually, "Hey, what is this?" and takes a screenshot of her system. Well, we tell her, you
know, "No idea, you know, I don't know," but she actually shows parts of infrastructure, parts of logins. And when her boyfriend was busy, she would ask for help, and she's like, "Hey, you know, here's my login details to my virtual machine. Can you help us out?" Yes, we did. So we logged in, we got information. It's very curious that this young lady used stolen funds from the victims to buy things like squeegees for her car, things to remove scratches from the bumper of her boyfriend's car that she scratched, things for toenail fungus, other girl things. But
nevertheless, she was actually very informative, and the server actually became one of the most interesting early-stage access points for us to get more information out of this. So she would show information and actually keep relatively good accounting of abuse devices. You probably can't see it here, but it's just a list of abuse devices, the access she got, and what she did was that if she was able to cash things out, use a credit card, I'm gonna pass it to somebody else. Well, that was nice and good for stolen information, access to the botnet data, but what happens next? Well, now she is trying to make
bigger bucks, you know, maybe buy more expensive, nicer things. So now she was introduced further into the gang, into their Jabber server, and the Jabber server administrator actually went through great pains explaining to her visually, thank you very much, how to log into the Jabber server, and giving her very important information like, you know, her password. Kot is in Russian "cat", and her password is, you know, it's fancy: it's got the uppercase, a number, a special character. It's a good password, use it. So Kot had the password "password", and the admin for the Jabber server had a much more complicated password because he had number one at
the end of his password that says "password". So we were able to assert admin rights within this Jabber server for a number of years. From 2019 until the last days of the Conti gang, we had visibility into most, if not all, communications within the gang that were not encrypted. We were able to get inside of their most critical communications using this and other techniques.

What we call Conti leaks was said to be an exclusive product for Hold Security, for my company, that was delivered to us every single day as the data was streaming through the Jabber servers. We had a different opportunity from a lot of
folks that are here who heard about this. When the breach became public on, I believe, February 27th of 2022, everybody starts reading the data, who could read and translate, who could, good. But we had this opportunity to interact with this data. We read this data every single day as it was happening, preventing the breaches that they discussed. You can see in the chats that a lot of things that they were planning to do didn't pan out, a lot of them due to our work and ability to intercept that. Not only that, we had a great opportunity to use this data as conversation points. When you read
history you cannot change history, but when you are seeing today's or yesterday's news you can use that knowledge to talk and ask additional questions. You can manipulate the bad guys into disclosing more information by having the inside track. So what we know as Conti leaks was a great tool for our discovery. I'm not going to spend too much time talking about this. There are lots of parts of Conti leaks that were not released yet. The person who is called the Conti leaker is a friend of mine. His name, his identity, will remain private until he deems to disclose himself with his identity. But
more about the operations. The operations continued, and with more visibility, more based in, we were able to see every single aspect of this gang as it was evolving. So we talked initially about Emotet, and Emotet was a phishing campaign. The management panels for these phishing campaigns: they were sending out tens of thousands, if not hundreds of thousands, of emails on a daily basis, and they kept statistics. They would have the knockback servers, the infection servers, the payload modifiers, and they kept very scrupulous details of how the infection rates are going. If the infection rate is too low, if the click rate is not working, they would change the email campaigns, they would change
the infection agents. So this was an extremely complex component that's happening. But within the ransomware gang, the big part is ransomware itself. So how do you keep everything straight? How do you keep all the communication straight? There were tens of thousands of victims ransomed during that time, and how would you use even communication components? Now, as ransomware unfortunately evolved, there are panels for ransomware negotiations. Back then there were no panels. They were just simple email components, and Protonmail, an anonymous email server, was the de facto main component for communication between the ransomware guys and their victims. But how do you keep track of so many victims and so many
Protonmail accounts? Well, the nice guys that were really harvesting all that information, they asked us to keep an eye on their operations. We said that we will, and then as soon as they gave us information, today it's too much work. But 10,000-plus Protonmail accounts were used for the ransomware harvesting. Each account would have a complex password, each account would be unique, and you cannot aggregate that information all in one. So you would be gathering all this data through scripts into one place to see if somebody sent you a new email. From that perspective, watching ten thousand accounts was a job of two
cyber criminals within the Ryuk gang. And once the account is activated, meaning that ransomware attack is happening now, there has to be a negotiation account assigned to it. The strain of ransomware, so it would be like a t2-245, so it would be the type of ransomware and that encrypted target, it would be assigned to an email address, and this email address would be used for negotiations. Even having this much information didn't help much to us or even to law enforcement. Even though you know how the bad guy is negotiating, it's not like this account would have a password, decryption keys. Unfortunately it was extremely difficult, and in very few
cases we were able to obtain the decryption keys for the victims ahead of time. But from the perspective of seeing negotiations, seeing some of the internal components within that gang, we knew how to assist certain victims, we knew how to press the bad guys, and we knew their breaking points as well. But having all this information turned out to be not very useful, even from the legal perspective. Entering any of these email accounts is a trespass. Protonmail are the owners. Yes, for a certain portion of time they were asked to enter those accounts, but when that permission was revoked, law enforcement cannot enter it, we can't enter it, without warrants or
without legal reasons. So unfortunately not much can be done about these accounts, and quite a few of those were used for offshore ransom negotiations.

I'm going to give you an interesting story about how the bad guys perceived the ransomware attacks, how they were handling them, and how the bad guys' minds work. Believe it or not, ransomware, the type of cyber crime, is based on an honor system. The bad guys have to be brutally honest with their victims, what they call customers, and they're paying customers and bad customers for them. The reason why ransomware is a crime of honor is that the bad guys always need to be
transparent, and they cannot ever lie. The reason why victims pay is because the ransomware gang never lies to them. If they say that they're gonna release data, they will release data. If they're gonna destroy the decryption keys, they will destroy the decryption keys. If the victim pays, they would never put them into double jeopardy; they would not extort them. So the victim knows that if they pay, they're going to get their stuff back. So this is a part of the game as well. Russians unfortunately became very, very transparent, very honest about these things. The cyber criminals in China, in North Korea, and other places sometimes will cross the victims, but
Russians consider this to be a crime of honor. They actually get very offended, to the point of physical violence, if somebody would suggest that they don't deliver on that promise. If you think about this, you would understand how important the consistency for that crime is. So I'm going to give you an example of something like this. In 2019: good news and bad news for Ryuk. This is in Russian, but I don't think you would be able to read it even if you could read Russian, because of the size of the screen. Nevertheless, this is communication from one of the Ryuk bosses to the group saying that
one of the cyber security firms found a weakness where in some cases the decryptor for Ryuk would not decrypt certain very, very large files. One-terabyte-plus files would not be decrypted using their decryptor. And they call it bad news. They say that this is bad news because it's a bug. The reason why it's a bug is that it stops the delivery of the promise, the promise to decrypt. So they take it very scrupulously and tell us terrible news, that there is a bug. But the good news is, first, there is a fix: we rolled out the fix, all new ransomware is going to be with that fix. And second, we went
through the history, and no files were really subject to that bug to the best of our knowledge. So the bad guys see good news as the ability to fix that software. It's almost real software development to this degree, and from that perspective you need to get into their minds, how set the bad guys are on committing certain cyber crimes.

In the time of COVID we've seen a number of different cyber gangs, especially ransomware gangs, taking moratoriums on attacking hospitals. They said that they don't want to be responsible for people's deaths and they didn't want to cause any more trouble, and some gangs were really set on
this; others took much more offensive actions. So let me give you a little bit of background story. We start at the end of August of 2020 with U.S. Cyber Command taking perhaps its first public offensive operation, and that was against the TrickBot gang. They start slowly, but then much more forcefully toward the end of September, polluting data within TrickBot by sending wrong signals from different subnets, from different IP spaces. Because we were harvesting data on an hourly basis from the panel, we were seeing, okay, not only by the device name, not only by information, but also by IP origins, and all of a sudden you start seeing
thousands, eventually 2.7 million, new entries inside of the TrickBot panels, delivering information from all kinds of subnets, government subnets, major corporate subnets, and stuff like that. When we start looking at the data more specifically, there was nothing interesting. That was the U.S. Cyber Command attack. Secondarily, Microsoft petitioned courts based on IP addresses of C2 components
infrastructure. Microsoft petitioned courts to take down part of that infrastructure, not only in the United States but all around the world. Unfortunately this was only wounding the beast. It was not really destroying the gang, and unfortunately this just made the bad guys angrier. Within hours of the TrickBot infrastructure becoming inoperable because of these takedowns, TrickBot gang members Stern and Mango turn to another large data broker called Aggressor. Aggressor is another Russian threat actor who gathers a lot of stolen data. Now he's selling stolen credentials; before, he was actually selling botnet loads. Having access to huge botnets such as
Raccoon, he was able to load TrickBot agents, payloads, onto more than 100,000 devices in the days following this takedown. So the TrickBot gang was never really down. They were infecting and continuing their game, and the full ransomware operation resumes within two weeks. So in early October the gang goes down; two weeks later they're back at full strength, and they're angry. They lost much of their momentum, they lost many of their victims, they got a lot of their data ruined, so they were not very happy about us. On October 21st we were monitoring a lot of Cobalt Strike servers used by pentesters from the TrickBot gang and the Ryuk gangs, moving
laterally within corporate networks, and we are starting to see a large number of medical institutions within these Cobalt Strike servers. It was extremely unusual. But then on October 26th the TrickBot operators within the Jabber channel say a very, very scary thing. They got access, according to them, to 428 U.S. hospitals, medical systems, and clinics. They claimed that this access was already actionable, and they targeted specifically the U.S. as retaliation for U.S. actions against them, and they would expect panic. They use expletives in their writings, really expecting us to back off. I can tell you that from October 21st and for the next two weeks I probably got a total of, you know, two hours of
sleep every night on average because of our attempts to stop the attacks. I also want to thank Mandiant, now part of Google, whose teams also worked around the clock trying to prevent attacks and encryption. I think we prevented, in our collective effort, more than half of the victims' attacks. Some of them were at stages of lateral movement, some of them at early stages of encryption, but the bad guys lost most of the momentum. Unfortunately a couple of major hospitals were impacted in that, really, you know, a big loss for the community, especially in times of COVID.

This obviously got a lot of attention
from the community, and the FBI along with international law enforcement goes and tries to do an Emotet takedown. Emotet is an infection agent, as we talked about. So we are seeing the takedown efforts in January of 2021, and that's a good thing. Dima, or Dima cheap, one of the operators, administrators of the Emotet botnet, actually leaves src.tar.gz in the root of one of the servers. So, you know, you should look for these files on the bad guys' servers, apparently. But he leaves this file and law enforcement gets it. Much of the infrastructure
was actually gathered from this, including Dima Chiefs information. Morse, who is the cyber criminal in charge of the Emotet operation, and Stern, who is in charge of the TrickBot operation, know that Dima is doomed. You know, they know that the data was leaked, and they are leaving much of the infrastructure of Emotet to be taken down. They know that law enforcement is coming. They're not doing anything to warn Dima of an arrest. They're not doing much to stop any of these attacks or arrests. And in the midst of it there is a threat actor that is quite pertinent, a name called Taker. Taker is
one of the most interesting people that we interacted with, because the guy is extremely paranoid but extremely technically capable. We talked to him on and off on many different levels, even until recently, but at the time we were feeding his paranoia. He is extremely prone to paranoia, living in Moscow. We put in ideas, saying, "Hey, you know, big things are coming." And Taker is an extremely intelligent person. He actually hacks Emotet himself, gets root on one of the servers, and comes to Stern and says, "Hey, look what I can do. I'm good enough, I'm smart enough." And then Taker gets COVID.
Given a lot of paranoia that we put in, he is afraid to go to a doctor, but he eventually goes to the doctor, and he is placed in a Moscow hospital for a typical three days. He's feeling fine, but they keep him for 10 days, and when he tries to leave, the doctor tells him he will get arrested if he leaves. So this all feeds the guy's paranoia. His health is never in danger, but his mental health, unfortunately, you know. Well, at least it was stopping him from doing bad things. With all that said, we are actually seeing how Taker's afraid of things when he leaves the hospital, and he gives a full account of how he was leaving the hospital,
looking left and right for any Russian law enforcement to grab him and drag him to prison, and nothing happens. He does not take public transportation. He walks for an hour to his apartment. He sits one floor below his apartment looking for an ambush, then he goes up one floor, sits around an hour, then he walks into his apartment waiting for somebody to spring out and, like, scream "Surprise!" or "You're under arrest!" or something like that. So, you know, once he makes it to his home, he reaches out to Stern and gives him the first warning of bad things to come, which unfortunately didn't stop the gang but stopped some of
the activities. Stern sees the Emotet takedown as an opportunity to put Taker in charge. So we are seeing real hackers' intrigues internally, as the bad guys are trying to fight for control of different components. This is where Stern, the leader of TrickBot, puts his person in charge of Emotet's infrastructure and eventually pushes out the leader of Emotet into retirement. So with all these breaches we are seeing the change in the TrickBot empire. It's the beginning of the downfall.

In June of 2021 we get introduced to this young lady. This is Russian, but she never lived in Russia. She was born in Rostov
on Don, and she became a failed cyber criminal. She had no clues about operational security. Before the Soviet Union dissolved, she moves to Riga, and from Riga, where she gets her education, she moves to Amsterdam. She becomes a very interesting, very prolific developer, breaking a lot of gender and age barriers. She writes quite heavily on social media that she achieved a lot by being a woman and of a certain age, that she felt that she was older, beyond all her friends and family saying, "Hey, you, it's not yours." So she actually becomes a developer. She is a good developer. She works on C, C++
development components for a legitimate company in Amsterdam. Then in the mid-2010s she moves with her family to South America, the country of Suriname, but she is still developing code. She's still working and hoping to become the best developer ever, according to her. In 2019 she gets recruited by the TrickBot gang. They find her basically on a job site and they offer her a job. This lady becomes part of the gang, and she still has no idea of operational security. She knows nothing about it. She initially uses her name, Alla Witte, her real name, until somebody in the TrickBot gang says, "You know, is this really your name?" She's like, "Yeah."
"Like, change it." So she changes it to Max. Max is her husband's name. So in the Russian language the pronouns are very defining as you speak, so you can't say many sentences without defining your gender. So she always writes as feminine, even though there are other gang members who are women who write as masculine. So she never hides who she is, where she is, and stuff like that. She never talks about her age, but she definitely shows who she is very prominently, and then she overshares quite a bit, even flirts with some of the guys.
But the reason why she gets caught is, again, lack of understanding of what OPSEC is. On Christmas Eve of 2019 she actually infects herself with a TrickBot agent. So she becomes a part of the TrickBot botnet, and we get all the good stuff from her computer, literally everything that she was logging into, everything she was doing, becomes part of TrickBot stolen information. And that doesn't go unnoticed. Three weeks later another cyber security researcher reports on Twitter that she actually uses her own domain, where she advertises her development services, .nl, Netherlands, to deliver TrickBot payloads.
It does not get any more simple. So our law enforcement picks up the scent immediately. There is a warrant of arrest, I believe, issued in August of 2020, but in February of 2021 she actually gets arrested in Florida and transferred, I believe, to Ohio. Well, what happens? Alla Witte is actually a good developer. She's a friendly person, and according to the bad guys she was very cost effective as a person who wrote code that became a basis of ransom for many companies. They think she was making lots of money. No, Alla Witte was making per month fifteen hundred
dollars. That was her monthly salary. She never asked for more. She was very happy. So she was one of the victims of the crime. But from the human perspective, the heads of TrickBot decided to help her. These are actual screenshots of the phone of Mango, second in command of TrickBot, trying to reach out to lawyers in New York about helping Alla Witte. And once they start reaching out, they also tried to reach out to real lawyers to defend her, and then exposing some of the resources. If you look very carefully, it actually gives Mango, second in command of the TrickBot gang, his own brother's address and
business. But besides that, when they actually reach out to lawyers, the lawyers say, "Oh, it's going to cost 120,000 to get them started on the case," and the bad guys said, "Well, poor Alla, tough luck." So they kind of abandoned any support and help for this lady, who I consider to be as much of a criminal as a victim of the crime.

But 2021 was supposed to be a year of transformation. The relations between the United States and Russia deteriorated, and the gang was really feeling that they would be completely unpunished and free for their operations. They have two offices, physical offices, in Moscow. They build
full infrastructure with administrators. They spent two billion rubles between April and August of 2021; that's 25 million dollars for expenditures. Think about the company, any company, that would spend 25 million dollars for expenditure on anything to grow. Well, the ransomware gang spent that much money to become better, bigger, and they were in the process of hiring 200-plus developers and pentesters. They had three people in HR actually going through interviews, and they went through so many interviews with them, and this interview is not that easy, so some of our pentesters really had a tough time passing this. They also in 2021 spend time intimidating other gang members, getting the best ransomware threat
actors under their roof; otherwise they scare them with doxing or even with physical violence. And the gang even goes as far as actually offering money to buy one of the major Russian-language dark web forums, 10 million dollars or so, trying to buy these forums to have this as their base. They feel completely above the law, operating in Moscow and St. Petersburg, and they're moving around. Let's talk a little bit about Conti. I already mentioned that they are long-term partners, and the person named rashayev is the main liaison to TrickBot. These threat actors, again, their names appear quite a bit in Conti leaks. Enigma, which is ransomware that
was supposed to be a successor of Ryuk, developed partially by Alla Witte, was supposed to be pushing TrickBot out, but leaking the source code that we had access to really destroyed Enigma as the prospective upgrade for Ryuk, so they unfortunately turned to Conti. And in 2022, just before the war in Ukraine, just before the Conti leaks, the bad guys start getting messages from the government, from internally, that it's becoming too hot. Literally three weeks before Conti leaks, most of TrickBot and amateur threat actors exit the scene. They quit publicly, saying, hey, we are no longer working for the gangs, we are out. The war breaks out on February
24th of 2022 between Russia and Ukraine, and Conti makes a bold step in the first hours of the war, supporting the Russian government. But that's kind of, you know, the big statement. From the perspective of the people within the gang, they absolutely hated Russia. They were saying that they hope that bonfires engulf Red Square and the Kremlin, with Putin a headliner within the bonfire. And that's normal, I mean, you know, as we work for companies we don't have to agree with our company's decisions or social values. So the dissent was within Conti. But Conti leaks emerges as the Conti group supports
Russia. A very brave Ukrainian says to me that he cannot fight with weapons; he would pick up weapons if need be, but he is a cyber security researcher, so he would pick up cyber weapons and he would move forward. He discloses several years' worth of chatter on Jabber and a lot of source code, and this really devastates the gang. The devastation is not only by knowledge, but also the bad guys were reading what other bad guys were saying about them, so much of this tension, much of the gang, much of their cyber crime was really over, and this is a deadly blow
to the gang. The gang never recovers, and there are additional leaks, but the show releases information right after that. Conti goes on for about eight, nine months as a gang, but they don't do much crime. This is a screenshot from one of their panels. They decentralized, much better OPSEC, they only talk to their friends, but they still continue ongoing operations and they are working under a branding. Today TrickBot and Conti don't exist as gangs. Their members, some of them retired, some of them were named in international lawsuits, actions, and others are part of other ransomware gangs. But this is a story of a gang that thrived,
terrorized people, and at the end, through many different actions, through many different efforts, the activities were hampered, their information was disclosed, most of their identities were identified as well, and they're out of business. That's a story of the rise and fall of the TrickBot and Conti empire. Thank you guys.
families do you think that part of that, what is purposeful, was that they, that hockey games like mentioned, a sort of new, you know, before the leaks happens it would be helpful to rebrand?

Well, just imagine that the 50 developers, and they all work within one gang, and that gang is over, so they all move, regrets, to a different place. But at the same time, as we saw within TrickBot, members of Conti, within Conti, were members of BlackCat, ALPHV, and many others. So there was already presence, there was already interaction at the time, and with data brokers and everything else, it's
already been diversified. Just the actors stopped identifying themselves as Conti, but for five minutes they actually had a Ukrainian-speaking front for their ransomware, trying to show that they're not Russian at all, and that didn't work. Okay. [Applause]