Insights from Black Hat 2024: Relationships Matter (if you are an eCrime group)

by Dalya Manatova on 2024-08-10

BlackHat, eCrime, Social Networks

At this year's (2024) Black Hat conference, we had the opportunity to share our latest research titled "Relationships Matter: Reconstructing the Organizational and Social Structure of a Ransomware Gang." This talk delved into the methodology to study the social and organizational dynamics of one of the most profitable cybercriminal organizations to date, the Conti ransomware operator, offering a perspective on how, nowadays, eCrime scales up its illegal business by leveraging social capital. We argued that threat modeling should consider the business nature of eCrime organizations; just like the weather, it is part of planning and business decision-making.

Jean and Dalya on Stage at BlackHat 2024 before the talk

Understanding Cybercrime as Organized Social Systems

We talked about the latest trends in modern eCrime forums, such as the demand for “boring jobs” required in the eCrime community, as well as standardized and organized eCrime that seeks resilience to adversities it faces, such as security defense mechanisms and law enforcement operations. eCrime groups scale up to become organizations that sell commodities and, therefore, require certain organizational characteristics to excel in their management.

Our research approached this issue from a novel angle, utilizing a combination of classic economic, network science, and organization theories to dissect the organizational and social structures within the group. By analyzing leaked chat logs, we show that we can uncover the deep-seated hierarchies, relationships, and operational processes that contribute to the group's dynamics.

Key Takeaways: The Organizational Dynamics of eCrime

Through our talk, we highlighted several key takeaways:

Resilience: As we start treating eCrime as a business-like enterprise, we can refer to organizational science theories that tell us the characteristics of an organized group that help build resilience. The major five are established communication structures or certain hierarchies, specialized division of labor, shared rules and norms, aligned goals, and strong relationships. Conti has shown signs of certain resilience as a collective of individuals existing under different names and operations for at least ten years.

Cultural and Social Dynamics of eCrime: Cultural background and shared political and economic goals foster trust and cooperation within the group, since they amount to aligned goals and norms. Shared motivations and political alignment are evident in the leaked chats, and in some cases the discussions can inform future targets. Humorous exchanges show that the group's members support the political ideology behind Russia's invasion of Ukraine, although some messages reveal hesitation about this new (for the group) official alignment with the state. Such nuanced analysis is possible with fluency in Russian and can be missed by machine translation, which does not capture certain tones and humor as linguistic elements.

Social Network Analysis of eCrime: Using social network analysis, we see that eCrime communities are scale-free and significantly connected across diverse types of crime (even physical crime), even after they have become organized groups. However, the high clustering coefficient of Conti's less connected members prompts us to explore the more nuanced operational dynamics of the group: a few members are connected to most of the organization's network, and are presumably its leaders and managers, while the work is done by the less connected members, who have their own relationship networks.
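To make the clustering-coefficient argument concrete, here is an added example (not code from the talk or the underlying research) that builds an undirected contact graph from a constructed list of direct-message pairs with hypothetical handles, then reports each member's degree and local clustering coefficient so the "few hubs with low clustering, many workers with high clustering" pattern can be seen directly.

```python
from itertools import combinations
from collections import defaultdict

# Constructed sample of (sender, recipient) pairs standing in for a leaked
# chat export; the handles are hypothetical, not real group members.
MESSAGES = [
    ("lead", "mgr"), ("lead", "dev1"), ("lead", "ops1"),
    ("mgr", "dev1"), ("mgr", "dev2"), ("mgr", "dev3"),
    ("mgr", "ops1"), ("mgr", "ops2"), ("mgr", "ops3"),
    ("dev1", "dev2"), ("dev2", "dev3"), ("dev3", "dev1"),
    ("ops1", "ops2"), ("ops2", "ops3"), ("ops3", "ops1"),
    ("dev2", "mgr"),  # a reply folds into the same undirected tie
]

def build_graph(messages):
    """Undirected contact graph: a tie exists if either party messaged the other."""
    graph = defaultdict(set)
    for sender, recipient in messages:
        if sender != recipient:
            graph[sender].add(recipient)
            graph[recipient].add(sender)
    return dict(graph)

def local_clustering(graph, node):
    """Fraction of a member's neighbour pairs that are themselves in contact.
    Members with fewer than two neighbours get 0.0 by convention."""
    neighbours = graph[node]
    if len(neighbours) < 2:
        return 0.0
    closed = sum(1 for a, b in combinations(neighbours, 2) if b in graph[a])
    return closed / (len(neighbours) * (len(neighbours) - 1) / 2)

def summarize(graph):
    """(handle, degree, clustering) for every member, most connected first."""
    rows = [(n, len(graph[n]), local_clustering(graph, n)) for n in graph]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def hub_vs_periphery(graph):
    """Clustering of the single most-connected member versus the mean clustering
    of everyone else; a wide gap is the 'managers versus workers' signal."""
    rows = summarize(graph)
    hub, _, hub_cc = rows[0]
    rest = [cc for _, _, cc in rows[1:]]
    return hub, hub_cc, sum(rest) / len(rest)

if __name__ == "__main__":
    g = build_graph(MESSAGES)
    for handle, degree, cc in summarize(g):
        print(f"{handle:5s} degree={degree} clustering={cc:.2f}")
    print(hub_vs_periphery(g))
```

On real chat data the same two numbers per member, degree and local clustering, are what separate the well-connected coordinators from the tightly knit work teams the talk describes.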

Relationships and Roles: Every organization of people develops relationships between its members, and cybercriminals are people too. As most of them work remotely, their textual communications reveal not only operational details but also let us model their relationships. Our categorization of textual communications (mentoring, hierarchical, or friendship-based) is based on discourse analysis: we annotate messages according to the intention of the message and the linguistic markers it carries, such as informal forms of address, hedging, an apologetic tone, or signs of respect. This lets us map textual communication patterns to relationship types, which in turn reveals the network of relationships within such a group. This insight into internal dynamics sheds light on how such groups adapt and survive under external pressure, and subsequently helps us better understand subcommunities within Conti and the emergence of new groups.

Why This Matters

The implications of our research extend beyond Conti, offering broader insights into how eCrime is organized in groups. By applying tools traditionally used in the analysis of legal businesses to the world of cybercrime, we provide a more nuanced understanding of these threats. Our findings suggest that disrupting such organizations requires a deep understanding of their internal structure and the relationships that sustain them.

Conclusion: A Call to Action

Our research underscores the importance of viewing eCrime not just as a technological threat, but as a business with its own culture, structure, and social dynamics. By understanding these human factors, we can better anticipate and disrupt the activities of such groups. We hope our presentation at Black Hat inspires further exploration into the organizational aspects of eCrime, leading to more effective strategies in threat modeling and in combating these persistent threats.

For those interested in a deeper dive, components of our research have been published in academic venues such as WACCO and APWG, and we continue to develop new insights into this critical area of cybersecurity.