Google: Initial Access Broker "Exotic Lily" Uses Spear Phishing For Both Conti And Diavol Ransomware Gangs

Exploiting security weaknesses and vulnerabilities, together with spear phishing, are the tools of initial access brokers. These brokers work with many ransomware groups to shorten the time needed to get in and to penetrate an organization with ransomware efficiently. Google reported on “Exotic Lily”, a broker that specializes in spear phishing. It is highly recommended to provide continuous security awareness training and simulated phishing to your users; both are needed to mobilize them as your last line of defense.

“Google’s Threat Analysis Group (TAG) researchers reported on the operations of a cybercriminal operation named “Exotic Lily” that specializes in providing initial access through spear phishing for both the Conti and the Diavol ransomware groups. Like other groups, they are highly organized with specialized operations, often employing many workers.”

Full-Time Phishing Business

Threatpost also noted, “while bug exploitation is part of its work as noted, Exotic Lily’s main business operation is to use these spoofed email accounts to send spear-phishing emails. They often purport to be a business proposal, such as seeking to outsource a software-development project or an information-security service.”

“One unique aspect of the group’s method is to engage in more follow-up communications with targets than most cybercriminals behind phishing campaigns typically do, researchers observed. This activity includes operators’ attempting to schedule a meeting to discuss a project’s design or requirements or engaging in other communication to gain affinity and trust, they said.”

“In its final attack stage, Exotic Lily uploads an ultimate payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and then uses a built-in email notification feature to share the file with the target.”
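The hand-off described in the paragraphs above (a long business-style exchange that ends with a file delivered through a public file-sharing service's own notification e-mail) is something a mail-security team can look for. The script below is an added example for this post, not code from Google TAG or Threatpost: it scans constructed mail-log records and flags messages whose sender or links belong to a file-sharing service, rating the finding higher when the external party in the conversation thread is not an already-known partner. The notification domain list (`FILE_SHARE_DOMAINS`), the partner allowlist (`KNOWN_PARTNERS`), the `thread_domains` metadata and all sample events are assumptions made for the example and should be replaced with your own mail headers and vendor list.

```python
"""Flag inbound mail that matches a file-share hand-off pattern:
a notification from a public file-sharing service, or a link to one,
arriving in a thread with a counterparty the organization has no
established relationship with. All data below is constructed."""

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed notification/link domains for the services named in the report.
# Verify these against real headers before relying on them.
FILE_SHARE_DOMAINS = {
    "transfernow.net": "TransferNow",
    "transferxl.com": "TransferXL",
    "wetransfer.com": "WeTransfer",
    "1drv.ms": "OneDrive",
    "onedrive.live.com": "OneDrive",
}

# Hypothetical allowlist of vendors the organization already exchanges files with.
KNOWN_PARTNERS = {"partner.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class MailEvent:
    sender: str
    recipient: str
    subject: str
    body: str
    # External domains seen earlier in the same conversation thread
    # (constructed metadata a mail gateway or ticketing system could supply).
    thread_domains: list = field(default_factory=list)


@dataclass
class Finding:
    recipient: str
    service: str
    severity: str
    links: list
    reasons: list


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def _service_for(host: str):
    """Map a hostname to a known file-sharing service name, or None."""
    host = host.lower()
    for dom, name in FILE_SHARE_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            return name
    return None


def analyze(event: MailEvent):
    """Return a Finding if the mail looks like a file-share hand-off, else None."""
    reasons = []
    service = _service_for(_domain(event.sender))
    if service:
        reasons.append(f"sender is a {service} notification address")

    share_links = []
    for url in URL_RE.findall(event.body):
        svc = _service_for(urlparse(url).netloc)
        if svc:
            share_links.append(url)
            service = service or svc
    if share_links:
        reasons.append(f"body links to {service}-hosted file(s)")

    if service is None:
        return None

    # The report describes extended correspondence before the file arrives,
    # so the thread's counterparty matters more than the notification itself.
    unknown = [d for d in event.thread_domains if d.lower() not in KNOWN_PARTNERS]
    if event.thread_domains and not unknown:
        severity = "low"
        reasons.append("counterparty is an allowlisted partner")
    else:
        severity = "high"
        reasons.append("counterparty has no established relationship")
    return Finding(event.recipient, service, severity, share_links, reasons)


def scan(events):
    """Run analyze() over a batch of events and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample mail-log records.
SAMPLE_EVENTS = [
    MailEvent("noreply@wetransfer.com", "alice@corp.example",
              "New Business Corp sent you files",
              "Download at https://wetransfer.com/downloads/abc123",
              thread_domains=["newbusiness-corp.example"]),
    MailEvent("bob@partner.example", "dave@corp.example",
              "Design doc", "Design doc here: https://1drv.ms/u/s!xyz",
              thread_domains=["partner.example"]),
    MailEvent("carol@corp.example", "dave@corp.example",
              "Lunch", "Lunch at noon?"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.severity.upper(), finding.recipient, finding.service, finding.reasons)
```

A "high" finding is a candidate for human review or for holding the message until the counterparty is confirmed through an out-of-band channel; a "low" finding only records that a known partner used a file-sharing service, which is ordinary business traffic.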

Threatpost summary

Read the full Google Blog