A group of ransomware hackers used a variety of techniques to try breaching hundreds of companies last year, exploiting a vulnerability in Microsoft Corp.’s Windows and using artificial intelligence technology to create fake LinkedIn profiles, Alphabet Inc.’s Google found.
The group, which Google refers to as Exotic Lily in research published Thursday, is known as an initial access broker. Such groups specialize at breaking into corporate computer networks and then providing that access to other cybercriminal syndicates that deploy malware that locks computers and demands a ransom.
The findings help illuminate the ransomware-as-a-service model, a cybercriminal business strategy in which different hacking groups pool their resources to extort victims and then split the proceeds.
The Exotic Lily group sent over 5,000 malicious emails a day, Google observed, to as many as 650 organizations around the world, often leveraging a flaw in MSHTML, a proprietary browser engine for Windows. Microsoft issued a security fix for the Windows vulnerability in late 2021. Google did not identify victims by name.
“Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and health care, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus,” Google said in a blog post.
Google also observed that Exotic Lily is associated with notorious Russian-speaking ransomware group Conti. That group, accused of using digital extortion to reap $200 million in 2021, is currently in turmoil after a suspected insider leaked a trove of internal chat logs, revealing hackers’ tactics to the public.
What makes Exotic Lily unique, according to Google, is the level of human interaction behind each of its attacks. Creating fake LinkedIn profiles to add legitimacy to the group’s malicious emails requires an extra level of effort.
One of the fake LinkedIn profiles cited by Google was a fictitious Amazon.com Inc. employee who appeared to be located in the UK. The hackers sometimes used a publicly available service to generate a fake profile picture using artificial intelligence.
“A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends,” Google said in its blog post. “Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe time zone.”