All in a day's work: Google details Exotic Lily access broker for ransomware gangs


Google’s Threat Analysis Group has detailed a group it has labelled Exotic Lily, which breaches targets and then sells off the access it gains.

The group's preferred method of gaining access to targets is spear phishing: it sends around 5,000 emails a day and registers lookalike domains under different TLDs — such as using for users — in an effort to fool those on the receiving end.

It initially used fake personas, but has recently started scraping publicly available data from sites such as RocketReach and CrunchBase to impersonate real users.

The group also used public file-sharing services, including TransferNow, TransferXL, WeTransfer and OneDrive, to deliver payloads to targets; because those sites are legitimate, the resulting traffic is harder for defenders to flag.
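The two tactics described above (lookalike sender domains that differ only in their TLD, and payloads delivered through legitimate file-sharing services) lend themselves to a simple mail-triage check. The following is an added example, not code from Google's report: the allowlist of known domains, the sample messages and the file-sharing hostnames are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): domains this organisation legitimately corresponds with.
KNOWN_DOMAINS = {"example.com", "partner-corp.com"}
# Assumed hostnames for the file-sharing services the report names as payload hosts.
FILE_SHARE_HOSTS = ("transfernow.net", "transferxl.com", "wetransfer.com", "onedrive.live.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def tld_lookalike(sender_domain: str):
    """Return the allowlisted domain that sender_domain mimics by swapping only the TLD, else None.
    Only the final label counts as the TLD; multi-part suffixes such as co.uk are not modelled."""
    parts = sender_domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label, tld = parts[-2], parts[-1]
    for known in KNOWN_DOMAINS:
        k_label, k_tld = known.split(".")[-2:]
        if label == k_label and tld != k_tld:
            return known
    return None


def file_share_links(body: str):
    """URLs in the message body hosted on a listed file-sharing service (or a subdomain of one)."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hits.append(url)
    return hits


def triage(sender: str, body: str):
    """List the reasons one message matches the two tactics described in the article."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1]
    mimicked = tld_lookalike(domain)
    if mimicked:
        reasons.append(f"sender domain {domain} resembles {mimicked} with a different TLD")
    for url in file_share_links(body):
        reasons.append(f"link to file-sharing service: {url}")
    return reasons


# Constructed sample messages, not taken from the report.
SAMPLE_SUSPICIOUS = ("jane.doe@partner-corp.co", "Files: https://wetransfer.com/downloads/abc123")
SAMPLE_BENIGN = ("bob@example.com", "Minutes: https://example.com/minutes")
```

A hit on either check is a triage signal, not proof of compromise; the TLD check in particular should be paired with an SPF/DKIM result before acting on it.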

“Investigating this group’s activity, we determined they are an initial access broker who appear to be working with the Russian cyber crime gang known as Fin12 (Mandiant, FireEye) / Wizard Spider (CrowdStrike),” Google said.

“Exotic Lily is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol.”

The group also appears to maintain a high degree of work-life balance, as Google
