Google Blows Lid Off Conti, Diavol Ransomware Access-Broker Ops

Researchers have exposed the work of Exotic Lily, a full-time cybercriminal initial-access group that uses phishing to infiltrate organizations’ networks for further malicious activity.

Google’s Threat Analysis Group (TAG) has provided a rare look inside the operations of a cybercriminal dubbed “Exotic Lily,” that appears to serve as an initial-access broker for both Conti and Diavol ransomware gangs.

Researchers’ analysis exposes the business-like approach the group takes to brokering initial access into organizations’ networks through a range of tactics so its partners can engage in further malicious activity.

While ransomware actors tend to get most of the attention, they can’t do their dirty work without first gaining access to an organization’s network. This is often the job of what are called initial-access brokers (IABs), or “the opportunistic locksmiths of the security world,” as Google TAG calls them in a blog post published Thursday.

“It’s a full-time job,” Google TAG researchers Vlad Stolyarov and Benoit Sevens wrote in the post. “These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid.”

Google TAG first encountered Exotic Lily last September, when the group

Read More: