top of page

Countermeasures and observability key to defending against attackers trying to buy security products

The leak of Conti ransomware's internal chat logs revealed the attackers tried to buy security software so they could figure out how to bypass it and avoid detection

Written by Craig Jones

March 04, 2022

This week a Ukrainian security researcher leaked multiple years of chat logs and files from the Conti group. Conti is a ransomware group that Sophos has been following closely for a number of years. On Feb 28, we reported on a Conti attack targeting a healthcare provider.

In those chat logs we see mention of how the Conti group tried, and failed, to purchase licenses of Sophos Intercept X (or “Endpoint Security”). According to the chat, they were doing this so they could test their latest malware to see if Sophos’ products would detect it.

This is a common strategy among malware developers and groups: they acquire or steal as much security software as they can in order to test if they can effectively evade it. This practice is seen across the security industry, and Sophos takes precautions to mitigate the risk in its product development and operations.

What’s interesting here is that the chat logs show that Conti’s attempts to bypass Sophos products were unsuccessful and that, as a result, they attempted to acquire a licence in order to gain further access for their tests.


Getting access to security products

To begin with, we can see that the Conti group signed up for a free trial, which is available online. You may be asking yourself, “Why don’t you block them from getting a trial account?” The answer is straightforward: any kind of blocking could inadvertently prohibit legitimate users, and these “testers” supply us with intelligence that better helps us to defend our consumers and partners.

Next, we can see that on May 27, 2020, the Conti group attempted to upgrade their free trial by purchasing the full product.

They tried to do so under the guise of a fictitious company called DocSoft, which purported to be based in Kyiv, Ukraine. One of our countermeasures for this type of activity was activated: we flagged the account as suspicious and, with our chan