Conti Ransomware Groups Using Callback Phishing to Gain Access to Victims’ Networks

Three groups that split from the Conti ransomware operation are primarily gaining access to victims’ networks using callback phishing tactics, according to cybersecurity firm AdvIntel.

Callback phishing involves making initial contact with targeted employees in an organization via email. They are advised about a pressing issue that needs to be resolved by telephone. The phone line is manned by the threat actor and social engineering tactics are used to trick the victim into disclosing their credentials or downloading a malicious file.

This method of phishing has previously been used by the Ryuk ransomware operation, which was rebranded as the Conti RaaS. The Conti ransomware operation has now been shut down but, according to AdvIntel, at least three groups of former Conti Raas members are now using callback phishing for gaining initial access to victims’ networks. The groups are tracked as Silent Ransom, Quantum, and Roy/Zeon.

In this campaign, spam emails are sent that advise the recipients that a subscription for a product they are subscribing to will soon be renewed and they will be charged. To cancel the bogus subscription, it is necessary to call the number provided. According to AdvIntel, two of the companies impersonated in this campaign are the language learning platform, Duolingo, and the online education platform, MasterClass.

When the call is made to the provided number, the threat actor attempts to trick the user into starting a ZoHo remote access session; however, that solution is under the control of the threat actor. A second individual then uses the remote access session to determine how to breach the network while the user is distracted by the first threat actor. This method of attack is advantageous over other phishing tactics as the emails that initiate the attack are benign and contain no malicious content, so they are unlikely to be detected as malicious by an email security solution.

The phishing method, dubbed BazarCall, has been adopted by the Silent Ransom group, which is known to take attacked at least 94 organizations since the split from Conti. Quantum also uses BazarCall, albeit a custom version, in which a much broader range of brands is impersonated, including the cybersecurity firm CrowdStrike. Roy/Zeon imitates more brands still, including Parcel International, Sygnal Partners, iWired, Edifecs, and EZLynx.

AdvIntel warns that other threat groups may also adopt this tactic due to the difficulty of detecting and blocking the attack. “As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on.”

Agari has recently reported that while phishing attacks have increased by 6% since Q1, 2021, hybrid phishing campaigns such as callback phishing have increased by 625%.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of