During the past two years, it seems that Conti, a Russian-based cybercriminal organization, has been imposed as one of the most profitable in the entire Ransomware-as-a-Service (RaaS) ecosystem.
Chainalysis estimates that the cyber gang grossed the largest profits in 2021 in the RaaS industry: $180 million extorted. In Europe alone, according to cyber criminals’ online postings to extort money from victims, Conti claimed the largest number of breaches in 2021 among cybercrime groups: 147.
Groups like Conti base their business model on offering their clients actual ransomware kits, which include tools for executing and managing the attack and as well as confidential victim’s information, a platform for managing the entire negotiation, in exchange, in the end, for a share of the ransom obtained.
The creation of such a business model has led to an incremental lowering of the technical barriers required to launch a ransomware attack, increasing their frequency and thus increasing the risk of experiencing this threat to businesses.
Most RaaS cyber gangs use common attack vectors, such as phishing, exploiting unprotected web applications, or that lack multi-factor authentication, and all the classic methods used for maintaining access once gained, such as using Cobalt Strike or PowerShell. Attack strategies such as the latter are not particularly sophisticated, but they have an extremely high success rate.
Another strategy increasingly used by Conti and other ransomware cybergangs is the use of double extortion: the attackers hold the victim’s data hostage and demand a ransom both to get access to the data back and to maintain the confidentiality of the data and prevent it from being published online if the requested amount is not paid.
But there are also some unique aspects to Conti’s operations:
According to Wired Uk, it emerges that “Conti’s operation resembles that of many companies around the world. The organization has several departments, from human resources to administration, from programmers to researchers. It has policies that guide cyber criminals in developing code and shares best practices for avoiding law enforcement.” Guerredirete notes that the mere fact that the role of human resources manager “is clearly defined and assigned is a major leap forward for organizations of this type.”
The most successful ransomware cybergangs frequently invest a lot of time creating and maintaining some semblance of “professionalism” to facilitate extortion payments from victims. They want to establish a fantastic reputation for offering top-notch “customer service” and follow through on their assurance that the victim’s files would be unencrypted if they pay the ransom (and they will not appear on a leaked website). However, according to a report by Palo Alto Networks Unit 42, there are multiple cases where victims either did not get their data back or suffered a data leak after paying the ransom to Conti. Confirming that Conti’s affiliates operate without a “code of honor” are the recorded attacks on hospitals and emergency services (the heaviest being the one on the Irish Health Service in 2021, with damage estimated at 100 million euros).
Focus: Russia-Ukraine conflict and Conti’s internal leak
On Feb. 25, 2022, just after Russia began its invasion of Ukraine, Conti posted a Telegram announcement confirming its support for the Kremlin and threatening anyone who was in a different position. Only a few hours later and the message was rectified and scaled back, but that was not enough to stop the ripple effect caused by that statement in time. Although the cyber gang has its roots in Russia, it is nowadays branched all over the world, and a Ukrainian component of Conti’s members responded to the pro-Moscow stance by posting 13 months of internal information on Twitter and Telegram: 60 thousand messages exchanged between group members, 150 bitcoin wallets, usernames, and IP addresses.
Author: Giovanni Recchi