On February 25, 2022, a message surfaced on a darknet website operated by the cybercriminal group Conti, expressing support for Russia’s invasion of Ukraine, which Russian President Vladimir Putin had launched the previous day. This development marked a turning point for Conti, one of the most active ransomware groups in recent history.
For 18 months leading up to this, Conti had launched cyberattacks targeting businesses, educational institutions, and hospitals, reportedly amassing over $180 million in ransom payments in 2021. In May 2022, the US Department of State announced a $15 million reward for information leading to the identification or arrest of Conti members, underlining the threat posed by this group.
Ransomware has significantly evolved since its early days in the late 1980s. Contemporary ransomware operates under a model known as Ransomware-as-a-Service (RaaS), functioning like a business. Conti, for instance, rented out its ransomware infrastructure, managed victim negotiations, handled ransom payments, and laundered the proceeds. The group was believed to take around a 30% cut of these payments, reinvesting a portion into their operations.
According to the US Financial Crimes Enforcement Network, RaaS activities generated about $590 million in the first half of 2021. Conti was the most profitable of these groups during this period, with earnings roughly double that of its nearest competitor, DarkSide. Ransom payments are predominantly made in cryptocurrencies, which are then laundered and converted into traditional currencies.
In the world of cyber-extortion, RaaS groups not only encrypt victim data but also engage in double extortion by threatening to leak sensitive information. These groups work with ‘affiliates’ – external cybercriminals who collaborate but are not formal members. This network enables RaaS groups to target a vast number of victims. However, this system can have vulnerabilities, as seen in 2021 when a disgruntled affiliate leaked Conti’s internal documents.
Alongside the development of RaaS, malware sophistication has increased. A notable example was the law enforcement action against the Emotet botnet in 2021, once considered the most dangerous malware. Botnets like Emotet spread via phishing emails and can control large networks of infected devices. The takedown of Emotet temporarily reduced ransomware activities, but the botnet reemerged months later, with some speculation about Conti’s involvement in its revival.
The unraveling of Conti began two days after its declaration of support for the Russian invasion. A Twitter account, @ContiLeaks, started releasing internal communications of the group. The source of this leak remains unclear, but it led to what has been called the ‘Panama Papers of ransomware’. Subsequently, Conti’s structured and business-like operations began to crumble. Despite ongoing attacks, including against Costa Rican state networks, Conti’s websites were offline by May 19, 2022.
The reasons behind Conti’s shutdown are subject to speculation. Some suggest that potential victims were wary of violating sanctions against Russia. The demise of Conti illustrates the transient nature of ransomware groups; they often disband, reorganize, or rebrand, making the fight against them akin to a continuous game of whack-a-mole. While Conti’s chapter in the ransomware saga has closed, the broader narrative of ransomware continues to evolve.