The U.S. State Department is offering up to $15 million in rewards for any information that can help it cracking down on Conti, a Russia-based ransomware group. Conti is reported to have received over $150 million in ransom payments, making it the costliest ransomware variant in history.
The Conti ransomware group has targeted over a thousand organizations, extorting over $150 million in ransoms. Today @StateDept is offering rewards for information on Conti leadership and its affiliates. https://t.co/0RFkLKgK3U
— Ned Price (@StateDeptSpox) May 6, 2022
In a press statement, department spokesperson Ned Price said that the $10 million is for information leading to “the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.”
In addition, the department will offer $5 million for information that leads to the arrest of any individual that attempts to, or does participate in the Conti ransomware incident.
Conti has been wreaking havoc globally for the past two years, with its orchestrators attacking anything from global entities to governments and even critical services like healthcare. As of January, the FBI estimates that the group had attacked over 1,000 entities who had paid over $150 million in ransom. This makes the Conti ransomware variant the costliest strain of ransomware ever documented.
The $15 million in total reward is offered under the department’s Transnational Organized Crime Rewards Program.
Price commented, “In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals.”
Conti is a ransomware-as-a-service operation with links to Wizard Spider, a Russian-speaking cybercrime group which has also been behind other variants including Ryuk and TrickBot. According to security experts, it emerged in 2020 and has grown rapidly. One expert, Cyberint’s Shmuel Gihon estimates that in total, the group has raked in $2.7 billion, way above the State Department’s estimate.
The best organized hackers’ collective ever
Aside from being based in Russia with possible links to the FSB, not much else was known about Conti. This all changed in early March when a series of documents leaked revealing its size, operations, leadership and even the source code of its ransomware.
Researchers say it all started with the Russian invasion of Ukraine. Being a Russian group, Conti expressed its support for the Kremlin, and this didn’t sit well with some of its Ukrainian members. Just days after the invasion, a new Twitter account cropped up and started leaking the most secretive details about the organization.
My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking of what is happening to it breaks my heart and sometimes my heart wants to scream.
— conti leaks (@ContiLeaks) March 1, 2022
The most surprising revelation about Conti was just how professionally it’s run. It has a hierarchical management structure with well-defined roles, a finance department that pays salaries, a HR department that hires and fires, team leaders for the smaller units and even a research and development (R&D) department.
Security experts who took a deep dive into the leaks further found that Conti has salaried workers, some of whom are paid in BTC, an employee referral program and even an “employee of the month” who earns half their salary in a bonus payment.
It gets even more interesting with its hiring process. Cyberint found that Conti hires from both the criminal underground as well as legitimate sources such as Russian headhunting firms. As observed by Daniel Krebs, a security expert and a former Washington Post reporter, hiring is crucial since “perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees.”
The most alarming thing about the hiring process is that Conti executives don’t reveal to their potential hires that they are one of the biggest collectives of hackers. Experts found evidence that some of the workers think they work for a legitimate tech firm.
“Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group. These employees think they are working for an ad company, when in fact they are working for a notorious ransomware group,” one researcher observed.
The leaks also revealed that Conti is based in Russia, although its physical offices remain a mystery. Researchers believe that this is proof that the group has ties to the Kremlin, or at the very least, the FSB, Russia’s counterintelligence force, formerly known as the KGB.
“Our assumption is that such a huge organization, with physical offices and enormous revenue would not be able to act in Russia without the full approval, or even some cooperation, with Russian intelligence services.”
Watch: CoinGeek New York panel, Investigating criminal activity on the blockchain
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.