{"id":18223,"date":"2022-07-01T16:30:00","date_gmt":"2022-07-01T15:30:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=18223"},"modified":"2022-07-04T14:46:08","modified_gmt":"2022-07-04T13:46:08","slug":"ransomware-inside-the-former-conti-group","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/07\/ransomware-inside-the-former-conti-group\/","title":{"rendered":"Ransomware: Inside the former CONTI group"},"content":{"rendered":"\n

We recently learned from AdvIntel researcher Yelisey Boguslavskiy that the Russian group Conti shut down its operation, thereby making the brand obsolete.[1] <\/sup><\/a>This announcement comes only a few months after it was the center of attention of the specialized press following the “Conti Leaks<\/strong>“.<\/p>\n

Last February, a Ukrainian researcher released more than 60,000 messages from inside conversations between different members of the group. Through these discussions, several revelations are made about their operations, allowing us to understand the RaaS ecosystem (Ransomware-as-a-Service)<\/em>.<\/p>\n

Through this article, let’s take a look at how a Ransomware platform operates, then let’s question the organizational structure and the benefits generated by former CONTI group.<\/p>\n

\u00a0<\/h1>\n

Ransomware platform ecosystem<\/strong><\/h1>\n

The proliferation of articles on the Ransomware threat over the last few years gives the impression that the sector is flourishing. There are several players involved<\/strong>, and data theft amounts to hundreds of millions of dollars<\/strong> per year. For instance, CERT-Wavestone shared that about 60% of its incident responses in 2021 were for ransomware attacks<\/a>.[2]<\/sup><\/a><\/p>\n

\"\"<\/p>\n

As described in the figure, ransomware platforms do not work alone<\/strong>. It receives help from different service providers<\/strong> or other platforms and offers its services (in the form of ransomware) to different groups of attackers. Finally, the platform can also directly extract data from its victims: individuals, companies, states…<\/p>\n

These platforms have fueled the growth of a RaaS economy. Approximately $5.2 billion of BTC transactions<\/strong> have been identified by the US Treasury with the payment<\/strong> of the most commonly reported ransomware platforms<\/strong>.[3]<\/sup><\/a> This makes it a highly profitable business<\/strong>.<\/p>\n

At the same time, it is also an activity where there is a significant number of established groups<\/strong> of players that seem to frequently appear and disappear and which generally last several months. Behind these multiple platforms usually hide the same individuals. If the CONTI franchise, supposed successor of the Ryuk[4]<\/sup><\/a>,has only survived 2 years, its former members still seem to be active.<\/p>\n

\"\"<\/p>\n

In this fragmented and complex environment, it is difficult to retrieve consistent information on the functioning of the platforms. The internal discord that followed the war in Ukraine and the publication of the Conti Leaks allowed us to investigate the functioning of this secretive group before its dissolution.<\/p>\n

\u00a0<\/h1>\n

Conti enterprise ?<\/strong><\/h1>\n

On February 27th, 2022 we discover the underside of CONTI organization. The disclosures are made within a few days and soon reveal :<\/p>\n