Malware

Conti ransomware operations made at least $25.5 million since July 2021

Researchers revealed that Conti ransomware operators earned at least $25.5 million from ransom payments since July 2021.

A study conducted by Swiss security firm Prodaft with the support of blockchain analysis firm Elliptic revealed that the operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.

The experts analyzed 113 wallets associated with Conti ransomware operations that were involved in transactions for more than 500 bitcoin. The researchers identified several transactions that split $6.2 million of the Conti profits and transferred them to a “consolidation wallet.”

“113 bitcoin addresses were identified by Prodaft during this investigation. 100 of these addresses related to a single ransomware attack in which the victim requested to pay Conti in 100 separate transactions in order to hide the payment from tax and audit authorities.” reads the report published by the experts. “As a result, the addresses identified during this research are believed to be connected to 14 separate ransomware incidents. 50% of these attacks resulted in a payment to Conti.”

The consolidation cluster was first active in December 2017 when it received one incoming payment of 1.8 bitcoin. After this time, the consolidation cluster remained dormant until mid-2021. In August 2021, ransomware operators sent 0.07 bitcoin from this cluster to a prominent exchange known to be used by ransomware groups.

Consolidation wallets are essential components for ransomware operations, they are the main target of law enforcement actions.

The Conti gang has never attempted to cash out or exchange any of the bitcoin they have received into the consolidation cluster. The Blockchain analysis revealed that the remaining 123.06 bitcoin (around $6.2 million) is currently held in an unhosted wallet.

Elliptic experts also analyzed the transactions associated with Conti affiliates. One cluster identified by the researchers received payments from both Conti and DarkSide, a circumstance that suggests that a threat actor was affiliated to both groups.

The study also highlights the sophisticated money-laundering operation implemented by Conti affiliates. Some
affiliate funds have not yet been moved from the wallets due to the pressure of law enforcement, in other cases the threat actors used multiple services, including exchanges, coin swaps, privacy enhancing wallets including Wasabi, and the Russian-language darknet marketplace Hydra.

“Researching the addresses identified by Prodaft and the incoming payments to the consolidation cluster indicates that since July 2021, Conti has received over 500 bitcoin in ransomware payments, valued at over $25.5 million, of which $6.2 million has been sent to the Conti consolidation cluster.” continues the report.

Anyway, the above figures are only the tip of the iceberg. Experts believe that the Conti ransomware operation has earned much more over this period.

“This research indicates that identifying individuals associated with Conti through following the flow of funds is likely to be challenging, particularly given Conti’s sophisticated money laundering techniques and use of services such as Wasabi wallet. Furthermore, whilst services including exchanges implement KYC policies, it is possible that groups such as Conti deposit and withdraw from these services in small amounts, which do not trigger KYC requirements.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

BadBox rapidly grows, 190,000 Android devices infected

Experts uncovered a botnet of 190,000 Android devices infected by BadBox bot, primarily Yandex smart…

8 hours ago

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware…

19 hours ago

Sophos fixed critical vulnerabilities in its Firewall product

Sophos fixed three Sophos Firewall flaws that could lead to SQL injection, privileged SSH access…

1 day ago

U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote…

2 days ago

Raccoon Infostealer operator sentenced to 60 months in prison

Raccoon Infostealer operator Mark Sokolovsky was sentenced to 60 months in US prison and ordered…

2 days ago

Mirai botnet targets SSR devices, Juniper Networks warns<gwmw style="display:none;"></gwmw>

Juniper Networks warns that a Mirai botnet is targeting SSR devices with default passwords after…

3 days ago

This website uses cookies.