You’ve almost certainly seen and heard the word Conti in the context of cybercrime.
Conti is the name of a well-known ransomware gang – more precisely, what’s known as a ransomware-as-a-service (RaaS) gang, where the ransomware code, and the blackmail demands, and the receipt of extortion payments from desperate victims are handled by a core team…
…while the attacks themselves are orchestrated by a loosely-knit “team” of affiliates who are typically recruited not for their malware coding abilities, but for their phishing, social engineering and network intrusion skills.
Indeed, we know exactly the sort of “skills”, if that’s an acceptable word to use here, that RaaS operators look for in their affiliates.
About two years ago, the REvil ransomware gang put up a cool $1,000,000 as front money in an underground hacker-recruiting forum, trying to entice new affiliates to join their cybercriminal capers.
Affiliates typically seem to earn about 70% of any blackmail money that’s ultimately extorted by the gang from any victims they attack, which is a significant incentive not only to go in hard, but to go in broad and deep as well, attacking and infecting entire networks in one go.
The attackers often also choose a deliberately difficult time for the company they’re attacking, such as in the early hours of a weekend morning.
The more completely a victim’s network gets derailed and disrupted, the more likely it is that they’ll end up stuck with paying to unlock their precious data and get the business operating again.
As REvil made clear when they spent that $1 million “marketing” budget online, the core RaaS crew was looking for:
Teams that already have experience and skills in penetration testing, working with msf / cs / koadic, nas / tape, hyper-v and analogues of the listed software and devices.
As you can imagine, the REvil gang had a special interest in technologies such as NAS (network-attached storage), backup tape and Hyper-V (Microsoft’s virtualisation platform) because disrupting any existing backups during an attack, and “unlocking” virtual servers so they can be encrypted along with everything else, makes it harder than ever for victims to recover on their own.
If you suffer a file-scrambling attack only to discover that the criminals trashed or encrypted all your backups first, then your primary route to self-recovery might well already be destroyed.
Strained affiliations
Of course, the symbiotic relationships between the core members of a RaaS gang and the affiliates they rely upon can easily become strained.
The Conti crew, notably, suffered ructions within the ranks just over a year ago, with something of a mutiny amongst the affiliates:
Yes, of course they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.
As we pointed out at the time, the implication was that at least some affiliates in the Conti ransomware crew were not being paid 70% of the actual ransom amount collected, but 70% of an imaginary but lower number reported to them by the core Conti crew.
One of the disgruntled affiliates leaked a substantial Conti-crew-related archive file entitled Мануали для работяг и софт.rar (Operating manuals and software).
Turn on your chums
Well, the United States has just upped the ante once more, officially and publicly offering a reward of “up to $10 million” under the single-word headline Conti:
First detected in 2019, Conti ransomware has been used to conduct more than 1,000 ransomware operations targeting U.S. and international critical infrastructure, such as law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the United States.
Conti operators typically steal victims’ files and encrypt the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely, with some ransom demands being as high as $25 million.
The payment is available under a global US anti-crime and anti-terrorism initiative known as Rewards for Justice (RfJ), administered by the US Diplomatic Service on behalf of the US Department of State (the government body that many English-speaking countries refer to as “Foreign Affairs” or “the Foreign Ministry”).
The RfJ program dates back nearly 40 years, during which time it claims to have paid out about $250 million to more than 125 different people worldwide, which works out to an average payout of about $2,000,000, made roughly three times a year.
Although this suggests that any individual whistleblower in the Conti saga is unlikely to net the whole $10 million on their own, there’s still plenty of reward money ready for the taking.
In fact, RfJ has promoted its $10 million anti-cybercrime reward before, under a general description:
[The RfJ program] is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
This time, though, the US Department of State has expressed an explicit interest in five individuals, though they’re only known by their underground names at the moment: Dandis, Professor, Reshaev, Target, and Tramp.
Their mugshots are similarly uncertain, with the RfJ page showing the following image:
Only one snapshot shows an alleged perpetrator, though it’s not clear whether he’s meant to be one of the five threat actors listed above, or simply a player in the broader gang with an unknown nickname and role:
There’s a curious hat (a party piece, perhaps?) featuring a red star; a shirt with a largely-obscured logo (can you extrapolate the word?); a beer mug in the background; an empty-looking drink in a clear glass bottle (beer, by its size and shape?); an unseen instrumentalist (playing a balalaika, by its tuning pegs?) in the foreground; and a patterned curtain tied back in front of a venetian-style blind in the background.
Any commenters care to guess what’s going on in that picture?