The operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021, Swiss security firm Prodaft said in a report today.
The company said it worked with blockchain analysis firm Elliptic to track more than 500 bitcoin the Conti gang had collected over the past five months in 113 cryptocurrency addresses.
Prodaft and Elliptic said they identified several transactions that split $6.2 million of the Conti profits and sent them to what they called a “consolidation wallet.”
“In August 2021, 0.07 bitcoin was sent from this cluster to a prominent exchange known to be used by ransomware groups. Aside from this, Conti have not attempted to cash out or exchange any of the bitcoin they have received into this cluster. Blockchain activity indicates that the remaining 123.06 bitcoin is currently held in an unhosted wallet.”
In addition, researchers said they also tracked ransom payments as the Conti gang distributed the profits to its partners. Known as “affiliates,” these are criminal groups who perform intrusions into companies, install the Conti ransomware, and then get a cut from the ransom payment at the end.
“One cluster was identified which has received payments from both Conti and DarkSide, which may indicate that an individual has worked as an affiliate for both of these groups,” the researchers said, confirming other past reports highlighting that some affiliates jump ship from one ransomware program to another when drawn with larger cuts or better encryption tools.
The discovery of the consolidation wallet is good news, as this could be targeted in a future law enforcement action and have authorities seize a large chunk of a gang’s profits, as the DOJ has done this month with one of REvil’s affiliates.
However, Prodaft points out that while the Conti gang itself runs a consolidation wallet, its affiliates do not appear to do so, and they usually launder their profits through shady exchanges, coin swaps, privacy-enhancing wallets like Wasabi, and via Russian-language darknet market Hydra.
First-ever Conti estimates
But the estimated $25.5 million earnings are just that, an estimation, and the Conti gang is believed to have earned much more over this period, and its history, dating back to August 2020.
However, the figure is also the first and only estimation of Conti’s profits made until today.
Research into tracking ransom payments and the threat actor’s wallets has been done before for other gangs, and this type of research has often helped inform authorities about today’s most dangerous groups, which has often led to law enforcement crackdowns.
Past research and profit estimations for other ransomware gangs include:
Darkside – $90 million between October 2020 and May 2021.Maze/Egregor – $75 millionRyuk – $150 million (Conti is considered a rebrand/continuation of the Ryuk operation)REvil – $123 million in 2020Netwalker – $25 million between March and July 2020
After the shutdowns of ransomware operations like Avaddon, REvil, Darkside, and BlackMatter, the Conti gang, along with the LockBit group, have become the most active ransomware-as-a-service (RaaS) platforms today, which explains the attention the group is now getting from both security firms and US cybersecurity agencies—with CISA issuing a security alert about the group’s heightened activity in September.
The post Conti gang has made at least $25.5 million since July 2021 appeared first on The Record by Recorded Future.
Source: Read More (The Record by Recorded Future)