Russia-based Conti raked in $77m in 21 months from ransomware

Between June 2021 to March this year, Conti held at least 1,953 bitcoins -- or more than $77 million -- in the form of ransom payments or transfers from outside parties.
17 May 2022

Russia-based Conti raked US$77m in 21 months just from ransomware attacks. (Photo by Kirill KUDRYAVTSEV / AFP)

  • There are fears that Conti will ramp up ransomware attacks if Russia’s economy is weighed down further by Western sanctions
  • In that 21-month period, Conti had 645 digital wallets containing a total of 2,321 bitcoins — making them worth over US$90m
  • When accounting for overlaps and other factors, Conti held at least 1,953 bitcoins — or more than US$77 million — in the form of ransom payments or transfers from outside parties

In 2021 alone, ransomware attacks doubled to about 623 million instances globally, according to US cybersecurity company SonicWall. That is a 105% increase year-over-year, and various analyses and experts have highlighted that Russia-linked hackers are responsible for the majority of it. A recent finding showed a glimpse into the severity of the situation whereby Conti, one of the most notorious ransomware syndicates associated with Russia, generated a staggering US$77 million from attacks within just 21 months.

Conti emerged in 2020 and grew into one of the biggest ransomware organizations in the world. Threat intelligence company Cyberin’s security researcher Shmuel Gihon in the Internet Crime Report 2021 estimated that the group has around 350 members who collectively have made some US$2.7 billion in cryptocurrency in just two years.

In a more recent and shocking revelation by Nikkei Asia in collaboration with Tokyo-based cybersecurity firm Mitsui Bussan Secure Directions’ senior malware analyst Takashi Yoshikawa, it was found that the leading ransomware syndicate with close ties to Russia is likely responsible for cyberattacks that generated about US$77 million between June 2021 and March 2022.

“The group quickly shifted funds through an intricate web of crypto asset accounts to evade capture. The organization even enlists a team to handle public relations and personnel affairs, just like a large corporation,” Nikkei said in a report, summarizing how Conti functions. To top it off, 824 businesses or approximately 20% that have publicly disclosed being victimized by ransomware said they have been hit by Conti, Singaporean analytics platform DarkTracer’s data shows. 

In February this year, Conti put out a statement in support of Russia’s invasion of Ukraine, which led members supporting the Kyiv government to retaliate by leaking internal chat logs. Nikkei said the dumped data, spanning a period between June 2020 and March 2021, contained about 170,000 messages written entirely in Russian totalling 1.18 million characters.

What did the messages reveal about the ransomware attacks by Conti?

Nikkei went through the exchanges with Yoshikawa, providing a behind-the-scenes look at Conti’s criminal operations. Basically, Conti had 645 digital wallets containing a total of 2,321 bitcoins, making them worth over US$90 million at the time the chat logs were leaked. “When accounting for overlaps and other factors, Conti held at least 1,953 bitcoins — or more than US$77 million — in the form of ransom payments or transfers from outside parties,” Nikkei said.

It was also discovered that the wallet with the most deposits received about US$23 million between September and November 2020, over the course of multiple transfers, each approaching a sum of US$8 million. Later, those funds were disbursed to multiple wallets. “The funds were moved within a short timespan to ward off investigators tracing ransom payments, with the aim of converting the assets into cash at exchanges or on the dark web,” Yoshikawa told Nikkei.

To top it off, there are some cases where members came on board with no idea that they were involved in criminal activities. In fact, Conti went to the extent of setting up an underground business offering compensation for skill sets that help the group carry out ransomware or any other attacks.

On the other side of the spectrum, the US is eager to gather information on Conti that the administration offered a reward of up to US$15 million for any details on the Russia-based Conti ransomware group.