A study conducted by Swiss security firm Prodaft with the support of blockchain analysis firm Elliptic revealed that the operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021.
Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.
Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.
The experts analyzed 113 wallets associated with Conti ransomware operations that were involved in transactions for more than 500 bitcoin. The researchers identified several transactions that split $6.2 million of the Conti profits and transferred them to a “consolidation wallet.”
“113 bitcoin addresses were identified by Prodaft during this investigation. 100 of these addresses related to a single ransomware attack in which the victim requested to pay Conti in 100 separate transactions in order to hide the payment from tax and audit authorities.” reads the report published by the experts. “As a result, the addresses identified during this research are believed to be connected to 14 separate ransomware incidents. 50% of these attacks resulted in a payment to Conti.”
The consolidation cluster was first active in December 2017 when it received one incoming payment of 1.8 bitcoin. After this time, the consolidation cluster remained dormant until mid-2021. In August 2021, ransomware operators sent 0.07 bitcoin from this cluster to a prominent exchange known to be used by ransomware groups.
Consolidation wallets are essential components for ransomware operations, they are the main target of law enforcement actions.
The Conti gang has never attempted to cash out or exchange any of the bitcoin they have received into the consolidation cluster. The Blockchain analysis revealed that the remaining 123.06 bitcoin (around $6.2 million) is currently held in an unhosted wallet.
Elliptic experts also analyzed the transactions associated with Conti affiliates. One cluster identified by the researchers received payments from both Conti and DarkSide, a circumstance that suggests that a threat actor was affiliated to both groups.
The study also highlights the sophisticated money-laundering operation implemented by Conti affiliates. Some
affiliate funds have not yet been moved from the wallets due to the pressure of law enforcement, in other cases the threat actors used multiple services, including exchanges, coin swaps, privacy enhancing wallets including Wasabi, and the Russian-language darknet marketplace Hydra.
“Researching the addresses identified by Prodaft and the incoming payments to the consolidation cluster indicates that since July 2021, Conti has received over 500 bitcoin in ransomware payments, valued at over $25.5 million, of which $6.2 million has been sent to the Conti consolidation cluster.” continues the report.
Anyway, the above figures are only the tip of the iceberg. Experts believe that the Conti ransomware operation has earned much more over this period.
“This research indicates that identifying individuals associated with Conti through following the flow of funds is likely to be challenging, particularly given Conti’s sophisticated money laundering techniques and use of services such as Wasabi wallet. Furthermore, whilst services including exchanges implement KYC policies, it is possible that groups such as Conti deposit and withdraw from these services in small amounts, which do not trigger KYC requirements.” concludes the report.
(SecurityAffairs – hacking, Operation Cyclone)