Conti Group Spent $6m on Salaries, Tools and Services in a Year

The infamous Conti ransomware collective spent millions on ‘business’ expenses last year and even tried to develop its own digital currency, according to a new report.

Security vendor BreachQuest analyzed the recent leak of the pro-Russia group’s internal chat logs by a Ukrainian researcher, revealing fascinating details of its operations.

Headed up by an individual named “Stern,” the group has an HR and recruitment lead, someone in charge of its data leak blog, a training specialist and a blockchain lead, as well as individuals in charge of an A, B and C team. Each of these alphabetized teams contains developers, pen testers, OSINT, admins, QA and reverse engineer experts, the report claimed.

Turnover of employees is high as per any criminal organization, although they are well compensated in Bitcoin. An estimated 485 individuals have gone through the Conti system, although this figure also includes potential candidates who have declined roles, as well as victims.

The criminal gang spent millions on remuneration and other internal outgoings, hinting at the huge profits it makes.

BreachQuest said it extracted 255 Bitcoin wallets and focused on those linked to “organizational” spending.

“They are few transactions made to these Bitcoin wallets. Many of them had less than three payments in total. These wallets act like shell companies and one-off payments to other Bitcoin wallets are made because they disguise transactions, so it does not stand out from the norm,” the report explained.

“Studying the leaks, we see that Conti has spent an estimated $6m on employee salary, tooling, and professional services from January 2021 to February 2022.”

As of June 2021, the group has also been fast-tracking a project to build a new altcoin in the Rust programming language, according to the report.

The news comes as the US government warns organizations of a potential spike in ransomware activity following crippling sanctions against Russia.

The Treasury’s Financial Crimes Enforcement Network (FinCEN) also urged all financial institutions to remain on the lookout for attempts by state actors and oligarchs to evade such sanctions via convertible virtual currency (CVC).

“Although we have not seen widespread evasion of our sanctions using methods such as cryptocurrency, prompt reporting of suspicious activity contributes to our national security and our efforts to support Ukraine and its people,” said acting director Him Das.

What’s Hot on Infosecurity Magazine?