Ransomware organizations have evolved into sophisticated operations whose highly coordinated actors can extort millions of dollars in a single attack. Stories in the news we read do not even begin to cover the complexity of this form of highly organized crime.
Using Crystal’s data, they use innovative methodologies to trace the pathways of ransom payments, unveiling a staggering sum of over $80 million in payments linked to Conti and its predecessor.
This sum dwarfs the prior calculations in the public domain, emphasizing the gravity of their threat.
This research paper expands the analysis of a dataset spotlighting 666 meticulously categorized Bitcoin addresses entwined with Conti and 75 Bitcoin addresses attributed to probable ransom transactions.
The researchers used money laundering risk levels provided by Crystal to group exchanges into three categories: low, medium, and high risk. Consistent with the hypothesis that most money originates from victim payments, most money originates from low-risk exchanges or the unlabeled cluster.
Conti is an extortion group discovered in early 2020, and it has since been used by criminals to attack organizations worldwide. In February 2022, a pro-Ukrainian insider leaked over 12 months of internal communications from the group. On 27 February 2022, a cache of internal chat logs belonging to Conti were leaked online thanks to an apparent insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine.
The leak was shared with VX-Underground, a malware research group that collects malware samples and data. The leaked data set has about 400 files containing tens of thousands of Conti group internal chat logs in their native Russian language. The files hold about a year’s worth of messages dating back to January 2021, some six months after the group first formed in mid-2020.
Ransomware was present in about 70% of malware breaches in the previous year.
Approximately two in five ransomware incidents used desktop-sharing software and involved a confidentiality compromise, while slightly fewer (35%) leveraged email as an attack tool. An essential cause of ransomware’s growth is the shift toward commercialization of cybercrime. The most prolific cybercriminal groups have undergone significant changes in operations to scale efforts and maximize revenue.
In some instances, reporting has shown these groups incorporating divisions previously associated with legitimate corporations, including HR departments with recruiters, finance, accounting, and even negotiators to coordinate ransom payment. Beyond these structures, the most significant trend has been the shift to ransomware as a Service (RaaS), which has seen groups lease out malware to affiliates who conduct intrusions and share profits with the developers.
In the paper “Money over Morals,” researchers leveraged leaked chat messages to provide an in-depth empirical analysis of Conti, one of the largest ransomware groups.
By analyzing these chat messages, researchers painted a picture of Conti’s operations as highly profitable, from profit structures to employee recruitment and roles. Using Cristal’s data, researchers could present novel methodologies to trace ransom payments, identifying over $80 million in ransom payments paid to Conti and its predecessor – over five times as much as in previous public datasets.
The authors published a dataset of 666 labeled Bitcoin addresses related to Conti and 75 Bitcoin addresses of likely ransom payments. Future work can leverage this case study to trace – and ultimately counteract – ransomware activity more effectively.
Next, the researchers considered the sources and funds from wallets in the leaked dataset, shown in Figure 3. They used money laundering risk levels provided by Crystal to group exchanges into three categories: low, medium, and high risk. Consistent with the hypothesis that most money originates from victim payments, most money originates from low-risk exchanges or the unlabeled cluster.
Source: Money over Morals figure 3.
Through analysis of Crystal data, potential financial links between Conti and other ransomware groups, such as Ryuk were found.
The authors also suggest that it is likely that individuals financially associated with Conti were involved in the hack of the Japan-based crypto exchange Liquid on 19 August 2021. Several previously unreported victims of Conti were identified in the chat logs, including details of ransom payments made by the victims. Questions over the ethics of ransom payments remain, as there is not yet any regulation by US or EU regulators to prohibit ransom payments. Analysis in this study uses both leaked data, public blockchain data, and an annotated set of Bitcoin addresses from Crystal.
The researchers manually annotated all 666 Bitcoin addresses present in the leak according to their function (e.g., salary or reimbursement) which they publicly published. After annotating, they then used on-chain transaction data to analyze Conti’s bottom line, including estimated gross revenue, operating cost, salary per role, cash-out techniques, and relation to other cybercrime activity (like dark web marketplaces).
As a part of the analysis, they developed a methodology to identify ransom payments based on common proceed splitting behavior, which they then used to identify $83.9 million in new likely payments.
The chat logs also contained information on the different roles and responsibilities of Conti. They assessed team composition from the chats, as well as the primary users based on interactions within the chat logs.
Money over Morals also provides an analysis of Conti’s employee recruitment process and the challenges managers faced with employees who did not know the illicit background of their employer.
The Money over Morals study of Conti Group investigates the structure of modern Ransomware as a Service group. This study is the first comprehensive crypto-economic analysis of the Conti leaks, based on the annotation of cryptocurrency addresses present in the leaks, on-chain analysis of cryptocurrency payments, and qualitative business assessment based on user conversations.
To discover how blockchain analytics tools can help investigate ransomware or to learn more about Crystal’s initiative for universities, please get in touch.