[BreachExchange] Conti Group Spent $6m on Salaries, Tools and Services in a Year

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Mar 10 09:36:42 EST 2022


https://www.infosecurity-magazine.com/news/conti-group-6m-salaries-tools/

The infamous Conti ransomware collective spent millions on ‘business’
expenses last year and even tried to develop its own digital currency,
according to a new report.

Security vendor BreachQuest analyzed the recent leak of the pro-Russia
group’s internal chat logs by a Ukrainian researcher, revealing fascinating
details of its operations.

Headed up by an individual named “Stern,” the group has an HR and
recruitment lead, someone in charge of its data leak blog, a training
specialist and a blockchain lead, as well as individuals in charge of an A,
B and C team. Each of these alphabetized teams contains developers, pen
testers, OSINT specialists, admins, QA and reverse engineering experts, the
report claimed.

Employee turnover is high, as in any criminal organization, although
members are well compensated in Bitcoin. An estimated 485 individuals have
gone through the Conti system, although this figure also includes potential
candidates who have declined roles, as well as victims.

The criminal gang spent millions on remuneration and other internal
outgoings, hinting at the huge profits it makes.

BreachQuest said it extracted 255 Bitcoin wallets and focused on those
linked to “organizational” spending.

“They are few transactions made to these Bitcoin wallets. Many of them had
less than three payments in total. These wallets act like shell companies
and one-off payments to other Bitcoin wallets are made because they
disguise transactions, so it does not stand out from the norm,” the report
explained.

“Studying the leaks, we see that Conti has spent an estimated $6m on
employee salary, tooling, and professional services from January 2021 to
February 2022.”

As of June 2021, the group has also been fast-tracking a project to build a
new altcoin in the Rust programming language, according to the report.

The news comes as the US government warns organizations of a potential
spike in ransomware activity following crippling sanctions against Russia.

The Treasury’s Financial Crimes Enforcement Network (FinCEN) also urged all
financial institutions to remain on the lookout for attempts by state
actors and oligarchs to evade such sanctions via convertible virtual
currency (CVC).

“Although we have not seen widespread evasion of our sanctions using
methods such as cryptocurrency, prompt reporting of suspicious activity
contributes to our national security and our efforts to support Ukraine and
its people,” said acting director Him Das.