Ransomware group Conti is one of the most aggressive attackers in the industry. Between 2020 and 2022, the group claimed more than 850 victims, including enterprises and governments. Security company Group-IB analyzed Conti’s modus operandi in a new report.

Conti appeared on the radar in February 2020. Several security researchers came across ransomware files with .conti extensions. The malware works as usual: files are locked and victims must pay ransom to regain access. The group is anything but usual: Conti is one of the most aggressive attackers in the industry. Its members made more than 850 victims in a period of two years, including eight Dutch housing associations.

Two years is a relatively long time. Many ransomware groups are broken up after a few months. The crime form is just as lucrative as it is risky. An attacker has to reveal himself in order to be successful. Cryptominers can run undetected in the background for months, but ransomware doesn’t have that luxury. The income model revolves around ransom payments. Victims only pay under pressure. A ransomware group must step out of the shadows.

Despite being in the spotlight for two years, Conti’s members have largely managed to retain their anonymity. The group is being investigated by several authorities and security companies, including Group-IB. This company develops an extended detection and response platform. The platform secures the environments of organizations. Information plays a key role. Group-IB collects data on attackers to counter their methods. As a result, the company has intimate knowledge of ransomware groups. A new reveals how Conti operates.

Conti

In some periods, the ransomware group attacks at lightning speed. Between 17 November 2021 and 20 December 2021, Conti claimed 40 victims worldwide, ranging from the US to the Netherlands and Belgium. The group operates in a highly disciplined manner. According to Group-IB, the members are likely to be active in several time zones. Through shift work, Conti operates 14 hours a day, without holidays, except for weekends and New Year.

In addition to enterprises, the ransomware group attacks governments. In 2022, Conti set its sights on the state of Costa Rica. As a result, the government announced an official crisis. The group speaks Russian, but does not attack Russian companies. According to Group-IB, that’s an unwritten rule among Russian ransomware groups.

The organization is highly professional. Conti works with an HR, R&D and OSINT department. Teams have team leaders, the head is a CEO and members are paid with salaries. The CEO directs teams, just like a legitimate organization. For instance, technical group members are ordered to analyze changes in Windows patches.

Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to thousands of cybercriminals worldwide with various specializations”, shared Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence department.