Conti are a ransomware group who have been hitting the headlines in recent months, but you might have heard of them before – they’ve been in the public eye since 2020. Their operation is known as Ransomware-as-a-Service (RaaS), and they specialise in double extortion, otherwise known as pay-now-or-get-breached. They’ll hack their victims’ networks and steal data before encrypting it, threatening to make it public unless a ransom is paid. The gang doesn’t work alone - they’re believed to be linked to the Russian-speaking cyber crime organisation known as Wizard Spider.

 What is Conti?

Information on the group is sparse due to their secrecy and the turnover of its members, so it’s unknown how many individuals are in Conti. It’s believed that there’s a hierarchy to the group, with the most senior member, known by the aliases of Stern and Demon, acting as the CEO. Below Stern/Demon is Conti’s General Manager, who goes by Mango, and the two are in constant communication. Working underneath these two are teams of cyber criminals. The number of teams isn’t known, but the largest team is believed to include between 60 and 100 individuals. Conti are always recruiting new members – either from legitimate job recruitment websites or from hacker forums. Programmers who join them can earn $1,500 (£1,222) to $2,000 (£1,630) a month, as well as receive a share of Conti’s ransom profits.

Conti has long been suspected of working for or with the Russian government. This was confirmed during the Russian invasion of Ukraine, which began in February this year, as Conti declared their support of Russia, and threatened to deploy retaliatory measures if any cyber attacks were launched against the country. As a result of Conti’s allegiance with the Russian government, an anonymous insider (who supported Ukraine) leaked approximately 60,000 messages from internal chat logs, source code and other files used by Conti. These have provided almost all of the information currently known about the group and its inner workings.

What have they done?

Some of Conti’s known targets have included international brands and government agencies, such as: the Scottish Environment Protection Agency (SEPA), Fat Face, Ireland’s Health Service Executive, the Waikato District Health Board in New Zealand, Shutterfly, and KP Snacks. Their most recent attack was on the country of Costa Rica – Conti hit multiple government bodies, and on Sunday the 8th of May, the recently-appointed President of Costa Rica, Rodrigo Chaves Robles, was forced to declare a national emergency. The attack began in April, when Conti claimed that they’d stolen 672GB of data from government agencies. On the 8th of May, Conti’s data leak site was updated to state they’d leaked 97% of the stolen data – they’d demanded a $10 million (£8,156,700) ransom, which the Costa Rican government was unwilling to pay.

 It's believed that prior to January 2022, the Conti ransomware group had targeted over a thousand organisations and extorted over $150 million (£122,350,500) in ransom payments from their victims. With this in mind, the U.S. Department of State is now offering a reward for any information that could help identify and locate any members of the group. They’re offering up to $10 million (£8,156,700) for any information on high-ranking members, and an additional $5 million (£4,078,350) for information that leads to the conviction of individuals who have participated in any of Conti’s ransomware attacks. 

What can be done to stop them?

The question that cyber security and law enforcement organisations from around the world - especially from countries that are in the FVEY (Five Eyes) intelligence alliance – should be asking themselves, as they ramp up their efforts to stop or even slow down Conti, is “Will this be enough to stop such an incredible force within the cyber community?”

Cyber criminals will be looking for endpoints to get into your network, and one of the best ways of preventing data breaches is to make sure all of your operating systems, software, and firmware are as up-to-date as possible. In order to do that, you should always download patches and updates as soon as they’re released. Cyber security education is also important, and one of the best strategies you can implement to improve your organisation’s cyber defences. You should take care to ensure your staff know what kinds of links and emails they should be watching out for, and ensure they know what to do in the event of a data breach.

With the right knowledge and security tools, you can protect your information from data breaches, and we can help you take the right steps to secure your networks. At Cyber Security Associates, we offer a wide range of services for businesses looking to strengthen their defences, including training and educational courses – get in touch with us today to find out how we can help.