Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Conti ransomware operations made at least $25.5 million since July 2021

Researchers revealed that Conti ransomware operators earned at least $25.5 million from ransom payments since July 2021. A study conducted by Swiss security firm Prodaft with the support of blockchain analysis firm Elliptic revealed that the operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since […]

Conti ransomware

Researchers revealed that Conti ransomware operators earned at least $25.5 million from ransom payments since July 2021.

A study conducted by Swiss security firm Prodaft with the support of blockchain analysis firm Elliptic revealed that the operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.

The experts analyzed 113 wallets associated with Conti ransomware operations that were involved in transactions for more than 500 bitcoin. The researchers identified several transactions that split $6.2 million of the Conti profits and transferred them to a “consolidation wallet.”

“113 bitcoin addresses were identified by Prodaft during this investigation. 100 of these addresses related to a single ransomware attack in which the victim requested to pay Conti in 100 separate transactions in order to hide the payment from tax and audit authorities.” reads the report published by the experts. “As a result, the addresses identified during this research are believed to be connected to 14 separate ransomware incidents. 50% of these attacks resulted in a payment to Conti.”

The consolidation cluster was first active in December 2017 when it received one incoming payment of 1.8 bitcoin. After this time, the consolidation cluster remained dormant until mid-2021. In August 2021, ransomware operators sent 0.07 bitcoin from this cluster to a prominent exchange known to be used by ransomware groups.

Consolidation wallets are essential components for ransomware operations, they are the main target of law enforcement actions.

The Conti gang has never attempted to cash out or exchange any of the bitcoin they have received into the consolidation cluster. The Blockchain analysis revealed that the remaining 123.06 bitcoin (around $6.2 million) is currently held in an unhosted wallet.

Elliptic experts also analyzed the transactions associated with Conti affiliates. One cluster identified by the researchers received payments from both Conti and DarkSide, a circumstance that suggests that a threat actor was affiliated to both groups.

The study also highlights the sophisticated money-laundering operation implemented by Conti affiliates. Some
affiliate funds have not yet been moved from the wallets due to the pressure of law enforcement, in other cases the threat actors used multiple services, including exchanges, coin swaps, privacy enhancing wallets including Wasabi, and the Russian-language darknet marketplace Hydra.

“Researching the addresses identified by Prodaft and the incoming payments to the consolidation cluster indicates that since July 2021, Conti has received over 500 bitcoin in ransomware payments, valued at over $25.5 million, of which $6.2 million has been sent to the Conti consolidation cluster.” continues the report.

Conti ransomware

Anyway, the above figures are only the tip of the iceberg. Experts believe that the Conti ransomware operation has earned much more over this period.

“This research indicates that identifying individuals associated with Conti through following the flow of funds is likely to be challenging, particularly given Conti’s sophisticated money laundering techniques and use of services such as Wasabi wallet. Furthermore, whilst services including exchanges implement KYC policies, it is possible that groups such as Conti deposit and withdraw from these services in small amounts, which do not trigger KYC requirements.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

[adrotate banner=”5″]

[adrotate banner=”13″]