Conti Group Investigations: An Analysis of the Russian Ransomware Group’s Finances

Part 1: Conti Group’s Financial Structure and Transaction History

This is the first part of a three-part investigative series on the Russian-based Ransomware-as-a-Service (RaaS) group Conti.

Each blog in the series, and our in-depth downloadable reports, focus on different aspects of Conti Group.

The three parts of this series include:
Part 1: Conti Group’s Financial Structure and Transaction History
Part 2: Conti Group’s Organisational Structure, HR and Recruitment Processes
Part 3: The Risks Conti Group Pose to the Australian Market

Who are Conti Group?

Conti Group is a Russian Federation-based Ransomware-as-a-Service (RaaS) group that is the source of a broad range of ransomware attacks, many of which have been focused on “Big Game Hunting”, looking for large payouts. The group allows affiliates to rent access to its infrastructure to launch attacks.

In late February 2022, the cyber security community began circulating leaks provided by an individual assessed to be a Ukrainian national. The leaked data outlined internal communications and Conti operations between 29 Jan 2021 and 27 Feb 2022.

Our WorldStack intelligence team have analysed these chat logs, resulting in this three-part series on the Conti Group.

Key Findings on Conti Group’s Financial Structure and Transaction History:

  • In late February 2022, the internal chat logs of the Conti ransomware group were disclosed to the world’s media and security researchers. The leak was assessed to be in retaliation for the group’s public display of support for the Russian Federation’s invasion of Ukraine.
  • The Conti ransomware group are shown to be a multi-layered organisation that operates like a company that hires and dismisses contractors and salaried employees alike.
  • Conti employees can negotiate a salary for the completion of tasks. The salary paid in bitcoin (BTC) varies between 0.021 and 0.0022 BTC (circa $1,150 AUD).
  • Conti Group uses the Binance cryptocurrency exchange platform for conducting its bitcoin transactions.
  • The logs give insight into the daily taskings of the group, exposing operational details of Conti’s workflow and revealing how they make and receive payments via Bitcoin (BTC).
  • Tumbling and “shell wallets” conceal and funnel bitcoin transactions.
  • Conti Group used a drag and drop style messaging and file sharing application hosted on Russian Federation networks for tasking.
  • Conti Group has spent over $8.1 million Australian dollars on tooling, services, and salaries.
  • Assessment of the Conti Group “name and shame” blog demonstrates that medium to large service and manufacturing companies represent the sector most impacted by the Conti Group’s attacks. Companies based in the United States of America were the most targeted entities, followed by Germany and Canada.
  • Australia falls well outside the top 4 countries behind other European countries such as Italy and Switzerland.

Download the full report

Download our full report, Part 1: Conti Group’s Financial Structure and Transaction History, and learn about the above key findings, background and research of Conti’s use of cryptocurrency, details of their total revenue (estimated at more than US $2.7 billion) and an analysis of their salary and payment transactions.


Read more

Read Part 2: Conti Group’s Organisational Structure, HR and Recruitment.