Excited to share new research with Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy.

This is the first in-depth peer-reviewed research into the Conti leaks. We mapped over $80 million in new payments to Conti.

Read the paper: https://arxiv.org/abs/2304.11681

Some takeaways 🧵

Money Over Morals: A Business Analysis of Conti Ransomware

Ransomware operations have evolved from relatively unsophisticated threat actors into highly coordinated cybercrime syndicates that regularly extort millions of dollars in a single attack. Despite dominating headlines and crippling businesses across the globe, there is relatively little in-depth research into the modern structure and economics of ransomware operations. In this paper, we leverage leaked chat messages to provide an in-depth empirical analysis of Conti, one of the largest ransomware groups. By analyzing these chat messages, we construct a picture of Conti's operations as a highly-profitable business, from profit structures to employee recruitment and roles. We present novel methodologies to trace ransom payments, identifying over $80 million in likely ransom payments to Conti and its predecessor -- over five times as much as in previous public datasets. As part of our work, we publish a dataset of 666 labeled Bitcoin addresses related to Conti and an additional 75 Bitcoin addresses of likely ransom payments. Future work can leverage this case study to more effectively trace -- and ultimately counteract -- ransomware activity.

This paper was published as part of the APWG Symposium on Electronic Crime Research, for which we received the best paper award. https://twitter.com/APWG/status/1598755273228812293?s=20

“#eCrime22 Best Award Paper: ‘Money Over Morals: A Business Analysis of Conti #Ransomware’! Congrats, Ian W. Gray, Jack Cable, Vlad Cuiujuclu, Benjamin Brown and Damon McCoy, on your hard work and outstanding #research that won you this award! @nyuniversity @Flashpoint @UMich”

In February 2022, over 168,000 internal chat messages of the Conti ransomware group were leaked. Conti is one of the most prominent ransomware groups of all time. We sought to build a picture of Conti's (quite profitable) business based on on-chain analysis of Bitcoin payments.

To do so, we manually annotated all 666 Bitcoin addresses present in the leaks based on message context (our team included a native Russian speaker).

We tag addresses as either a salary, reimbursement, or ransom payment address.

We then used Crystal Blockchain to track the destinations and origins of payments. Notably, a large portion of salary payments went to "low-risk exchanges" -- exchanges that adhere to Know Your Customer requirements -- which may present an opportunity to identify ransomware affiliates.
Given the public nature of Bitcoin and the fact that Conti rarely used mixers, this gave us an opportunity to trace victim payments backwards. Since salary payments almost always originate from victim payments, we used blockchain data to identify victim payments based on three criteria. An address:
1. Sent money (directly or indirectly) to an address in the leaked dataset
2. Exhibited splitting behavior consistent with documented affiliate splits
3. Had received more than 99% of its funds from a low-risk exchange, the kind of source victims would most likely send money from
We validated these criteria against the Ransomwhere dataset (https://ransomwhe.re), where 17 of 32 known Conti payment addresses exhibited splitting behavior with affiliates. Others have also documented Conti's splitting behavior: https://elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months
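As an added example (not the paper's code or data), here is how the three criteria above can be applied mechanically to a transaction graph. The ledger, the address names, the exchange label and the affiliate split ratios are all constructed assumptions for illustration; in the real analysis the "low-risk exchange" label and the indirect flow attribution come from Crystal Blockchain, and the leaked-address set is the 666 annotated addresses.

```python
"""Added example (not the paper's code): the three victim-payment criteria
from the thread, applied to a constructed toy transaction graph.
All addresses, amounts and split ratios below are made-up assumptions."""
from collections import defaultdict, deque

# Constructed ledger: (txid, inputs, outputs); each entry is (address, BTC).
TRANSACTIONS = [
    # victim withdraws from a KYC exchange straight to the ransom address
    ("tx1", [("exch_hot_1", 50.0)], [("ransom_1", 50.0)]),
    # ransom split 70/30 between affiliate and operators (assumed ratio)
    ("tx2", [("ransom_1", 50.0)], [("affiliate_1", 35.0), ("operator_1", 15.0)]),
    # operators pay a salary to an address that appears in the leaks
    ("tx3", [("operator_1", 15.0)], [("leaked_salary_1", 2.0), ("operator_chg", 13.0)]),
    # decoy A: mostly mixer-funded, never split, still reaches a leaked address
    ("tx4", [("mixer_out", 10.0), ("exch_hot_1", 0.5)], [("decoy_a", 10.5)]),
    ("tx5", [("decoy_a", 10.5)], [("leaked_salary_1", 10.5)]),
    # decoy B: exchange-funded and reaches a leaked address, but never split
    ("tx6", [("exch_hot_1", 5.0)], [("decoy_b", 5.0)]),
    ("tx7", [("decoy_b", 5.0)], [("leaked_salary_1", 5.0)]),
]
LEAKED_ADDRESSES = {"leaked_salary_1"}   # stand-in for the 666 annotated addresses
LOW_RISK_EXCHANGES = {"exch_hot_1"}      # stand-in for an analytics "low-risk exchange" label
DOCUMENTED_SPLITS = (0.70, 0.75, 0.80)   # assumed affiliate shares, not taken from the paper
SPLIT_TOLERANCE = 0.02
EXCHANGE_THRESHOLD = 0.99                # criterion 3: more than 99% from low-risk exchanges


def build_graph(transactions):
    """Forward edges: every input address -> every output address of the same tx."""
    graph = defaultdict(set)
    for _, inputs, outputs in transactions:
        for src, _ in inputs:
            for dst, _ in outputs:
                graph[src].add(dst)
    return graph


def reaches_leaked(addr, graph, leaked, max_hops=6):
    """Criterion 1: funds flow (directly or indirectly) to a leaked address."""
    seen, queue = {addr}, deque([(addr, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in leaked and node != addr:
            return True
        if hops == max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return False


def has_affiliate_split(addr, transactions):
    """Criterion 2: a spend from addr into exactly two outputs whose larger
    share matches a documented affiliate split within tolerance."""
    for _, inputs, outputs in transactions:
        if not any(src == addr for src, _ in inputs) or len(outputs) != 2:
            continue
        total = sum(v for _, v in outputs)
        big = max(v for _, v in outputs) / total
        if any(abs(big - s) <= SPLIT_TOLERANCE for s in DOCUMENTED_SPLITS):
            return True
    return False


def low_risk_fraction(addr, transactions, exchanges):
    """Criterion 3 helper: share of addr's inflow attributable to low-risk
    exchanges, attributing each funding tx pro rata to its inputs."""
    received = from_exchange = 0.0
    for _, inputs, outputs in transactions:
        to_addr = sum(v for dst, v in outputs if dst == addr)
        if to_addr == 0:
            continue
        in_total = sum(v for _, v in inputs)
        in_exch = sum(v for src, v in inputs if src in exchanges)
        received += to_addr
        from_exchange += to_addr * (in_exch / in_total)
    return from_exchange / received if received else 0.0


def classify(addr, transactions, leaked, exchanges):
    """Evaluate all three criteria for one address; the verdict needs all of them."""
    graph = build_graph(transactions)
    checks = {
        "reaches_leaked": reaches_leaked(addr, graph, leaked),
        "affiliate_split": has_affiliate_split(addr, transactions),
        "exchange_funded": low_risk_fraction(addr, transactions, exchanges) > EXCHANGE_THRESHOLD,
    }
    checks["likely_victim_payment"] = all(checks.values())
    return checks


def find_victim_payments(transactions, leaked, exchanges):
    """Every address in the ledger (other than leaked ones) satisfying all three criteria."""
    addrs = {a for _, ins, outs in transactions for a, _ in ins + outs}
    return sorted(a for a in addrs - leaked
                  if classify(a, transactions, leaked, exchanges)["likely_victim_payment"])


if __name__ == "__main__":
    for a in ("ransom_1", "decoy_a", "decoy_b"):
        print(a, classify(a, TRANSACTIONS, LEAKED_ADDRESSES, LOW_RISK_EXCHANGES))
    print("victim payment addresses:",
          find_victim_payments(TRANSACTIONS, LEAKED_ADDRESSES, LOW_RISK_EXCHANGES))
```

On this toy ledger only `ransom_1` passes: both decoys reach the leaked salary address, but one is mixer-funded and neither shows a split. The two decoys are there because criterion 1 alone is very permissive (anything upstream of a salary payment satisfies it), which is why the thread requires all three. Real tracing would run these checks over entity clusters and attribution supplied by an analytics provider rather than over raw addresses, and the split ratios should be taken from the documented affiliate terms rather than the placeholder values used here.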

We ultimately identified over $80M in new victim payments to Conti -- over five times as much as in previous public datasets. We have published this data at https://github.com/cablej/conti-payments and on https://ransomwhe.re.
This allowed us to construct a balance sheet for Conti. While this likely doesn't encapsulate all payments, it gives us a good sense of Conti's profitability.
We also built a picture of Conti's org chart and recruitment structure. Conti operated much like any other business, with robust HR teams, recruitment strategies, and management.

There's a lot more in the paper, which you should read! https://arxiv.org/pdf/2304.11681.pdf

And thanks to tremendous collaborators Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy on the paper, and to Crystal Blockchain for providing access for academic research.