On-Chain Ransomware - The Conti Group: Part One
7/18/2023

The Conti Group is a notorious ransomware gang that has left a trail of chaos in its wake. This report pulls back the curtain on Conti's operations, revealing a complex web of deception, financial gain, and potential connections to other criminal groups. Join us as we delve into the murky world of ransomware and explore the inner workings of one of its most infamous players.


TL;DR

  • The Conti Group, a notorious ransomware gang that is now defunct, was speculated by many in the threat intelligence community to be a continuation of successful elements from the also defunct Ryuk ransomware gang. This speculation was based on the significant overlap observed in both groups' code and operations.

  • An analysis of Conti's operating structure and fund movements using Bitcoin has revealed another potential area of overlap between the two groups.

  • Wallets attributed to Conti were found to be active outside of Conti's known operational timeframes, and these periods of activity significantly coincide with the operational timeline of Ryuk.

  • This report examines the overlap between the operations of the Conti and Ryuk groups, providing a deeper understanding of their activities and potential interactions.

  • A detailed investigation into Ryuk's activities will follow this report to further identify any possible interactions between the two groups.

Background

Cyber attacks targeting individuals and organizations have been prevalent since the widespread adoption of computers in homes and offices. As more people and more devices connect to the internet, cyber attacks will become an increasing concern because of their unpredictability and growing scale. The motivations behind cyber attacks are diverse, influenced by factors such as the attacker's objectives and the value of the targets. Attacks can be broadly categorized according to these motivations into three types: political, financial, and personal.

Politically motivated attacks most often include hackers targeting governments, governments targeting other governments, or governments targeting the civilians of adversaries.

Personally motivated attacks can include a range of different types of attacks, but most are driven by a personal desire to cause a target tangible or intangible harm. This can include incidents such as insider threats, disruption of an employer’s systems, or intellectual property theft.

Most other cyber attacks can be described as criminally motivated, meaning an attacker’s primary aim is to benefit (usually financially) from exploiting a target. The Web3 community is well-acquainted with these criminally motivated hacks and attacks, as such incidents occur almost daily. While many of these attacks, such as exit scams and flash loan exploits, are easily identifiable, ransomware stands out as the most prolific type of cyber attack leveraging Web3 infrastructure.

In 2021, the total impact of ransomware campaigns was estimated at over $20 billion. By comparison, cryptocurrency scams in the same year were estimated to total approximately $1.3 billion in funds lost. The discrepancy between the two likely stems from ransomware operators targeting all industries, including schools, hospitals, private businesses, government agencies, cities, and critical infrastructure, while crypto scams are largely an internal community issue. These are fundamentally different types of criminal activity, but framing both in dollar terms helps provide a sense of scale between the two.

Although the frequency of ransomware attacks appears to be decreasing, the costs associated with these attacks remain high. At the same time, most ransomware campaigns appear to come from repeat offenders. Using the on-chain tools at our disposal could help us make sense of these groups' activities and their operational continuity. CertiK regularly monitors the online information space for activities and wallets related to bad actors that can pose risks to the community and our customers. We are constantly expanding our internal compliance and wallet tracing tools with this data. For this reason, we want to produce a two-part series looking at two of the most successful ransomware groups and whether their Bitcoin transactions provide any additional clues as to the ongoing risks they pose.

What is the Conti Group?

A Note on Ransomware Groups and Their Structure

Before we get into a discussion of the Conti group it is important to note that ransomware campaigns and groups have differing structures. While some ransomware gangs operate as groups of hackers motivated by financial gain working together against identified targets, others are structured more like organized businesses. You may be familiar with the term “Software-as-a-Service” or “SaaS,” used to describe companies that provide cloud-based applications used over the internet often as subscription style services. Ransomware gangs frequently emulate this business model by distributing their own ransomware through Ransomware-as-a-Service (RaaS) structures. These can take many forms but often look like one-off malware purchases, royalty-based structures, or employer/employee type relationships between hackers and the ransomware providers. Conti provided a RaaS service using the employer/employee style affiliate structure.

Conti’s History

Conti entered the ransomware scene sometime around February 2020. The consensus in the threat intelligence community was that the core team behind the group was made up of Russia-based actors. As their popularity grew, so did their affiliate base, which helped the group expand globally. In their first year of operations the group successfully breached over 150 organizations and expanded from there through early 2022. The affiliates had to apply to work with the group and were only paid if they were able to successfully compromise a target network. In late summer 2021, Conti had its organization and attack structures leaked after many affiliates complained that they were not being paid enough. This was likely the turning point for the group in terms of its reputation and continuing operations. The leaker claimed they did not dump more sensitive documents that would have threatened the security of their operations. However, affiliate trust in the group’s leadership was clearly becoming tenuous. In February 2022, the Conti group publicly expressed its support of Russia in its war against Ukraine. This allegedly caused an even larger rift between the group’s leaders and their affiliates, as many of the affiliates were not Russian and opposed the war. This eventually led to a large drop in the group’s activity.

Conti’s Relation to Other Ransomware Groups

A unique quirk of the threat intelligence industry is that any single advanced persistent threat (APT) group is often given numerous and often interchangeable names. This is often the result of threat intelligence firms taking different analytical approaches to incident analysis and having no incentive to coordinate efforts on attribution. Groups end up with numerous names when different companies identify differing parts or overlapping elements of the same incidents or campaigns. The result is that many APT groups like Conti could overlap with groups of a different name. This is all to say that by the time Conti ceased operating, threat intelligence industry leaders speculated that the Conti group may be related to the Ryuk ransomware gang. Bleeping Computer claimed Conti may be the successor to Ryuk due to overlap in the code used by both groups and their distribution techniques. Other security researchers suggest the groups could be independent entities that coordinated with each other only in select cases.

Ryuk and Conti, at least as known under these names, are no longer active. Ryuk was active from 2018 to January 2020, and Conti from February 2020 to 2022. We believe it's worth investigating if on-chain activity can support the thesis proposed by threat intelligence experts. If both groups shared elements of their operations it is probable they also shared some of the cryptocurrency infrastructure that facilitated their ransomware operations, especially if certain members of each group’s core team were involved in the transition from Ryuk to Conti.

In this report, we will first analyze the on-chain activity during Conti’s years of operation. A follow-up report will delve into Ryuk's activities. This report will focus on potential areas of interest for overlap, while the second report will focus on Ryuk’s on-chain activity and if any crossover can be found between the two.

What Does Conti’s On-Chain Activity Look Like?

How We Sourced Our Data

We sourced the initial data for this project from ransomwh.re, a crowdsourced ransomware payment tracker. The data set includes 28 addresses, with one BTC address corresponding to each reported incident date. We used this set of addresses to start our on-chain wallet tracing efforts. The self-reported nature of the Ransomwhere data will be important to keep in mind as we draw conclusions from this activity; however, the Ransomwhere team does address the measures they take to maintain the integrity of their data:

[Image: Ransomwhere’s disclaimer on self-reported data and their data validation process. Source: Ransomwh.re]

To maintain analytical continuity in this research effort, the data we will look at for Conti and Ryuk will only include reported data from Ransomwhere. We will note if addresses gathered in this analysis can be verified through additional sources.

What Does Our Data Look Like?

We started this project with 28 addresses and collected an additional 2,843 addresses through transaction tracing. Most of these connections were traced through outbound transactions, though in areas of interest we traced some inbound wallets as well. Tracing inbound transactions should eventually lead anyone investigating a ransomware case to a large number of victim wallets. These aren’t particularly useful for our purposes, as they will appear as isolated one-directional nodes, but they can give us a sense of where ransom consolidation wallets exist. It is worth noting that in the cases where we deeply explored some inbound transactions, we could not reach a logical end point in the wallet chain. The number of potential wallets associated with both ransomware groups could feasibly be over 10,000 if we were able to collect all potential Conti/Ryuk and victim wallets in our sample. This would likely make our sample too noisy when our intention is to explore shared fund movements or wallet use between Conti and Ryuk. The final sample total is a decent compromise between what potentially exists and what we could collect in order to make reasonable assessments.

Having established the final sample size, it's also important to consider the structure of the Conti ransomware gang that we described earlier. The nature of Conti’s affiliate structure creates a situation where we cannot distinguish between wallets operated by the Conti core team and those of its affiliates. This will almost certainly make it difficult to discern where any potential overlap between Conti and Ryuk would occur. Presumably the core teams of the groups would operate their royalty and personal wallets separately from their affiliates. If the Conti RaaS is the continuation of Ryuk under a new name or new leadership, being able to distinguish between affiliate and core team wallets would be critical to drawing this conclusion.

The best way to visualize this data is with a network graph, the elements of which are fairly straightforward. Nodes represent wallets and edges (connecting lines) represent the directional flow of funds. Transaction amounts are included in the data but will only be referenced as needed. Node size is weighted by the number of inbound and outbound transactions. Red indicates a very active wallet and blue indicates a less active wallet. Red nodes very clearly operate as wallet consolidation hubs, as evidenced by the many hub-and-spoke clusters.

There are also some basic assumptions we can make about this type of graph and data:

  • A small number of these wallets almost certainly belong to exchanges and are used to on- or off-ramp funds

  • Many wallets were likely used a single time just to consolidate funds and complicate transaction tracing efforts

[Image: Sample of Conti wallets displayed according to directional interaction with other wallets]

Several notable patterns stand out in the structure of this graph. First, funds appear to mostly move from the outermost node clusters towards hubs in the center. Various segments of the graph (i.e. the bottom left corner) show funds moving towards and away from the center; however, further inspection suggests funds were being looped out to tertiary wallets and rerouted towards the hub wallets in the center. This is likely an attempt at chain peeling – a common tactic for obfuscating funds using Bitcoin. Chain peeling involves distributing small amounts of unspent Bitcoin across multiple new addresses in an attempt to hide the connection back to the original address that can be tied to illicit activity.

Below is an example of what chain peeling looks like from our previous investigations into the FTX exploiter.

[Image: An example of chain peeling processes used to obscure funds on the Bitcoin network]

Second, four wallets in the center of the graph appear to be structurally important connection points to all other sections of the graph. Three of these wallets, 1NDyJtN, bc1qqxf, and bc1qm34, appear to belong to the same large centralized exchange (CEX). An additional wallet (bc1qx65) in this area also displays the characteristics of a CEX hot wallet; however, it is not immediately clear who it belongs to. These wallets are highlighted below:

[Image: Location of CEX hot wallets found in the center of the graph]

It would seem the Conti group most likely leveraged multiple CEXs for their operations. It is not surprising that we see CEXs coalesce in the center of a graph like this. We would expect Conti affiliate ransoms and royalties collected by the core team to make their way to CEXs with international on/off-ramps. Given the limited number of CEXs that provide these types of services, it’s understandable why they stand out in this way. We will keep this in mind when we further examine Ryuk activity to see if we can confirm whether both groups leveraged the same platforms to a similar degree.

Other Notable Trends and Outliers

Part of our initial data collection effort included logging the total remaining BTC present in the original 28 wallets, in addition to the final wallet transaction data for inbound and outbound wallets. This subsequently gave us a date range for Conti’s activity from January 2018 to December 2021. To be clear, this range primarily indicates when the wallets available from Ransomwhere were abandoned or last used, but not when those wallets were activated.

Of the 28 original addresses examined, 27 had their final outbound wallet activity registered some time in 2021. The remaining outlier wallet (1MuBnT2) was the only wallet whose most recent transaction was inbound, and it was the only wallet whose outbound activity ceased before 2021. The inbound transaction occurred on 20 January, 2022 for $413,734, making the current balance of the wallet 15.43 BTC. The wallet was created and initially funded in 2017.

One independent investigator on Twitter suggests this was Conti’s cold wallet.

[Image: @RakeshKrish12 suggesting wallet 1MuBnT2 is a Conti cold wallet]

This is a distinct possibility, as the wallet hasn’t been active since 20 January, 2022, though the term “cold wallet” is a bit misleading here. The wallet was used for a single outbound transaction, making it a “hot wallet” based on how the term is readily understood in the Web3 community. We can likely assume that the funds in this wallet have a higher potential to move in the future rather than not. That said, there are some possibilities to keep in mind for why such a large amount of funds is sitting idle here. Keep in mind that the last transaction for wallet 1MuBnT2 occurred one month prior to Russia’s invasion of Ukraine and Conti’s subsequent falling out with its affiliates:

  1. The wallet could be affiliated with the Conti core team as its creation predates the known operating period of Conti RaaS campaigns.

  2. The wallet's handlers lost the keys to the wallet when the group dissolved.

  3. Wallet 1MuBnT2 was a staging wallet for fund transfers to CEX wallet 1NDyJtN, which became unavailable for off-ramping funds in early 2022. This timeline coincides with Western sanctions against Russia, in which some Western governments targeted CEXs allegedly in violation of those sanctions in April 2022. In this instance, these funds could be held in this wallet because they didn’t have anywhere else to go at that time.

Unfortunately, there is not yet sufficient evidence to determine if any one of the above three scenarios is definitively true. However, we may be able to make a determination on this in part two of this report based on the information presented below.

As mentioned above, wallet 1MuBnT2 is also notable as it was seemingly created before the group began operating under the Conti name. We highlighted in the Background section of this report that this group was thought to have started operations around February 2020 according to threat intelligence experts, not 2017. This makes wallet 1MuBnT2 an outlier as the remaining wallets in our original sample post-date the creation date of the wallet, and it also overlaps with the timeline in which Ryuk is known to have operated (August 2018 - late 2019/early 2020).

Wallet 1MuBnT2 is located here on our network graph:

[Image: Segment of the Conti wallet tracing graph where wallet 1MuBnT2 is located. Wallets included in the highlighted area include transactions with net flows towards this wallet]

All of the nodes included in the white box are the nodes whose directionality shows clear flows to wallet 1MuBnT2. This set of wallets likely includes a number of victim wallets, as the wallet set was the primary set produced through inbound transaction tracing. This also reinforces the directionality of these transaction flows, which means all nodes captured in the white box in the graph above were consolidating funds in the direction of 1MuBnT2. Of this highlighted set, only wallet 1MuBnT2 has funds remaining. A quick check of the hub nodes in this highlighted area also confirms our suspicion that the major wallets in this section became active as far back as April 2017. This means the highlighted area also represents the portion of addresses that most likely overlap with potential Ryuk wallets in terms of both groups' operational periods.

With this data in hand we now have a new point from where we can launch further research into any potential overlap in Ryuk and Conti funding infrastructure.

What Can We Learn From This?

Based on the on-chain evidence available we can draw several conclusions that have a high likelihood of being true:

  • The Conti group used complex fund distribution tactics across thousands of wallets to obfuscate the source of funds from its ransomware operations

  • The group interacted with at least four CEX accounts, which likely belonged to a single centralized exchange.

Criminals using many wallets to make fund tracing more complicated, and using large CEXs for on/off-ramping funds, will likely remain expected constants as far as illicit activity in Web3 goes. However, it is important to highlight that much has changed in terms of regulation, enforcement, and CEX operations since the time period analyzed in this report. It is yet to be seen how the finalization of these changes will influence the way malicious actors use Web3 to engage in criminal activity in the future.

We can hypothesize other conclusions about Conti specific activities, though more evidence is needed to confirm them:

  • The group likely used chain peeling techniques to obscure the source of funds on their way to a centralized exchange

  • Wallet 1MuBnT2 is likely a consolidation wallet from which funds were likely not moved due to conditions related to the dissolution of the Conti group, though the specifics remain unclear

  • It is possible that wallet 1MuBnT2 is affiliated with a member of the core team from Conti and not an affiliate, due to the length of time the wallet has been active

Finally, recall the original thesis for this report. Speculation posits that the Conti ransomware group was the heir to the Ryuk ransomware group. This determination, though not 100% certain, was based on both groups appearing to share ransomware code and operational methods. We wondered if this shared infrastructure may also include both groups' Bitcoin wallets. While we can’t make that determination yet, we can go into researching the second half of this report having confirmed that:

  1. Known Conti wallets operated at a time prior to the group’s official formation and during a period that precedes and overlaps with Ryuk’s primary years of operation

  2. A group of wallets affiliated with 1MuBnT2 also operated during this time period and will provide greater coverage when looking for overlap

Stay tuned for part two.

CertiK produces a variety of independent research examining how bad actors exploit Web3 ecosystems, both to improve the general knowledge of the community and to better serve our customers through our compliance products. If you have questions about the data used in this investigation as it relates to your own work or operations, please reach out to us.