This report investigates the potential collaboration or interaction between two Russian cybercriminal gangs, Conti and Ryuk, which were active in the ransomware scene from 2018 to 2022.
Ryuk, suspected to be a Russia-based criminal organization, operated from August 2018 to late 2020, while Conti was active from February 2020 to January 2022. Both groups are believed to have shared code and operational procedures.
We used data from ransomwhe.re, a crowdsourced ransomware payment tracker, to analyze the on-chain activities of these groups. The data includes 26 total Ryuk addresses and 108 Conti wallets.
The analysis found one direct connection between Conti 8 (3NDuGtL) and Ryuk 4 (1Kx9TT7), suggesting potential collaboration or shared resources between the two groups.
We also identified nine CEX hot wallets and 20 CEX customer wallets related to Conti, indicating the group's extensive use of centralized exchanges for their operations.
There is significant complexity in attributing specific wallets to the Russia-based team versus other groups that deployed Ryuk variants, due to the structure of ransomware-as-a-service (RaaS) groups and the use of affiliate wallets.
While there are some connections between the two groups, further investigation is needed to definitively establish a direct link or shared resources between Conti and Ryuk.
This is the second report in a two-part series in which we examine two of the most prolific Russian ransomware gangs, Ryuk and Conti. The threat intelligence community, whose analysts focus on identifying and attributing cyber attacks to hacking groups, has long suspected that the Ryuk and Conti ransomware gangs either operated together or were extensions of each other through a core team of people. Threat intelligence analysts from across the industry drew these conclusions based on shared code and operational procedures between both groups. This led us to question whether these areas of overlap extended to the two groups' on-chain activity as well. This report will focus on the background and on-chain history of the Ryuk group and compare it with the conclusions drawn in our previous report, which focused on the Conti group.
Let's first recall the observations we made about this group in the previous report:
Ryuk is known to have operated between August 2018 and late 2020, while Conti operated from February 2020 to January 2022. Neither group is currently operating in anything recognizable as its original form.
Ryuk is suspected of being a Russia-based criminal organization.
The group is thought to be a precursor to the Conti ransomware gang due to overlap in the code used in both ransomware packages and similarities in their operational structures.
A wallet (1MuBnT2) identified in the Conti analysis was activated in 2017, currently maintains a balance of 15.43 BTC, and provided us with our entry point for analyzing potential overlap between wallets known to belong to both groups, based on their shared timelines.
Ryuk is a ransomware-as-a-service (RaaS) group that is most well known for targeting large organizations, including major newspapers, hospitals, non-governmental organizations, and U.S. school districts, counties and cities. Because of the group’s proclivity for targeting high-profile organizations, they have long been considered a “big game hunter” in the threat intelligence industry. There are additional reasons for this, the most notable being:
The group’s ransomware made up about 20% of global ransomware infections during its primary period of operations.
The group’s suspected relationship with the Russian state and their alleged encouragement to target Russia’s adversaries.
The group's ransoms were frequently ten times more than those of other ransomware variants during the same time period. The average ransom demand was approximately $750,000, however, larger targets saw ransoms in the multi-millions.
The Ryuk ransomware was originally attributed to the prolific North Korean advanced persistent threat (APT) codenamed Lazarus. Early theories claimed overlap existed between the Ryuk ransomware code and the code for the Lazarus developed Hermes ransomware. This theory was eventually thrown out after several technical indicators led researchers to conclude the group was based out of Russia.
The Ryuk ransomware was ultimately believed to have been operated by the GRIM SPIDER APT, a splinter group of the WIZARD SPIDER APT. As highlighted in our previous report, the same hacking groups can be assigned different names as a result of threat intelligence researchers not coordinating a standardized naming convention for hacking campaigns. Ryuk is another name for the group also tracked as GRIM SPIDER, though it more specifically refers to the ransomware campaign deployed by the group in the given timeframe. Since Ryuk is a RaaS-structured campaign, a combination of the members of the core teams behind GRIM SPIDER, and possibly WIZARD SPIDER, would presumably be running the campaigns. For this reason, readers should assume that when we reference Ryuk in this report, the name is at times interchangeable with these other group names.
Both GRIM and WIZARD SPIDER are also believed to be Russian criminal gangs known for targeting “big game” victims. There has been speculation over the years that Russian criminal groups like the ones named here don't work directly with the Russian state but are given free rein to target Russia’s adversaries without state interference as long as they don’t target the Russian government. Others speculated that the Russian state knowingly allowed the groups to piggy-back on the country’s infrastructure in order to target Russia’s adversaries. The history of these groups' targets strongly suggests this was likely the case at the time.
As already mentioned, Ryuk is a RaaS campaign. There are competing theories as to the exact structure of the group, though some threat intelligence researchers claim Ryuk is structured similarly to Conti. Recall from our previous report that Conti had a core team structure that would only take on affiliates who applied and were accepted by the group. Ryuk is believed to operate in the same way. However, other researchers suggest that the group was also found selling the Ryuk code in hacker forums and on the dark web. This likely led to a variety of Ryuk variants with enhanced capabilities. Other assessments suggest this shift is responsible for Ryuk’s code changing over time and being attributable to groups unrelated to Ryuk/WIZARD SPIDER. This shift became visible to observers in late 2021.
It is more than likely that a combination of the above scenarios is true over the lifetime of the Russia-based Ryuk campaigns. That said, it’s important to point out – as we did in the first report – that this complicates analysis of on-chain activity for a number of reasons:
Affiliate-structured RaaS groups make it difficult to distinguish between affiliate and core team wallets with verifiable certainty.
Attributing specific wallets to the Russia-based team vs. other groups that deployed Ryuk variants depends on the data collection methods of the original database creator (ransomwhe.re). To our knowledge this distinction was not made by Ransomwhere.
Reporting on these variant shifts occurred around nine months after WIZARD SPIDER-related Ryuk campaigns reportedly stopped, based on the timeline for the data we started with.
We will keep these issues in mind as we move into analyzing on-chain activity. While there is little we can do to control for these hurdles we can be sure to highlight discrepancies they may cause moving forward and how they are taken into consideration in our overall assessment.
Before we dive into the on-chain activity of our sample Ryuk wallets, let's refer back to the network map of the Conti wallets that we produced for the first report in this series.
Segment of the Conti wallet tracing graph where wallet 1MuBnT2 is located. Wallets included in the highlighted area include transactions with net flows towards this wallet. Source: CertiK
All of the Conti wallets in our sample were activated and abandoned within the known timeframe of Conti’s operations. There was just one exception: wallet 1MuBnT2. Wallet 1MuBnT2 is notable as it was apparently created before the Conti group began operating under that name. The group started operations around February 2020 according to threat intelligence reporters, not 2017 when this wallet was activated. This overlaps with the timeline in which Ryuk is known to have operated from August 2018 to early 2020.
In order to look for any crossover activity between Conti and Ryuk, we collected all of the wallets in the highlighted area in the graph above and conducted transaction tracing across the sample of Ryuk wallets we also collected from ransomwhe.re.
The data used to start this project was sourced from ransomwhe.re, a crowdsourced ransomware payment tracker. The data includes 26 total Ryuk addresses, with one BTC address per individual incident date reported. We used this set of addresses and the addresses affiliated with wallet 1MuBnT2 to start our on-chain research. The self-reported nature of the Ransomwhere data will be important to keep in mind as we draw conclusions from this activity; however, the Ransomwhere team does address the measures they take to maintain the integrity of their data:
While it's impossible to verify with complete certainty that a report is accurate, we aim to utilize the wisdom of the crowds to prevent abuse. All reports are required to include a screenshot of the ransomware payment demand, and will be reviewed before being displayed. Addresses with more than one report from different sources will be given priority, and all elements of all reports will be publicly available. We will remove reports if we believe they are untruthful.
To maintain analytical continuity in this research effort, the data we sourced for Ryuk will only include reported data from Ransomwhere. We will note if addresses gathered in this analysis can be verified through additional sources.
Our samples started with 26 Ryuk wallets and 108 Conti wallets collected from the highlighted portion of the graph above. Tracing between these two sets produced an additional 3,051 wallets affiliated with both groups. The 108 Conti wallet sample included wallets whose usage periods ranged from late 2015 to as recently as June 2023. With the exception of one wallet (1AzUuRw), all the wallets activated in 2015 and 2023 appear to be CEX hot wallets. The 26 Ryuk wallets cover an operational timeline from 2018 to late January 2022 and all appear to be self-custody wallets. One Ryuk wallet (bc1qlnz) happened to be a significant outlier and was activated in March 2023. We will explore this wallet further in the outlier section. The distribution of these wallets over time by activation date, juxtaposed with the campaign timelines for both groups, is represented in the chart below:
Chart: Distribution of group wallets by wallet creation dates with campaign timelines. Source: CertiK
There are a couple of things to highlight about this chart. First, there are about four times more Conti-affiliated wallets represented here than Ryuk wallets. This comes from using a larger sample of Conti wallets collected from our first report and having a smaller Ryuk sample to use when beginning our analysis here. If we identify any major date discrepancies, like a significant number of Ryuk-adjacent wallets being activated pre-2018, they will be highlighted.
Second, the distribution of Conti-affiliated wallets extends well beyond its defined ransomware campaign timeline between 2020 and 2022. The Conti-affiliated wallets from 2015 and 2023 are confirmed large CEX hot wallets; however, many of the Conti-affiliated wallets from the pre-operational period between 2017 and 2020 are a mix of CEX hot wallets and CEX customer wallets. Of the original 108 wallets, 29 fall into these categories. It could also be the case that affiliate wallets captured by our transaction tracing methods make up a large portion of the remaining wallets, though we are unable to provide a more specific breakdown on this.
It’s also important to point out that within the context of ransomware, where ransoms paid out total tens of billions of dollars, it can be difficult to distinguish between a smaller hot wallet for an exchange and a central ransom consolidation wallet. Taking into account transaction and fund volume for each of these 29 wallets, we estimate that nine are CEX hot wallets and the remaining 20 are CEX customer wallets.
As with our previous report, most transaction tracing was conducted through outbound tracing, though one inbound wallet hop was applied to each of the 134 original wallets to ensure there were no potential inbound interactions connecting both groups. This series of inbound tracings does in fact connect the Ryuk and Conti wallet samples together. This is displayed in the network graph further down. This could indicate several things:
There is significant overlap in terms of the chronology and use of the Conti and Ryuk wallets outside their respective campaign timeframes
Some of these connections occur through CEX hot wallets, which does not confirm a direct connection between the groups
Some of these connections may occur through self-custody wallets and/or CEX customer wallets which would indicate a more direct connection or shared ownership of wallets used by either group
The 3,051 wallets traced in this analysis are represented in the network graph below. Wallets are represented by circles (nodes) and the connecting lines (edges) indicate transaction direction. Wallets with higher transaction activity are marked with larger red colored nodes. There are similar, expected patterns in this graph to the ones we highlighted in the previous report. For example, the graph has several distinct tertiary hub structures that appear to suggest directional transaction flow toward a high-activity central web. As before, this is likely indicative of the victim → affiliates → core team → off-ramp process we identified in the previous report.
Second, nodes that serve as major junctions between the tertiary structures are most likely CEX deposit or customer-owned wallets. This theory appears to play out here. A unique feature of analyzing crypto transaction data is that most illicitly sourced funds eventually have to gravitate towards centralized institutions that convert those funds to fiat. Transactions that are routed this way can make it appear on its face that there is overlap between both groups' activities when in reality their operations are mostly separate, but both groups are using the same CEX to off-ramp funds.
The graph below shows all 3,051 of our wallets without any analytical annotation:
Graph: All connections between the 3,051 Conti and Ryuk wallets gathered in the course of this analysis.
For reference, 11 of our 26 Ryuk wallets did not connect to the primary body of the network graph. While there is still a possibility that these wallets could connect further down the transaction chain, that is unlikely given the number of wallets included in this sample. The 11 wallets that are disconnected from the remaining wallets in the sample are outlined below:
Graph: Ryuk wallets that were disconnected from the main graph structure.
Wallet 1MuBnT2 served as our primary entry point for conducting this analysis. It was the only wallet in the Conti sample with an activity time range that overlapped with Ryuk’s years of operation. Inbound tracing on this wallet produced the 108 Conti wallets, many with similar activity ranges, that were then used in this report. This wallet has only one outbound transaction, which paid two different wallets, 1KhGoDA and 137Q44Y. Both wallets continue sending funds away from 1MuBnT2 to other parts of the network. These wallets are highlighted in the graph below:
Graph: The location of the 1MuBnT2 Conti cold wallet identified in the previous report in relation to the rest of the network.
This will be highlighted more clearly in the next section, but these wallets sit too far from the location of our Ryuk wallets to have any meaningful connections that could be used as evidence of interaction between the groups. They only provide additional detail on their place in the Conti-heavy sections of the graph. However, this is not to say that there isn’t some notable behavior by these wallets.
Inbound tracing on 1KhGoDA produced nothing notable outside its connection to 1MuBnT2. However, inbound tracing on 137Q44Y produced two very interesting wallets as inputs. One of these wallets (3JjPf13) was a CEX deposit wallet that has been inactive since January 13, 2022. The other wallet (13xAfzw) was activated on November 27, 2017 and went inactive on February 17, 2022. In that time there was only one outbound transaction – on December 26, 2017 – after which the wallet went inactive until October 28, 2020. Between October 2020 and February 2022 the wallet received five inbound transactions totaling 24.9 BTC before going dark again.
What originally made wallet 1MuBnT2 notable was its high remaining BTC balance and its lack of outbound activity around the time the Russo-Ukrainian War began. 13xAfzw also became inactive a week prior to the start of the war. Recall from our Conti report that Conti’s drawdown in activity is speculated to have occurred partially due to its support of Russia’s invasion at a time when many of its affiliates opposed it. As we speculated in the last report concerning 1MuBnT2, wallet 13xAfzw is also likely a staging wallet where funds were consolidated prior to a potential off-ramping. The 13xAfzw wallet's only outbound transaction was a transfer to 137Q44Y, one of the two wallets (the other being 1KhGoDA) to receive funds from 1MuBnT2.
Analysis of the transactions downstream from 1KhGoDA and 137Q44Y only showed peeling patterns that did not immediately lead to any identifiable CEX-held accounts. It is also important to point out that the wallet activity patterns represented in our network graph only represent transfers in 2017 and should not be assumed to be the path of any fund movements that may occur in the future. As we stated in our previous report, the timing of these wallets going dark around the time Conti operations were ending likely means these wallets, for now, are just examples of stuck funds. We still cannot explain why wallets created in 2017 that almost certainly belong to the Conti group exist so far outside of its known operational timeline.
We mentioned that our analysis of the Conti crossover wallets produced nine CEX hot wallets and 20 CEX customer wallets. Three CEXs are present in this sample and are notated by CEX 1, 2, and 3. Wallets containing -C after the CEX designation are customer wallets held by that CEX. All of these wallets appear as central red nodes.
Graph: All identifiable Conti sample related CEX hot/deposit and customer held wallets in our wallet sample.
These wallets make up a good deal of the nodes in the middle of the graph and are used to move funds throughout the network. There are only three areas outside the high CEX concentration areas. These are found in the upper right-hand corner and the bottom of the chart. One of these regions is most likely where we will find our Ryuk wallets. After mapping our Ryuk wallets in the same way, we see that the bottom of the chart contains the majority of the wallets from our original sample.
Graph: All Ryuk sample wallets connected to the main structure of the graph.
At first glance it appears as if there are no direct connections between the wallets we highlighted in the first graph and the ones highlighted here. The wallets that lie between our Ryuk wallets and the known Conti related CEX wallets are confirmed to be outbound Ryuk wallet transactions that connect to the core body of the structure, likely through peeling wallets or other CEX held wallets. In order to confirm any sort of meaningful crossover we would need to find either direct connections between a Conti wallet from our sample and our Ryuk wallets, or a connection between our Ryuk wallets and a Conti owned CEX wallet. Any connections with CEX deposit wallets would not be considered a direct connection between groups. In order to confirm our thesis for these reports we would need to see direct connections, or close to direct, that cross this line drawn on the graph below.
Graph: A threshold indicating where direct connections between Conti and Ryuk wallets would have to occur to confirm shared wallet resources between both groups.
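As an added example (not from the report or from CertiK's tooling), the Python below mirrors the method described above: expanding a seed set with outbound hops plus a single inbound hop, sorting wallets into CEX hot, CEX customer and self-custody buckets from transaction count and volume, and then testing candidate Ryuk-to-Conti links against the threshold that a connection through a CEX hot wallet does not count. All wallet labels, transfers, explorer statistics and heuristic cut-offs are constructed placeholders, not data from the report.

```python
"""Added example: two-set wallet tracing with a CEX-aware "direct link" test.
Every wallet, transfer and threshold here is constructed for illustration."""
from collections import defaultdict, deque

# Constructed ledger of (sender, receiver, btc); labels are placeholders.
TXS = [
    ("conti_8", "ryuk_4", 5.0),         # direct Conti -> Ryuk transfer
    ("ryuk_4", "ryuk_aff1", 2.5),       # Ryuk forwards to affiliate wallets
    ("ryuk_4", "ryuk_aff2", 2.5),
    ("ryuk_12", "peel_1", 0.3),         # two peeling wallets, then a
    ("peel_1", "peel_2", 0.3),          # Conti-attributed CEX customer wallet
    ("peel_2", "cex3_cust", 0.3),
    ("ryuk_7", "cex1_hot", 4.0),        # both groups off-ramp at the same
    ("conti_5", "cex1_hot", 7.0),       # exchange hot wallet
    ("conti_cold", "conti_out1", 1.0),  # old cold wallet fan-out, far from Ryuk
    ("conti_cold", "conti_out2", 1.0),
    ("conti_out2", "conti_peel", 0.9),
]

# Constructed explorer-style figures: wallet -> (tx_count, volume_usd).
# Wallets absent here are assumed to be low-activity self-custody wallets.
STATS = {"cex1_hot": (6000, 1.5e9), "cex3_cust": (1500, 60e6), "ryuk_4": (16, 6e6)}

CONTI_SAMPLE = {"conti_8", "conti_5", "conti_cold", "conti_out1", "conti_out2", "cex3_cust"}
RYUK_SAMPLE = {"ryuk_4", "ryuk_12", "ryuk_7"}


def classify(tx_count, volume_usd):
    """Assumed heuristic in the spirit of the report's reasoning: exchange hot
    wallets churn thousands of transactions and very large volume, customer
    accounts are busy but an order of magnitude smaller, everything else is
    treated as self-custody. The cut-offs are illustrative, not the report's."""
    if tx_count >= 5000 and volume_usd >= 500e6:
        return "cex_hot"
    if tx_count >= 1000 and volume_usd >= 10e6:
        return "cex_customer"
    return "self_custody"


def build_graph(txs):
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for sender, receiver, _ in txs:
        out_edges[sender].add(receiver)
        in_edges[receiver].add(sender)
    return out_edges, in_edges


def trace(seeds, out_edges, in_edges, out_hops):
    """Expand a seed set the way the report describes: several outbound hops,
    plus a single inbound hop applied to each original seed wallet."""
    seen, frontier = set(seeds), set(seeds)
    for _ in range(out_hops):
        frontier = {nxt for w in frontier for nxt in out_edges[w]} - seen
        seen |= frontier
    seen |= {prev for w in seeds for prev in in_edges[w]}
    return seen


def find_crossings(ryuk, conti, out_edges, in_edges, kind, max_between=2):
    """Undirected BFS from each Ryuk wallet. A hit is a Conti sample wallet (or
    Conti-attributed CEX customer wallet) reached with at most max_between
    intermediaries and without traversing a CEX hot wallet, because a shared
    exchange off-ramp is not evidence of a link between the groups.
    Returns sorted (ryuk_wallet, conti_wallet, intermediaries) tuples."""
    targets = {w for w in conti if kind.get(w, "self_custody") != "cex_hot"}
    hits = []
    for start in ryuk:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node != start and node in targets:
                hits.append((start, node, len(path) - 2))
                continue
            if len(path) - 1 > max_between or kind.get(node) == "cex_hot":
                continue  # too deep, or a shared exchange wallet: do not expand
            for nxt in out_edges[node] | in_edges[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return sorted(hits)


def run():
    out_edges, in_edges = build_graph(TXS)
    kind = {w: classify(*stats) for w, stats in STATS.items()}
    return find_crossings(RYUK_SAMPLE, CONTI_SAMPLE, out_edges, in_edges, kind)


if __name__ == "__main__":
    for ryuk_w, conti_w, between in run():
        print(f"{ryuk_w} -> {conti_w}: {between} wallet(s) in between")
```

On the constructed data the direct Conti-to-Ryuk transfer and the two-intermediary path to a Conti customer wallet are reported, while the Ryuk wallet that only meets Conti at a shared exchange hot wallet is not.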
Our analysis found one direct connection that meets this threshold between Conti 8 (3NDuGtL) and Ryuk 4 (1Kx9TT7), and one additional connection with two wallets (37Vy2uj & 1J37CY8) separating Ryuk 12 (14hVKm7) and CEX 3-C (1Gx7qmY). These wallets are highlighted below:
Graph: Wallets found to connect directly across our defined threshold, or within at least two hops of each other.
Let's look at these wallets and see if we can better understand these connections.
Wallet 3NDuGtL (Conti 8) is most likely a customer-owned wallet on a CEX. We draw this conclusion based on the number of transactions for this wallet and the value of funds that have been deposited over the course of its use. The wallet was first used on September 21, 2018 and its last transaction occurred on February 21, 2023. The account conducted around 1,500 transactions moving a total value of approximately $60 million. If this wallet were a CEX-owned deposit or hot wallet, we should see consistently higher activity in general, as well as links between it and other nodes in our network graph. The fact that it has very few connections in our graph suggests this is not the case.
Also, recall that ransom demands from these groups were up to ten times higher than that of other groups at the time. The entire Conti enterprise was estimated to have collected $180 million through its activities and those of its affiliates. This means only 33% of those funds would have had to move through this wallet to account for the volume we see.
Finally, if this wallet were a CEX hot or deposit wallet we likely wouldn’t see the wallet's activity spike at the same time as Conti’s operations and then dramatically fall in such a short period of time. Identifying this wallet as a customer-held CEX wallet seems like a reasonable assessment in light of these facts. This activity is highlighted below:
Graph: 3NDuGtL wallet activity over time. Source: Arkham Intelligence
As previously mentioned, it does not appear that any Ryuk wallets used in our original sample are CEX held wallets. All appear to be self-custody, though this is not to say that other wallets collected through our tracing process are not CEX held wallets. They likely exist, but we were unable to identify any within the scope of this analysis.
Wallet 1Kx9TT7 (Ryuk 4) was first used on January 12, 2018 and its last transaction was on December 28, 2018, with the total funds deposited reaching approximately $6 million. It received 5 BTC from wallet 3NDuGtL on December 22, 2018. Despite this wallet being live for nearly a full year, all of the transaction activity occurred in December 2018. The wallet received funds from 3NDuGtL just prior to forwarding those funds to other Ryuk-affiliated wallets. In the span of one month, all $6 million was moved in and out of this wallet across 16 transactions.
Graph: Ryuk wallet 1Kx9TT7 activity showing the wallet’s short period of usage despite being active for one year. Source: Arkham Intelligence
A short-lived wallet which was initialized on December 2, 2017 and sent its final transaction on January 23, 2018. Only $1,300 passed through this wallet during this timeframe.
This wallet appears to be a CEX hot wallet that is no longer in use. It conducted over 6,000 transactions moving nearly $1.5 billion in funds. The wallet has not been active since October 2021. This finding likely makes these connections less significant than initially thought.
This wallet also appears to be a CEX-owned hot wallet. The wallet has also been dormant since October 2021, though notably there is still $1,200 remaining in the wallet. It is surprising that a CEX would leave funds dormant in a wallet that appears to no longer be in use.
This wallet was only active for a single day in mid-September 2018. It moved approximately $300,000 before being abandoned.
Despite these four wallets initially appearing to be points of additional crossover between the Conti and Ryuk wallet sets, it is clear that they do not meet the required threshold to establish a concrete link. Two wallets clearly belong to two CEXs.
We previously mentioned wallet 1AzUuRw as a unique outlier because it was activated on October 2, 2017 and its final transaction occurred on April 11, 2023. However, as the wallet was not sourced from Ransomwhere it can’t be tied back to a specific incident.
We also mentioned a Ryuk outlier wallet (bc1qlnz) that was first used on March 23, 2023, with its latest transaction coming on April 3. This wallet was originally sourced from Ransomwhere so unless it was a misreported address we have to assume it's associated with an incident. However, Ransomwhere doesn’t provide incident dates or additional ransom note details in their publicly available data so we can’t make a further determination as to why this wallet was reported as a Ryuk wallet five years after their operational period.
It’s also important to remember that there are competing theories on the trajectory of Ryuk campaigns after variants of the malware with significant changes appeared. In theory, so long as this ransomware is available for download or purchase somewhere online, the Ryuk brand could feasibly continue well into the future while having zero association with the core team.
When we started this research project we saw an opportunity to use a big data approach to on-chain analysis to contribute to the security community’s collective knowledge on the Ryuk and Conti ransomware groups. It stands to reason that two groups that share code and operational knowledge might also share the Web3 infrastructure – such as mixers and exchanges – required to run these campaigns. But can we actually draw that conclusion based on what we know? Unfortunately not.
Identifying criminal wallet owners is a difficult task, especially when analyzing a sample as large as ours, which totaled over 5,000 unique wallets across both reports. Dealing with this many individual data points, particularly as they relate to ransomware, presents some unique challenges for this type of analysis:
Distinguishing between victim, affiliate and core team wallets is difficult and relies on hard-to-prove assumptions about wallets of origin, node centrality, and transaction flows, which are further purposefully muddied by the groups in question.
The fluid nature of these groups, particularly those using the Ryuk name, makes it even more difficult to distinguish between campaign “founders” and non-affiliate retail hackers. It’s unclear how many of these groups diluted our sample.
The presence of many CEX hot wallets makes it difficult to confirm suspected relationships across groups due to their naturally high interconnectedness. This is exacerbated by the size of our wallet samples.
Bearing these issues in mind, we can conclude several things with various levels of certainty. First, both groups created wallets outside their known periods of operation. Some of these wallets were active prior to each group's campaign period, while others remained dormant for months, or in some cases years, prior to being used during their known operational periods. Some of this activity is likely to be a result of when specific victims pay their ransoms, though this doesn’t explain what the early wallets were being used for if the groups had yet to start their campaigns.
Second, despite the relatively significant overlapping evidence of wallet creation by both groups prior to their known operational periods, a single direct connection between Conti wallet 3NDuGtL (traced) and Ryuk wallet 1Kx9TT7 (reported) is not enough evidence to attribute wallet activity to group interactivity with the same degree of certainty that the threat intelligence industry can with their data. Other analyses can take advantage of packet data, malware signatures, and data from other incidents. In our analysis, we've focused on the on-chain links between the two groups.
This is not to say that the connection itself is unworthy of consideration, though it does raise other questions. The transaction from 3NDuGtL was outbound to 1Kx9TT7. This seems strange, as it predates Conti’s operational period by more than a year. It could be the case that this is also a Ryuk or non-Conti owned wallet produced through our transaction tracing. As we can’t make a specific determination about this at this time, we can only suggest that this should cast additional doubt on the nature of the connection between these wallets.
Third, as is true for most criminals in Web3, both groups used some combination of self-custody and CEX wallets to obscure the source of their funds. Notably, the CEXs we were able to identify in the Conti data all differed from those in the Ryuk data. There are a couple of possible explanations for this:
The CEXs exist across both data sets, but we were unable to identify their crossover due to the wallet sample being too large. We also did not include the CEX wallets from the Conti report in our wallet sample for this report. We did not want to run outbound analysis on these wallets from the start, as it would have diluted our sample with wallets unrelated to Ryuk or Conti.
The CEXs in the Conti report were traced through Ransomwhere sourced Conti wallets only known to be active during their 2020-2022 operational timeline. The use of different CEXs over different periods of time could be part of an obfuscation strategy that we were not able to clearly identify.
Government attempts at disrupting or seizing ransomware related funds likely forced operators to diversify the CEXs they used, with special consideration for the legal jurisdiction exchanges operated in. This analysis identified exchanges that operate globally and several based in the US and UK.
The presence of CEX deposit wallets in our data is inherently limiting, though also not surprising. These basic realities of crypto-based criminal activity prevent us from using these network connection points as strong evidence in support of our thesis. There is a real possibility that transfers between both groups in 2017 and 2018 exist in more complex transaction chains involving CEX activity that we were unable to identify. However, the data we were able to collect does not provide a clear indication of this and should thus be considered inconclusive.
Taking all of these variables into account, we can’t conclude with any degree of certainty that the Conti and Ryuk groups directly shared Web3 infrastructure before or after their known campaign timelines. However, it is clear that some type of connection exists, as evidenced by the one direct connection identified. What remains unclear is how deep the connections between both groups go through CEX hot wallets.
CertiK produces a variety of independent research reports examining how bad actors exploit Web3 ecosystems, both to improve the general knowledge of the community and to better serve our customers through our compliance products. If you have questions about the data used in this investigation as it relates to your own work or operations, please reach out to us.