On 25 February 2022, a message appeared on a darknet website run by the cybercriminal syndicate known as Conti. The message pledged allegiance and support for the full-scale Russian invasion of Ukraine, announced by Russian President Vladimir Putin the day before. This short and simple show of support for Russia was the beginning of the end of one of the most prolific ransomware groups in recent years.

Over the previous 18 months, Conti had rampaged across the internet, conducting cyberattacks against businesses, educational institutions and hospitals. In 2021, it was estimated that Conti accumulated over US$180 million in payouts. In May 2022, the US Department of State offered a US$15 million reward for information leading to the identification or conviction of Conti members.

Ransomware has come a long way since a floppy disk carrying the so-called AIDS trojan arrived in the mail during the late 1980s, with a demand of US$189 to decrypt. Today, this malware comes in the form of Ransomware-as-a-Service (RaaS), which operates as a business. Conti would rent its ransomware infrastructure, which could include an executable (the file used to deliver the ransomware), they would handle victim negotiations and payment, and launder the ransom payment. For this service, Conti asked for a percentage of the payment, thought to be around 30 per cent, a portion of which was reinvested in infrastructure, the tools of the trade and staff, before the cycle would start again.

RaaS has become so effective that, according to the US Financial Crimes Enforcement Network, criminal groups earned US$590 million in the first half of 2021. During that same period, Conti was the most successful ransomware strain. Throughout 2021, Conti extorted around double its nearest competitor DarkSide, infamous for its attack on Colonial Pipeline in the US in May 2021. Ransomware payments are almost entirely made in cryptocurrency. Once the payment is made, the money is laundered through a number of techniques and cashed out into fiat currency, for example dollars, euros or roubles.

Cyber-extortion

Within the cybercriminal world, RaaS groups extort their victims and even practice double extortion, which involves locking down and encrypting systems, and seeking out and exfiltrating sensitive data. This means they can charge not only for the decrypter key to unlock the systems, but demand another payment to refrain from leaking the sensitive data.

RaaS groups work with ‘affiliates’, cybercriminals who are not directly part of the RaaS structure but work alongside it. Affiliates allow RaaS groups to expand temporarily, hitting hundreds if not thousands of victims yearly. Using affiliates provides flexibility, dynamism and higher profits, but is also a vulnerability. In 2021, a disgruntled affiliate leaked a cache of internal Conti documents, including the group’s tactics, techniques and procedures, citing poor pay as the reason behind the leak.

Alongside the professionalization of ransomware, malware has also become more sophisticated. In 2021, Ukrainian cyber police released a video of an apartment raid, part of a wider law enforcement action called Operation Ladybird. The targets were those behind Emotet, a botnet once dubbed the ‘king of malware’. Malware spreads through phishing emails and can lead to an army of millions of zombie devices, controlled by the steady hand of bot-herders operating command-and-control servers. These botnets provide criminals access to already infected devices, becoming the unlocked gate for cybercriminals to walk through. When Emotet was taken down, ransomware attacks dipped, until the botnet suddenly returned ten months later. It has been speculated that Conti was behind the resurrection of Emotet.

Whack-a-mole

Two days after Conti pledged their support for the Russian invasion of Ukraine, things began to unravel for the group. A Twitter profile with the handle @ContiLeaks started leaking the ransomware group’s internal communication. Although there are conflicting reports on who was behind the leak – perhaps a Ukrainian security researcher or an affiliate against the war – the over 100 000 leaked files were dubbed the ‘Panama Papers of ransomware’. Over the coming months, Conti’s methodical and business-like approach disintegrated, although attacks continued, including on the networks of the Costa Rican state.

But on 19 May 2022, Conti’s websites were no longer working. It has been argued that following Russia’s invasion of Ukraine, potential victims feared violating sanctions imposed on Russia by the US and Europe. Although we will likely never know the true reasons behind Conti’s shutdown, fighting ransomware groups is like a constant game of whack-a-mole; for every destroyed group, another takes its place. They splinter, rebuild and rebrand. Ransomware did not start with Conti – and will not end with them.