The US government is offering up to $15 million for information about key leaders of the notorious Conti ransomware group and any individual participating in an attack using a variant of Conti’s malware.
In its notice issued May 6, the US Department of State said the Conti ransomware variant was the costliest strain of ransomware on record, noting that as of January, there were more than 1,000 victims of attack that involved Conti ransomware, with payouts surpassing $150 million.
The State Department also noted an attack on the government of Costa Rica in April that disrupted its customs and tax platforms, hurting foreign trade.
The Conti attacks focused on multiple Costa Rican government agencies and led the country’s recently installed president, Rodrigo Chaves, on May 8 to declare a state of emergency.
The reward illustrates the US’ efforts to drive a global response to the ongoing problem of ransomware and shows the country’s “commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals,” State Department spokesman Ned Price said in a statement. “We look to partner with nations willing to bring justice for those victims affected by ransomware.”
The reach of the Russia-linked Conti operation is long. The group a year ago attacked Ireland’s Health Service Executive (HSE) and demanded $20 million in ransom. The country refused to pay the money and said it could spend five times that to recover from the attack.
According to a report from consulting firm PWC, the harmful attack occurred after a single user clicked on a malicious file attached to a phishing email, a common method in ransomware and other attacks.
Conti has made similar attacks elsewhere, including in New Zealand, where it targeted dozens of hospitals, and in the United States, taking aim at law enforcement agencies, city and towns, and emergency medical services.
The US government has issued warnings about Conti for the best part of a year. The FBI in May 2021 sent out an alert about the ransomware, saying it was responsible for more than 400 attacks at the time, with 290 of those occurring in the United States.
“Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransomware payment from the victim,” the FBI wrote. “The ransom letter instructs victims to contact the actors through an online portal to complete the transaction.”
Conti, like other ransomware groups, is incentivizing victims to pay the ransomware by using other extortion methods, including threatening to sell or publish the exfiltrated data. Others also threaten to wipe the files clean by erasing or overwriting the data. One recent group, which is behind the Onyx ransomware operation, is overwriting files larger than 2MB, so victims won’t be able to recover any of the data via a decryption key from the attacker. This has led to cybersecurity firms warning against paying the ransom.
Conti has not been without its own problems. In August 2021, an unhappy affiliate leaked training information from Conti that included a manual on deploying its tools and various help documents.
More recently, the group suffered blowback when it publicly threw its support behind Russia in its unprovoked invasion of Ukraine and threatened to retaliate for any cyberattacks or international sanctions on Russia.
A person suspected to be a Ukrainian member of the group hacked a server used by Conti and began to leak large amounts of data about the gangs inner workings, including what appeared to be a year’s worth of chat logs from Twitter.
Using the information, threat intelligence researchers were able to piece together information such as passwords, nicknames and how the group decided on targets. They also got a glimpse into the corporate-like operations of the gang, including the organizational structure and the working schedules of the bad actors involved.
In its alert, the State Department offered a reward of up to $10 million for information about the identification and location of key leadership in the Conti gang and up to $5 million for information leading to the arrest and conviction of individuals in any country participating or trying to participate in a Conti ransomware incident.
It’s not the first time the State Department has taken this route. In the fall the agency offered a $10 million reward for information that led to the identification and arrests of members of the Darkside and REvil ransomware groups.
Like REvil, Conti is a ransomware-as-a-service (RaaS) operator, in that they develop the code and make it available on the market for others to use, enabling less-skilled operators to more easily launch sophisticated ransomware attacks. ®