Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find
By combining chat logs leaked in February with subsequent analysis of blockchain data, researchers have gleaned new insights about the infamous Conti ransomware gang.
The gang used over-the-counter (OTC) brokers in Russia to cash out crypto extorted from victims and to pay members for their work, according to a CoinDesk review of the leaked chats.
At least one U.S. hospital attacked by the Conti ransomware during the coronavirus pandemic paid the ransom, the hackers’ inner communications show.
Ransom payouts to the gang may have been as high as 725 BTC and more, according to an analysis by Crystal Blockchain released Tuesday.
New wallets Conti used have been located, Crystal said.
In February, a hacker leaked a notorious ransomware gang’s chat logs, offering a rare peek inside the everyday operations of this criminal business and cryptocurrency’s vital role in it. But blockchain data helps paint a fuller picture.
The leaked messages showed the Conti hackers had more victims than previously reported. They also revealed that some of those organizations paid to get their IT systems back, and that the gang had ties to another infamous cybercriminal ring, known as Ryuk. Perhaps most importantly, the cache revealed Conti’s previously unknown bitcoin (BTC) wallet addresses.
That served as a jumping-off point for on-chain sleuths to fill in more pieces of the puzzle. For example, blockchain data shows at least one of the U.S. hospitals attacked during the pandemic might have paid ransom to the Conti hackers.
CoinDesk reviewed the Conti members’ leaked messages and analyzed the hackers’ crypto wallets and transactions with help from the on-chain analytics firm Crystal Blockchain. The exercise underscored an enduring paradox of crypto: While an ungated network with unblockable transactions is highly useful for criminals, the public ledger leaves a trail of crumbs for law enforcement and researchers to find later.
Hackers get hacked
Ransomware gangs are a menace born of the cyber age. While the devastation they spread in corporations is sometimes visible and tangible (remember the gas shortage provoked by the Colonial Pipeline attack last year?), their identities and the way they operate remain mostly concealed.
Now, the curtain has parted slightly as an indirect result of the war in Ukraine.
On Feb. 25, the Conti group declared its allegiance to the Russian government following the invasion of Ukraine. On its official website, Conti threatened to retaliate against the West in response to potential cyber attacks against Russia. This cyber saber-rattling appears to have provoked the leaks, which appeared in several places.
A Ukrainian security researcher who obtained access to the group’s IT infrastructure leaked the messages that accumulated on the gang’s internal Jabber/XMPP server from 2020 to 2021 to journalists and security researchers, according to CNN. Other media reports suggested the leak was made by a disgruntled Ukrainian member of the Conti gang. The archived messaged were published by a Twitter account dedicated to researching malware strains, known as @vxunderground.
“Conti ransomware group previously put out a message siding with the Russian government. Today a Conti member has begun leaking data with the message ‘F**k the Russian government, Glory to Ukraine!’" tweeted @vxunderground.
The leaked communications of the Conti gang offers some visibility into how different ransomware strains can be related.
According to Conti’s messages, the group has been working with various ransomware strains and groups operating those strains: members mention working with Ryuk, Trikbot and Maze ransomware. According to the messages, Conti members not only ran their own ransomware business but also provided tools and services for other hacker groups.
For example, on June 23, 2020, the group’s leader, nicknamed Stern, tells a lower-level manager known as Target, in Russian: “Ryuk is going to get back from vacation soon. He will take all the bots that we have. For him, we need 5k companies.” (It’s not clear from the preceding and following messages which companies Stern meant.)
The messages also left a financial trace of this partnership: a bitcoin transaction between the Conti and Ryuk gangs, mentioned by Crystal Blockchain in a March blog post.
In September 2019, one of the bitcoin wallets associated with Conti sent 26.25 BTC (worth about $200,000 at the time) to a wallet associated with Ryuk, blockchain data shows.
“Payment information contained in the leaked chats strongly supports this connection and that Conti likely tried to contact Ryuk,” Crystal said in a blog post. “We also observed that Ryuk sent payments directly to a Conti wallet that was mentioned in the chat history several times; this suggests affiliation and some degree of operational coordination between these two groups.”
Read also: DarkSide Hackers' Bitcoin Stash Tracked
Earlier, cybersecurity researchers pointed at a possible connection between the operators of Ryuk and Conti ransomware because the malware contained similar pieces of code. However, financial connections between the Ryuk and Conti attackers hadn’t been revealed before.
Advanced Intel's Vitali Kremez told Bleeping Computer the ransomware strain Conti uses has been changing hands many times over several years, starting as Hermes in 2017. Then it was supposedly purchased by other hackers and turned into Ryuk (possibly named after a Japanese manga character). Then, the group “splintered, re-branded or decided to transition to the ‘Conti’ name, which appears to be based off the code from Ryuk version 2,” Bleeping Computer wrote.
Conti operated during the coronavirus pandemic and attacked health care organizations worldwide, more than half of which were located in the U.S., according to the FBI. Cybersecurity experts have long suspected Conti’s connection to the Russian state, along with many other ransomware gangs.
Ryuk is known for hacking The New York Times and The Wall Street Journal’s publishing facilities in 2018, as well as several other companies. Both Ryuk and Conti used a variant of AES-256 encryption to encrypt victims’ files and extort ransom for decryption keys.
The leaked messages also shine light on the breadth of companies successfully attacked, many of which had not been previously reported.
Minnesota-based Ridgeview Medical Center was famously attacked in 2020, the first year of the pandemic, along with a range of other U.S. health care organizations, by the Ryuk and Trickbot malware strains. The Conti group was, apparently, behind those attacks, too: The members talk about successfully hacking into Ridgeview’s network and encrypting the data the medical center needed to operate.
According to Crystal, a transaction on Oct. 30, 2020, is most likely the 301 BTC payment (over $4 million at the time) Ridgeview sent to Conti as a ransom.
A day earlier, on Oct. 29, Conti members Target and Stern mentioned that Ridgeview was ready to pay $2 million, or 151 BTC; however, Conti’s supposed partner, the organizer of the attack, “wanted 300 BTC.”
Later, according to the chat logs, the hackers prevailed, and on Oct. 30, 301 BTC were sent from an address attributed to the Gemini crypto exchange to a wallet that appears to be indirectly related to another wallet, which Conti members mentioned in the chats as a payment address for extortion, according to Crystal.
Ridgeview did not return CoinDesk’s request for comment by press time.
It’s worth remembering that blockchain analysis to a certain extent is based on assumptions, and the attribution of a blockchain address to a certain real-life entity almost never is 100% precise. However, Crystal said it is quite confident in this one.
“The methodology we used was to look for related transactions that were at the same value of the ransom demand and discussed in the group,” said Crystal’s director of blockchain intelligence, Nick Smart. He added that Crystal had “90% confidence” the transaction was the ransom payment in question, given its timing, amount and connection to the earlier reported Conti wallets.
There were other, even larger payments the criminal group managed to gather.
The largest ransom an unidentified victim company paid to Conti, according to the chat logs, was 725 BTC, Crystal found. That chunk of bitcoin, equivalent to about $8 million at the time, was paid by the Chicago-based employment marketplace CareerBuilder, Crystal said, as the company was mentioned in the chats related to the 725 BTC payout.
The receiver of that payment could have been this bitcoin wallet, Crystal told CoinDesk. On Oct. 10, 2020, the address received 725 BTC and immediately sent it on, to another address not associated with any crypto service, on-chain data shows. There were no other transactions involving the address, except these two.
CareerBuilder did not respond CoinDesk's request for comment.
According to the leaked messages, there might have been around 30 previously unreported victims of Conti, including Xerox (XRX), the iconic photocopier maker, Crystal said. Xerox was known to have been hacked by a ransomware gang in 2020; however, cybersecurity experts linked the hack to the Maze gang.
It’s not clear from the chat logs whether Xerox paid the ransom. In 2020, customer support-related data from Xerox was leaked, suggesting the company refused to pay the ransom and saw its internal data leaked as a punishment, ZDNet reported. Xerox declined to comment for this story.
Some other attacks at the same time were definitely successful.
In particular, Conti members discuss attacks on Canadian pool manufacturer Softub and several U.S.-based companies: transportation company Piper Logistics, chain retailer Sam’s Furniture, outdoor equipment maker Clarus and cash handler Loomis.
Softub Director of Operations Tom Lalonde told CoinDesk in an email the company had its data saved in cloud-based backups so it didn’t pay the ransom.
However, the attack “did create a whole bunch of problems,” Lalonde said. The company “had a few ransomware attacks during that timeframe,” he added.
Piper Logistics, Sam’s Furniture, Clarus and Loomis did not respond to requests for comment.
In the messages, the Conti members mention attacking 89 companies, most of them based in the U.S., along with a bunch of Canadian, Australian and European corporations. It’s not clear how many of the attacks were successful and led to bitcoin payouts but the scale of operations definitely seems massive, Crystal said in a blog post published on Tuesday.
Conti members even mention plans to infect Pfizer (PFE), the major pharmaceuticals manufacturer and the co-creator of a COVID-19 vaccine, but it’s not clear whether an attack was conducted and, if so, whether it succeeded.
Crystal also said it located several previously unreported wallets the Conti group used, thanks to those wallets being mentioned in the chat logs: a wallet that received 200 BTC from an unidentified victim on Oct. 26, 2020; a wallet that collected payouts from various attacks; a wallet gang members used to manage operational expenses; and others.
According to the leaked chat logs, Conti had some big plans related to crypto and blockchain. For example, the members have been entertaining the idea of creating their own peer-to-peer cryptocurrency marketplace and a smart-contract-based tool for extortion.
The group also discussed disinformation campaigns to dump the prices for smaller cryptocurrencies and might have been involved in the Squid Game-themed exit scam, security researcher Brian Krebs wrote.
But the group’s interactions with crypto, for the most part, have been more mundane and illustrate how exactly crypto works and how it is converted into fiat money in the criminal underworld.
The leaked messages show the group’s everyday operations: Members discuss development of the malicious code, what works and what doesn’t, what payments are due for IT services the group uses and interaction with other criminal groups.
According to the messages reviewed by CoinDesk, Conti members used crypto, among other things, to pay for cloud servers and software licenses. For example, in one message, a member nicknamed Defender is asking Stern to send him $700 in bitcoin to pay for the server the group is using.
Although crypto serves as the main payment method between the group members, most preferred to receive their paychecks in fiat. For that, Conti members used an over-the-counter (OTC) broker, which is a popular method in Russia and Ukraine, where global centralized exchanges historically have been scarce.
In a message to a new member in July 2020, Stern explains how to receive a monthly paycheck: The new recruit should find an OTC desk with a favorable price on the Russian-language OTC aggregator Bestchange.com, create an order to sell bitcoin for a debit card transfer and provide Stern with a deposit address the OTC would generate.
This way, the “employee” would receive money in fiat directly to his debit card, while the boss would spend crypto, essentially using the OTC as a payment processor.
OTCs are also the main channel of the ransom cashouts, chat logs show. In one dialogue, a member named Revers explains how the extorted crypto is sold via OTC brokers: When transferring bitcoin, Conti sends money mules, or the so-called drops, to collect the cash, so that the actual owners of the ill-gotten bitcoin remain incognito.
“For $300K, nobody would go to Russia to look for you,” Revers adds.
Payment for IT products and server usage often requires fiat liquidity, too, and that’s where the crypto-native cyber criminals may face some obstacles paying their bills. In a chat between two members, Strix and Carter, Strix asks how Carter pays for servers via PayPal (PYPL), as OTC brokers only deal with the larger sums than the 7 euros per month Strix needed to pay for using his personal server.
Carter explains that first, he sells crypto on the peer-to-peer market LocalBitcoins for a bank transfer to his debit card, and the card is linked to a PayPal account. The card, he adds, is “phantom,” meaning, it doesn’t belong to him – supposedly, a money mule is used.
The PayPal account is verified, Carter says, raising the question if the PayPal account he’s using also belongs to a money mule, or has been verified using stolen or forged ID documents – a criminal service available and flourishing in the darknet, as a CoinDesk investigation earlier showed.
Read more: For $200, You Can Trade Crypto With a Fake ID
Other than the no-name OTC, Conti also used some known services to cash out ransom money, Crystal said. Conti-associated addresses sent bitcoin to: the now sanctioned Russian OTC Suex; the Hydra darknet marketplace; the RenBTC exchange; and addresses associated with Wasabi, a non-custodial wallet that lets users obfuscate the origins of their funds by merging them with other people’s bitcoin in so-called CoinJoin transactions.
Back to the list