APN News

Conti’s Inside Operations Revealed: Employees think they are Working for a Legal High-Tech Company

After analyzing leaked documents, Check Point Research (CPR) gives new details on the inside operations of Conti, the notorious Russian ransomware group. Conti is structured like a high-technology company, with clear management, finance, and HR functions. Conti recruits not only from the underground but also from legitimate sources, borrowing CV pools without permission. Some employees at Conti have no clue that they are part of a cybercriminal operation. CPR has also learned that Conti has future plans for a crypto exchange and a darknet social network.

Check Point Research (CPR) has gained new details on the inside operations of the Conti ransomware group. Conti is a ransomware-as-a-service (RaaS) group, which allows affiliates to rent access to its infrastructure to launch attacks. Industry experts have said Conti is based in Russia and may have ties to Russian intelligence. Conti has been blamed for ransomware attacks targeting dozens of businesses, including clothing giant Fat Face and Shutterfly, as well as critical infrastructure, such as the Irish healthcare service and other first-responder networks.

On February 27 of this year, a cache of chat logs belonging to Conti was leaked online at the hands of an alleged insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine. CPR analyzed the leaked files, learning that the ransomware group operates like a large technology company. Conti has an HR department, a hiring process, offline office premises, salaries, and bonus payments.

Details of Conti’s Inside Operations

  - Conti operates like a technology company

    - Hierarchical and defined structure

      1. Team leaders report to upper management.
      2. Main groups observed: HR, coders, testers, crypters, sysadmins, reverse engineers, offensive team, OSINT specialists and negotiation staff.
      3. CPR identified the main people involved by their handles: Stern (big boss), Bentley (technical lead), Mango (manager of general questions), Buza (technical manager), Target (manager responsible for coders and their products), Veron aka Mors (focal point of the group’s operations with Emotet).

    - Work in physical offices in Russia

      1. The Conti group holds several physical offices. These are curated by “Target”, Stern’s partner and effective head of office operations, who is also responsible for the wage fund, office technical equipment, the Conti hiring process and personnel training. During 2020, offline offices were mainly used by testers, offensive teams and negotiators; Target mentions 2 offices dedicated to operators who speak directly with victim representatives.
      2. In August 2020, an additional office was opened for sysadmins and programmers, under the purview of “Professor”, who is responsible for the whole technical process of securing a victim infection.
      3. Members of Conti’s negotiating team (including OSINT specialists) are paid by commission, calculated as a percentage of the paid ransom amount that ranges from 0.5% to 1%. Coders and some of the managers are paid a salary in bitcoin, transferred once or twice a month.
      4. Conti employees are not protected by their local labor boards, and so have to endure some practices that typical tech employees are exempt from, such as being fined for underperforming.
      5. While fines are mostly used as an established tool in the coder department, they are sporadically employed on manager whims in other departments; for example, in IT and DevOps, one person responsible for depositing money was fined $100 for a missed payment.

  - Talent is recruited from both legitimate and underground sources

  - Some Conti employees don’t even know they are part of a cybercriminal operation

  - Conti is actively discussing future plans: a crypto exchange and a darknet social network

Quote: Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Research:

“For the first time, we have a glass door to a group that has been known to be the face of ransomware. Conti acts like a high-tech company. We see hundreds of employees in a hierarchy of managers. We see an HR function, with people responsible for different departments. Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group. In other words, Conti has been able to recruit professionals from legitimate sources. These employees think they are working for an ad company, when in fact they are working for a notorious ransomware group. Some of these employees find out the truth and they decide to stay, revealing that the Conti management team has developed a process for retaining employees. It’s clear to us that Conti has developed an internal culture to develop profits, as well as fining employees for undesirable behavior. We also see that Conti has offices in Russia. Our publication presents findings on the inner workings and culture of Conti.”
