Feds Post $10 Million Reward for Conti Ransomware Actors


Second $5 million reward for the conviction of actual or potential Conti incident participants

Rewards Posted For Conti Leaders, Owners, Operators, Affiliates. (Source: U.S. State Department)

The U.S. State Department is offering rewards of up to $10 million for information that leads to the identification or location of any individual who holds a key leadership position in the Conti ransomware variant transnational organized crime group.


The State Department is also offering a second reward of up to $5 million for information that leads to the arrest or conviction of anyone in any country who intends to participate or has participated in a Conti variant ransomware incident, according to a news release.

“The Conti leak site listed a median of 43 victims per month in 2021, hitting a peak of 95 last November before easing off for the winter holidays,” Secureworks says in a blog post. The group’s activity appears to have resumed in earnest in February, and it has continued to post new victims despite the leak of its internal business information in late February.

The State Department says that the Conti ransomware group has been responsible for hundreds of ransomware incidents over the past two years.

“The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti ransomware variant the costliest strain of ransomware ever documented,” according to the department.

The reward money will be paid from the State Department’s Transnational Organized Crime Rewards Program.

A fuller description of the new rewards is available on the State Department’s Rewards for Justice website, which is primarily focused on countering terrorism.

Conti’s Recent Activity

In April 2022, the group carried out a ransomware attack against the Government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and tax platforms.

The targeted agencies include the Ministry of Finance; the Ministry of Science, Innovation, Technology and Telecommunications; the Instituto Meteorológico Nacional; the Radiográfica Costarricense; and a Caja Costarricense de Seguro Social portal. Paola Vega Castillo, the head of MICITT, confirmed this list at a press conference held in Costa Rica.

Conti had demanded a $10 million ransom from the Costa Rican government, but since no negotiations were initiated, the group began leaking data it exfiltrated during the attack, according to its dark web site.

According to Castillo, in the case of MICITT, only “modification of the contents of the web page” was carried out and no evidence of data being extracted was found. But in the case of the IMN and RACSA, a “process of extracting email archives” was detected, and the CCSS confirmed that its human resources portal had been targeted, she says.

In the post published by the ransomware group on its name-and-shame site “Conti News,” the group says that it gained access to about 800 servers from which nearly 1TB of data was exfiltrated, including 900GB of Tax Administration Portal databases in MSSQL .mdf format and 100GB of internal documents containing the full names and email addresses of staff in the Ministry of Finance.

Conti later added to the same post that it had access to the email server data of two more Costa Rican entities. The group also claimed to have implanted a number of backdoors in various public ministries and private companies and pledged to keep attacking Costa Rica’s ministries until its government paid.

Widening Attack Surface?

Apart from the recent attacks, the group has been observed sharpening its skills, according to research from Trellix, which says the Russian ransomware group has now turned its attention to ESXi hypervisors with its Linux-based variant.

“On April 4, 2022, we detected a sample uploaded, which triggered our threat-hunting rules. Upon further investigation, we determined the file is a Conti variant compiled for the Linux operating system targeting ESXi servers. Although the ESXi version of Conti is not new and has already been discussed, this is the first public sample we’ve seen in the wild,” the researchers say.

Following the leak of several years’ worth of internal messages and Conti’s playbook in 2021, the researchers at Trellix have provided a technical analysis of the recently detected Linux variant of Conti ransomware in a technical blog.
