On average, a member of the Conti ransomware group earns a salary of $1,800 per month. A rather small number, given the success of the cybercriminal group.
On Wednesday, Secureworks released its findings, based on the group’s internal discussions that were leaked earlier this month and have been honed in on by cybersecurity researchers ever since.
Average $750,000 ransom demanded
These exchanges were posted online after Conti, identified as Gold Ulrick by Secureworks, declared his public support for Russia’s invasion of Ukraine, a dispute that is currently ongoing.
Conti is a prolific ransomware group, believed to be of Russian origin, which has claimed hundreds of victims worldwide. The group infiltrates corporate networks, whether on its own or by purchasing initial access on underground forums, steals data, encrypts networks and then demands a ransom. Victims who refuse to pay may have their information leaked online.
The average ransom demanded by Conti is around $750,000, but depending on the size and annual turnover of the victim, the amount can be much higher, sometimes reaching millions of dollars.
An ordinary daily life
Check Point researchers have already scoured Conti’s exchanges and highlighted a rather mundane day-to-day life, comparable to that of a typical software development company.
We thus find an organization offering to choose between telecommuting, hybrid work or in the office, performance evaluations, bonuses and a hiring process for coders, testers, system administrators and human resources.
While new members are interviewed, not all are told they are applying to work with a criminal organization, as some “employee” posts have revealed. However, when the truth comes out, they may be offered far higher wages than the local average to stay.
An attractive salary
According to Secureworks’ analysis of logs, containing 160,000 messages exchanged between nearly 500 individuals between January 2020 and March 2022, 81 people were involved in the group, with an average salary of $1,800 per month.
Group leader Stern summarizes the amounts of wages paid (translation from Russian). Image: Secureworks.
It is estimated that the average Russian household earns $540 per month. The “pay” offered by cybercriminal groups could therefore be a major draw – although the main operators are likely to take a much larger slice of the pie. In addition, the fall in the value of the ruble, due to international sanctions, could encourage other people to enter this market.
Interconnected cybercriminal groups
Additionally, Secureworks uncovered leaks between Conti’s “designated leader”, nicknamed “Stern”, and other cybercriminal groups. Stern makes “key organizational decisions, distributes salaries, manages crises, and interacts with other malicious groups.” Analysts suspect that he also holds a leading position within the Gold Ulrick group (Trickbot/BazarLoader).
Secureworks has also found connections with cybercrime groups Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID), although these may be communications and/or collaborations only.
“The chats reveal a mature cybercriminal ecosystem made up of cybercriminal groups demonstrating collaboration and mutual support,” the researchers say. “Members of previously thought to be separate groups frequently collaborate and communicate with members of other malicious groups. This interconnectedness shows the motivations and relationships of these groups. It highlights their ingenuity and ability to leverage subject matter expertise within groups. »
On March 20, an anonymous researcher – believed to be from Ukraine – also released a recent version of Conti’s ransomware source code. The code was uploaded to VirusTotal for use by cybersecurity defense teams, but it could also be adapted for use by malicious actors.
Source: ZDNet.com