Check Point Research (CPR) has revealed new details into the inside operations of Conti ransomware group.
Conti is a ransomware-as-a-service (RaaS) group, which allows affiliates to rent access to its infrastructure to launch attacks.
Lotem Finkelsteen, Head of Threat Intelligence and Research, at Check Point Research said, “For the first time, we have a glass door to a group that has been known to be the face of ransomware. Conti acts like a high-tech company. We see hundreds of employees in a hierarchy of managers. We see an HR function, with people responsible for different departments. Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group. In other words, Conti has been able to recruit professionals from legitimate sources. These employees think they are working for an ad company, when in fact they are working for a notorious ransomware group. Some of these employees find out the truth and they decide to stay, revealing that the Conti management team has developed a process for retaining employees. It’s clear to us that Conti has developed an internal culture to develop profits, as well as fining employees for undesirable behavior. We also see that Conti has offices in Russia. Our publication presents findings of the inner-working and culture of Conti.”
Industry experts have said Conti is based in Russia and may have ties to Russian intelligence. Conti has been blamed for ransomware attacks targeting dozens of businesses, including clothing giant Fat Face and Shutterfly, as well as critical infrastructures, like the Irish healthcare service and other first-responder’s networks.
On February 27 of this year, a cache of chat logs belonging to the Conti was leaked online at the hands of an alleged insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine.
CPR analyzed the leaked files, learning that the ransomware groups operate as a large technology company. Conti has an HR department, a hiring process, offline office premises, salaries and bonus payments.