Conti: The most dangerous ransomware gang


Costa Rica has declared a state of emergency. Numerous large companies and healthcare facilities have suffered. And now the U.S. government is offering 15 million USD as a bounty for information on individuals involved in the ransomware group, called Conti, that has wreaked digital havoc around the world.

What do we know about Conti?

Conti is a ransomware group based in Russia with a penchant for stealing data and then leaking it. It is considered the world’s biggest ransomware organization and specializes in high-value targets from which it could demand large payouts. Cybersecurity experts estimate Conti launched 500 attacks last year.

Conti is a syndicate, meaning that it has smaller ransomware groups, called affiliates, undertaking attacks using its software. 


In February 2022, a Ukrainian researcher leaked Conti’s chat logs, which revealed how much the group resembled a typical business, with its own HR department, management structure, and assigned tasks. 

Negotiation methods were also leaked, showing how Conti takes into account the target’s annual revenue, the quality of the stolen data, and the presence of cyber insurance. Plus, it offers discounts for early payment.

How do Conti ransomware attacks work?

According to the U.S. Cybersecurity and Infrastructure Security Agency, the methods Conti uses to gain access to networks include:

  • Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links
  • Stolen or weak Remote Desktop Protocol (RDP) credentials
  • Phone calls
  • Fake software promoted via search engine optimization

Conti encrypts the victim’s network with its software and steals sensitive data, then initially releases a small portion of that data. It demands payment for the decryption key while threatening to release more data if the ransom is not paid. If payment is not received, Conti also “names and shames” the attacked company or organization on its blog to damage its reputation.

Who has Conti attacked?

The FBI estimated in January 2022 that more than 1,000 organizations had paid over 150 million USD in ransom money to Conti. Major U.S. manufacturer Parker Hannifin is a high-profile recent hit. Others have included more than a dozen U.S. medical and first-response networks, the Irish healthcare system, Panasonic, and Peru’s intelligence agency.

The group has also threatened to attack organizations that oppose Russia amid its war in Ukraine.

What happened to Costa Rica?

Conti attacked Costa Rica in April, taking down its computer systems and demanding 10 million USD—which has now been raised to 20 million USD—to prevent further attacks. Conti stole over 670 GB of data and has leaked that information out slowly. 

The attack affected the country’s tax collection services and its export and customs systems. The government has asked taxpayers to file by hand and pay in person rather than digitally.

Declaring a state of emergency has supposedly allowed the state to take further measures to combat the fallout. Costa Rica has refused to pay so far—with Conti calling on Costa Rican citizens to rally for the government to pay the ransom as the easiest way out of the situation.

What is the U.S. bounty for?

Several countries have offered to help Costa Rica, as governments have become increasingly adamant about not capitulating to ransom demands. The U.S. is offering 10 million USD for the identification or the location of leaders of Conti, and 5 million USD for information that results in the arrest of anyone conspiring with Conti. 

Can ransomware be stopped?

In 2020, we wrote about what was possibly the first death resulting from ransomware. And the attacks have only grown. Recently, a college in Illinois announced that it was closing for good as it couldn’t recover from a ransomware attack on its systems, coupled with losses from Covid-19. With ransomware becoming more pervasive, the task of stopping it is daunting. 

While law enforcement attempts to break up these criminal groups, most technical solutions revolve around artificial intelligence capable of detecting behavioral changes in a network to stop ransomware before it does damage. 
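The behavioral detection the paragraph above refers to can be sketched in code. This is an added example, not code from the article or from any product it mentions: a toy detector runs over constructed file-activity events and flags a process that rewrites many files with encrypted-looking (high-entropy) content in a short window and renames them to a new extension, the two signals an endpoint agent would correlate before the encryptor finishes.

```python
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0  # bits/byte; encrypted or compressed data sits close to 8.0
MIN_BURST = 10      # high-entropy rewrites within WINDOW seconds before we flag
WINDOW = 10.0

# Constructed sample events, not real telemetry: (t_seconds, process, action, path, data).
# "update.exe" plays the encryptor: it overwrites user files with random-looking bytes
# (bytes(range(256)) stands in for ciphertext) and renames them to a new extension.
CIPHERTEXT = bytes(range(256))
SAMPLE_EVENTS = (
    [(0.0, "winword.exe", "write", "C:/docs/q1.docx", b"Quarterly revenue summary " * 4),
     (1.0, "svchost.exe", "write", "C:/Windows/Temp/svc.log", b"service started ok\n" * 4)]
    + [(2.0 + 0.1 * i, "update.exe", "write", f"C:/docs/file{i}.xlsx", CIPHERTEXT) for i in range(20)]
    + [(4.0 + 0.1 * i, "update.exe", "rename", f"C:/docs/file{i}.xlsx.locked", b"") for i in range(20)]
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents usually score well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_processes(events):
    """Return {process: {"high_entropy_writes", "new_extensions", "suspicious"}}."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        per_proc[ev[1]].append(ev)
    report = {}
    for proc, evs in per_proc.items():
        hi_writes = [t for t, _, act, _, data in evs
                     if act == "write" and shannon_entropy(data) >= HIGH_ENTROPY]
        new_ext = {p.rsplit(".", 1)[-1] for _, _, act, p, _ in evs if act == "rename"}
        burst = 0  # largest number of high-entropy writes inside one WINDOW
        for i, t in enumerate(hi_writes):
            j = i
            while j < len(hi_writes) and hi_writes[j] - t <= WINDOW:
                j += 1
            burst = max(burst, j - i)
        report[proc] = {"high_entropy_writes": len(hi_writes),
                        "new_extensions": sorted(new_ext),
                        "suspicious": burst >= MIN_BURST and bool(new_ext)}
    return report
```

Real agents add more signals (shadow-copy deletion, mass reads of shares), but the burst-plus-entropy pattern is the core behavioral tell and is what lets a response block the process before most files are touched.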

Individuals can protect their home network and their companies by taking common cybersecurity precautions:

  • Keep your devices and apps up to date. This ensures they have the latest bug patches.
  • Use two-factor authentication to raise your account security.
  • Avoid suspicious links and email attachments, especially from people you don’t know. 
  • Remove unnecessary apps from your devices. Attackers look for vulnerabilities, and the more applications you use, the more likely it is for them to find one.
  • For more advanced users, analyze received files in a “sandbox” environment—an isolated area that won’t affect the main system.
Vanessa is an editor of the blog.