Money Over Morals: A Business Analysis of Conti Ransomware

TL;DR

This paper provides an in-depth empirical analysis of the Conti ransomware group, revealing its business structure, profit mechanisms, and ransom payment flows, based on leaked chat data and blockchain analysis.

Contribution

It introduces novel methodologies for tracing ransom payments and publishes a dataset of Bitcoin addresses, significantly advancing ransomware economic analysis.

Findings

Identified over $80 million in ransom payments to Conti.

Constructed a detailed operational and profit model of Conti.

Published a dataset of Bitcoin addresses related to Conti.

Abstract

Ransomware operations have evolved from relatively unsophisticated threat actors into highly coordinated cybercrime syndicates that regularly extort millions of dollars in a single attack. Despite dominating headlines and crippling businesses across the globe, there is relatively little in-depth research into the modern structure and economics of ransomware operations. In this paper, we leverage leaked chat messages to provide an in-depth empirical analysis of Conti, one of the largest ransomware groups. By analyzing these chat messages, we construct a picture of Conti's operations as a highly-profitable business, from profit structures to employee recruitment and roles. We present novel methodologies to trace ransom payments, identifying over $80 million in likely ransom payments to Conti and its predecessor -- over five times as much as in previous public datasets. As part of our work, we publish a dataset of 666 labeled Bitcoin addresses related to Conti and an additional 75 Bitcoin addresses of likely ransom payments. Future work can leverage this case study to more effectively trace -- and ultimately counteract -- ransomware activity.