US Offers $15M Reward for Conti Ransomware Gang 

The U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of key leaders of the Conti ransomware crime group, which has been responsible for hundreds of ransomware incidents over the past two years.

On top of that, the State Department said it would put up an additional $5 million for any info leading to the arrest and/or conviction of individuals in any country conspiring to participate in, or attempting to participate in, a Conti variant ransomware incident.

“In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cybercriminals,” a statement from the State Department read. “We look to partner with nations willing to bring justice for those victims affected by ransomware.”

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, said his company identified Conti as the second most-active group in Q1 2022 and in Q4 2021.

“Conti have been in operation for several years, with the group first discovered in December 2019,” he said. “In the past three years, the group has emerged as one of the most consistent and pernicious ransomware groups in operation.”

Ransomware Rewards: Shifting Tactics

He explained that U.S. authorities offering rewards for information on Conti members may indicate a shift in tactics in targeting ransomware operations.

“By taking a more proactive approach in soliciting the assistance of external researchers—and individuals potentially close to Conti’s organization—they may identify useful information that would otherwise have remained unclear,” Morgan said. 

John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, said the State Department takes time to make these decisions and that it’s likely it was made at the behest of other agencies.

“The U.S. government making these rewards a bigger part of its strategy in cracking down on cybercrime and ransomware is a natural evolution of the amount of destruction these groups are causing,” he said, explaining that ransomware in 2013 was largely an individual consumer problem.

Now, however, these groups are hijacking entire organizations and/or leaking large caches of stolen information, he said.

“They’ve entered the big leagues of organized crime, so now there are big league-style responses,” Bambenek said. 

Conti: Ruthless Efficiency

The Conti ransomware group is one of the most well-known and feared ransomware operations around, primarily because of its prolific targeting and ruthless efficiency.

Morgan added that several recent breaches suffered by Conti itself have highlighted that the group is susceptible to operational security breaches, which could reveal insights on their membership or leadership.

“It does, however, remain unclear whether raising the bounties will significantly impact its activity,” he said. “Despite Conti’s recent setbacks, ransomware operators, in general, are skilled in maintaining their anonymity, typically operating in parts of the globe where they believe they are impervious to law enforcement operations. Only time will tell if the bounties yield significant results.”

As Morgan noted, the ransomware group’s attacks continue to wreak havoc on nation-states, with Costa Rica the latest victim.

Last month, the group perpetrated a ransomware incident against the Costa Rican government, severely impacting the country’s foreign trade by disrupting its customs and taxes platforms.

The country’s recently elected president, Rodrigo Chaves, declared a national emergency in the wake of the devastating attack. 

Panasonic also suffered a Conti breach just six months after a high-profile attack, this time at Panasonic Canada. The ransomware gang said it was behind the February attack that resulted in the theft of more than 2.8GB of data.

In addition, Conti has launched more than 200 attacks against hospitals and other health care facilities since first surfacing in 2018 under its earlier name, Ryuk.

Ransomware attacks from Ryuk/Conti have impacted hundreds of health care facilities across the United States, including facilities located in 192 cities and 41 states and the District of Columbia.

The FBI estimated the Conti ransomware variant is the costliest strain of ransomware ever documented, with more than 1,000 victims of attacks associated with Conti ransomware and an accumulated volume of victim payouts topping $150 million since the start of the year. 

The State Department has itself paid more than $135 million in rewards to date under the Transnational Organized Crime Rewards Program (TOCRP) and Narcotics Rewards Program (NRP). 

The State Department runs the TOCRP in coordination with other federal law enforcement partners as part of a government effort to tackle global organized crime, including cybercrime.

“These kinds of rewards help people like me who love to research and identify these individuals,” Bambenek said. “That being said, nothing is going to really help until we start making significant arrests. The initial piece of that is who to arrest, of course; however, the bigger problem is that they often operate in jurisdictions where extradition isn’t an option.”

He pointed out that Evgeniy Bogachev, the operator of the first modern ransomware family, Cryptolocker, has been under indictment since 2012.


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
