Skip to content
Naked Security Naked Security

US offers reward “up to $10 million” for information about the Conti gang

Wanted - Reward Offered - Five unknown individuals (plus a man with a weird hat)

You’ve almost certainly seen and heard the word Conti in the context of cybercrime.

Conti is the name of a well-known ransomware gang – more precisely, what’s known as a ransomware-as-a-service (RaaS) gang, where the ransomware code, and the blackmail demands, and the receipt of extortion payments from desperate victims are handled by a core group…

…while the attacks themselves are orchestrated by a loosely-knit “team” of affiliates who are typically recruited not for their malware coding abilities, but for their phishing, social engineering and network intrusion skills.

Indeed, we know exactly the sort of “skills”, if that’s an acceptable word to use here, that RaaS operators look for in their affiliates.

About two years ago, the REvil ransomware gang put up a cool $1,000,000 as front money in an underground hacker-recruiting forum, trying to entice new affiliates to join their cybercriminal capers.

Affiliates typically seem to earn about 70% of any blackmail money that’s ultimately extorted by the gang from any victims they attack, which is a significant incentive not only to go in hard, but to go in broad and deep as well, attacking and infecting entire networks in one go.

The attackers often also choose a deliberately difficult time for the company they’re attacking, such as in the early hours of a weekend norning.

The more completely a victim’s network gets derailed and disrupted, the more likely it is that they’ll end up stuck with paying to unlock their precious data and get the business operating again.

As REvil made clear when they spent that $1 million “marketing budget” online, the core RaaS crew was looking for:

   Teams that already have experience and skills in penetration 
   testing, working with msf / cs / koadic, nas / tape, hyper-v 
   and analogues of the listed software and devices.

As you can imagine, the REvil gang had a special interest in technologies such as NAS (networked attached storage), backup tape and Hyper-V (Microsoft’s virtualisation platform) because disrupting any existing backups during an attack, and “unlocking” virtual servers so they can be encrypted along with everything else, makes it harder than ever for victims to recover on their own.

If you suffer a file-scrambling attack only to discover that the criminals trashed or encrypted all your backups first, then your primary route to self-recovery might well already be destroyed.

Strained affiliations

Of course, the symbiotic relationships between the core members of a RaaS gang and the affiliates they rely upon can easily become strained.

The Conti crew, notably, suffered ructions within the ranks just over a year ago, with something of a mutiny amongst the affilates:

Yes, of course they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.

As we pointed out at the time, the implication was that at least some affiliates in the Conti ransomware scene were not being paid 70% of the actual ransom amount collected, but 70% of an imaginary but lower number reported to them by the core Conti gang members.

One of the disgruntled affiliates leaked a substantial Conti-crew-related archive file entitled Мануали для работяг и софт.rar (Operating manuals and software).

Turn on your chums

Well, the United States has just upped the ante once more, officially and publicly offering a reward of “up to $10 million” under the single-word headline Conti:

First detected in 2019, Conti ransomware has been used to conduct more than 1,000 ransomware operations targeting U.S. and international critical infrastructure, such as law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the United States.

Conti operators typically steal victims’ files and encrypt the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely, with some ransom demands being as high as $25 million.

The payment is available under a global US anti-crime and anti-terrorism initiative known as Rewards for Justice (RfJ), administered by the US Diplomatic Service on behalf of the US Department of State (the government body that many English-speaking countries refer to as “Foreign Affairs” or “the Foreign Ministry”).

The RfJ program dates back nearly 40 years, during which time it claims to have paid out about $250 million to more than 125 different people worldwide, which reflects mean average payouts of about $2,000,000 about three times each year.

Although this suggests that any individual whistleblower in the Conti saga is unlikely to net the whole $10 million on their own, there’s still plenty of reward money there for the taking.

In fact, RfJ has promoted its $10 million anti-cybercrime reward before, under a general description:

[The RfJ program] is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

This time, though, the US Department of State has expressed an explicit interest in five individuals, though they’re only known by their underground names at the moment: Dandis, Professor, Reshaev, Target, and Tramp.

Their mugshots are similarly uncertain, with the RfJ page showing the following image:

Only one snapshot shows an alleged perpetator, though it’s not clear whether the allegation is that he might be one of the five threat actors listed above, or simply a player in the broader gang with an unknown nickname and role:

There’s a curious hat (a party piece, perhaps?) featuring a red star; a shirt with a largely-obscured logo (can you extrapolate the word?); a beer mug in the background; an empty-looking drink in a clear glass bottle (beer, by its size and shape?); an unseen instrumentalist (playing a balalaika, by its tuning pegs?) in the foreground; and a patterned curtain tied back in front of a venetian-style blind at the rear.

Any commenters care to guess what’s going on in that picture?


LEARN MORE ABOUT RANSOMWARE IN 2022


13 Comments

LOL–Screw the DoS. They would be the LAST organization that I would tell. Any/all Conti information is safe with me!!

Reply

Solely regarding the dubious principle of publicly spreading a guy’s picture like some Western movie’s ‘wanted’ poster:
What if that’s actually a different individual’s picture?

Worst case could in theory even be as far as, the picture of some wanted individual that no one would want to snitch on, like privacy / human rights activists.

So, this Justice dept could simply stitch such ‘unwanted people’ pictures on the nickname of a cybercriminal.

Solely based on this principle, I wouldn’t want any of this cash reward.
The possible potential for abuse with this method is way too high.

Who cans even actually witness this guy doing a digital crime?
It’s not like a murder where someone could 100% recognize his face when he flees the scene.

I don’t want this ‘throw a random picture & a snitch will tell us’ thing to become normal for digital crimes.

You either yourself 100% know that this guy comitted the crime, or you can also be like ‘no saw, no heard, no said’.

If you *know* that *this* guy in the picture did it, then you can tell or not tell.
But if you only merely saw this guy somewhere and you don’t even know anything about the guy, then just live your life.

Reply

*cough*
You might get a bit farther with analyzing that picture if you look closer at the *faces* in it.
(Plural. Not a typo.)
*cough*

Reply

That’s not very helpful advice given that if we already thought there were additional faces we’d have alluded to them in the text. (We had someone contact Naked Security directly to ask, “Whose face is that directly behind the guy with the hat?”, if that is the part of the image you are referring to. As you will see from the text, we construed that detail as part of the pattern on an open curtain tied back in front of the window blinds.)

Can you be clearer, and specifically list the rectangles within the full image (pixel or percentage co-ordinates from the top left corner will do) where these “plural faces” can be seen, and whose faces you think they are?

Reply

Look over the man’s right shoulder. Appears to be a statue / sculpture. The question is: can anyone identify and place it?

(And yes, that is probably a balalaika, and the hat *appears* to be a 1930’s-era Red Army artifact or replica.)

Reply

It’s a curtain (with some sort of repetitive pattern) at the window. Opened and tied back to one side, as curtains often are. Isn’t it?

Surely far too large and weirdly-shaped to be a human sculpture?

Reply

Not necessarily. For one thing, many humanoid statues / sculptured are as tall or taller than average humans. When they are placed indoors, they are sometimes indicative of financial status of the property owners. That said, only the head is seen so it is entirely possible that it could be a bust placed atop a display pedestal or other piece of furniture.

It’s not all that oddly shaped. There is a chin, smile, nasolabial fold, eye, brow / brow line, and presumably a hairline or edge of a “head covering”. Near-complete left half of an adult male face.

Reply

If I force myself to “see” a person, they have a truly giant head with four eyes (two “left eyes” visible one above the other), and a voluminmous, sci-fi-monster cranium.

I see a curtain. What I assume you see as a chin, I see as a smooth, continuous, catenary-like curve that continues perfectly behind the back of the subject’s head and continues upwards to the ceiling. Like a sheet of material would if suspended at one end and tied off to one side at the bottom.

(I am not saying you are seeing things that aren’t there, but you are extrapolating from very few pixels – I actually scaled up the image from the RfJ site, where the entire image is just 146 pixels wide. If your statue is a person, who do you think it is?)

Reply

So the NSA can’t find anyone from the most prolific criminal groups in the world? what a crock. – As a US citizen, I want a refund for the trillions you’ve spent to do NOTHING to contribute to a better world. All you’ve done is protect government misdeeds – the exact opposite of what you should be doing. Every year I am surprised that I can be more ashamed of my government than the year before.

Reply

*All* that the US public service has ever done is conduct coverups? It’s done *NOTHING* done to defend against cybercrime?

The problem with absolute claims of that sort is that even a single counter-example disproves them immediately. (You can’t make 100% claims unless you are 100% correct. You’re not saying they could do better, you are saying – insisting, in fact – that the US has *never* investigated, found, remediated damage from, prosecuted, convicted, punished *any* cybercrook, ever, because it has only ever worked on coverups.)

Here are a few recent counter-examples reported on this site:
https://nakedsecurity.sophos.com/2022/07/04/canadian-cybercriminal-pleads-guilty-to-netwalker-attacks-in-us/
https://nakedsecurity.sophos.com/2022/06/21/capital-one-identity-theft-hacker-finally-gets-convicted/
https://nakedsecurity.sophos.com/2022/06/08/ssndob-market-servers-seized-identity-theft-brokerage-shut-down/
https://nakedsecurity.sophos.com/2022/05/13/he-cracked-passwords-for-a-living-now-hes-serving-4-years-in-prison/
https://nakedsecurity.sophos.com/2022/03/11/alleged-kaseya-ransomware-attacker-arrives-in-texas-for-trial/

Note that I am not offering any judgment here, simply providing what seem to be well-documented examples of busts that actually happened.

Perhaps you were simply making a point by hyperbole… but if so then it’s dangerously close to a sweeping statement such as as “All [persons of ethnicity X] have [character flaw Y]”.

PS. Did I get trolled here? If so, pretend that the comment was neither approved nor answered.

Reply

They pay the Russian government/agents some percentage so it turns a blind eye. The Chinese are cleverer: all their cyber criminals are in fact employees or soldiers of the “beloved leader” so they see almost nothing from the loot.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!