Wednesday, February 5, 2025
Elliptic’s analysis of newly discovered ransomware transactions revealed that Conti’s illegal activities netted the group at least $25.5 million as of July 2021, including one ransom payment of over $7 million in November 2021.

In cooperation with the threat intelligence company Prodaft, Elliptic analyzed Bitcoin addresses associated with 14 ransomware attacks carried out by Conti between July 1 and November 5, 2021. Prodaft identified these addresses after gaining access to Conti’s administrative management portal.

Conti ransomware was first spotted in 2020 and is believed to be the successor to Ryuk, which has been active since 2018. Both Conti and Ryuk are operated by the Russian cybercrime group Wizard Spider.

Conti has targeted a number of high-profile victims, including Japanese electronics supplier JVCKenwood and high-society London jeweler Graff. In September 2021, Prodaft’s threat intelligence team observed an increase in ransomware attacks attributable to Conti, which is currently one of the most active strains of ransomware.

Of the 14 attacks Elliptic analyzed, 50% resulted in a payout to Conti, though the group’s overall success rate is likely to be significantly lower: in the same period, Conti’s public leak site listed more than 130 victims.

Conti uses a Ransomware-as-a-Service (RaaS) model. RaaS Bitcoin transactions are characteristically split – since the revenue from each ransom payment is distributed between the ransomware operator and the affiliate that infected the victim – with the exact percentage varying between RaaS groups. In most cases, affiliates are awarded the majority of the ransom payment, while ransomware operators take a smaller percentage.

Analysis of the ransom payment addresses identified by Prodaft resulted in the identification of a consolidated cluster, which received a 22.5% split of several ransom payments, believed to represent the operator’s share. In total, Conti received at least $25.5 million (more than 500 BTC) in ransom as of July 2021, of which $6.2 million was retained by Conti’s operator.
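The split-payment pattern described in the two paragraphs above is what lets an analyst separate the operator’s share from the affiliate’s. The following is an added example, not Elliptic’s or Prodaft’s code: it applies a fixed-ratio test (the page’s 22.5% figure) to each forwarding transaction, then merges the operator-side addresses that are later spent together (the common-input-ownership heuristic) into a candidate operator cluster. All transactions, addresses and amounts are constructed sample data.

```python
"""Added example (not Elliptic's or Prodaft's code): a toy heuristic for spotting
the operator/affiliate split in RaaS ransom payments.

A ransom landing on a victim-specific address is typically forwarded in one
transaction whose outputs divide the sum in a fixed ratio (the page reports a
22.5% operator share for Conti). Applying the same ratio test across many
payments and unioning the operator-side addresses that are later co-spent
(common-input-ownership heuristic) yields a candidate operator cluster.
All transactions below are constructed sample data, not real chain data.
"""
from collections import defaultdict
from itertools import combinations

OPERATOR_SHARE = 0.225   # fraction reported on the page for Conti's operator
TOLERANCE = 0.01         # allow for fees / rounding of the on-chain amounts

# Constructed sample transactions: (txid, input addresses, [(output address, BTC)])
SAMPLE_TXS = [
    ("tx1", ["victimA"], [("opA", 11.25), ("affA", 38.75)]),   # 50 BTC ransom split 22.5/77.5
    ("tx2", ["victimB"], [("opB", 4.50), ("affB", 15.50)]),   # 20 BTC ransom, same split
    ("tx3", ["victimC"], [("affC", 9.00), ("opC", 2.70)]),    # ~11.7 BTC, operator share listed second
    ("tx4", ["victimD"], [("payD", 7.00), ("chgD", 0.03)]),   # ordinary payment plus change, no split
    ("tx5", ["opA", "opB", "opC"], [("consol", 18.40)]),      # operator consolidates its shares
    ("tx6", ["affA"], [("exch1", 38.70)]),                    # affiliate cashes out separately
]


def split_outputs(outputs, share=OPERATOR_SHARE, tol=TOLERANCE):
    """Return (operator_addr, amount) if one of exactly two outputs takes
    roughly `share` of the transaction total, else None."""
    if len(outputs) != 2:
        return None
    total = sum(amt for _, amt in outputs)
    for addr, amt in outputs:
        if abs(amt / total - share) <= tol:
            return addr, amt
    return None


class UnionFind:
    """Minimal disjoint-set structure for address clustering."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def find_operator_cluster(txs, share=OPERATOR_SHARE, tol=TOLERANCE):
    """Identify the cluster of addresses that repeatedly receive the operator-side
    share of split payments. Returns (sorted member addresses, total BTC received)."""
    uf = UnionFind()
    received = defaultdict(float)
    # Common-input-ownership: all inputs of one tx are assumed to share an owner.
    for _, inputs, _ in txs:
        for a, b in combinations(inputs, 2):
            uf.union(a, b)
    for _, _, outputs in txs:
        hit = split_outputs(outputs, share, tol)
        if hit:
            addr, amt = hit
            received[addr] += amt
    if not received:
        return [], 0.0
    # Group operator-side addresses by their cluster root and keep the largest group.
    by_root = defaultdict(list)
    for addr in received:
        by_root[uf.find(addr)].append(addr)
    members = max(by_root.values(), key=len)
    return sorted(members), round(sum(received[a] for a in members), 8)


if __name__ == "__main__":
    members, total = find_operator_cluster(SAMPLE_TXS)
    print("candidate operator cluster:", members, "received", total, "BTC")
```

On the sample data the three operator-side outputs are recognised by the ratio test and merged by their later co-spend into one cluster holding 18.45 BTC, while the ordinary payment with change (tx4) is not mistaken for a split. Real chains need the obvious refinements (fee handling, multi-output batches, exchange-side change), but the two heuristics are the same ones that make a consolidated operator cluster visible.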

IMG 1: Screenshot from Elliptic’s cryptocurrency research software, Forensics, showing the destination of the Conti operator’s share of the ransom payments.

Apart from one outgoing payment of 0.07 BTC sent from the consolidation cluster to a prominent exchange in August 2021, the Conti operator has not sent any of the Bitcoin in this wallet to services such as exchanges where the revenue could be cashed out. Blockchain records show that the remaining 123.06 BTC are currently held in an unhosted (self-custodied) wallet.

Elliptic also tracked ransomware revenue received by Conti affiliates. One identified wallet received payments from both Conti and DarkSide, which may indicate that the individual worked as an affiliate for both of these groups.

Conti affiliates appear to be running a sophisticated money laundering operation, avoiding any obvious consolidation of funds. Despite this, Elliptic has identified affiliate funds being sent to exchanges, coin swap services, privacy-enhancing wallets including Wasabi, and the Russian darknet marketplace Hydra.

The importance of countering ransomware groups and how Elliptic can help

The fight against ransomware has become a top priority for the world’s largest financial jurisdictions, with the US Office of Foreign Assets Control (OFAC) recently imposing sanctions on two cryptocurrency exchanges believed to be laundering ransomware proceeds. The latest, against Latvia-based Chatex, coincided with an international law enforcement operation against REvil, another ransomware group.

Virtual asset service providers (VASPs) and financial institutions have a legal and financial responsibility to have effective transaction screening tools in place to prevent facilitating ransomware-related money laundering. Any attempt by Conti operators or affiliates to cash out is a risk to VASPs.
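What such a screening check actually computes is exposure: how much of an incoming deposit traces back to a flagged cluster, and how many hops away that cluster is. The following is an added example, not Elliptic’s or any vendor’s code. It runs value-proportional (“haircut”) taint propagation over a constructed transaction graph seeded with a hypothetical flagged operator address, then scores a deposit address the way a VASP’s intake check would. Addresses, amounts and transaction ids are constructed; the 10% threshold and 5-hop limit are assumed policy values.

```python
"""Added example (not Elliptic's or any vendor's code): value-proportional
("haircut") taint tracing through a constructed transaction graph, the kind of
check a VASP runs on an incoming deposit to measure its exposure to a flagged
ransomware cluster. Addresses, amounts and txids below are constructed.
Simplification: balances are not debited on spend; an address's taint is the
share of everything it has ever received that is tainted."""
from collections import defaultdict, deque

# Constructed transactions in chronological order: (txid, inputs, outputs),
# where inputs and outputs are lists of (address, BTC).
SAMPLE_TXS = [
    ("t1", [("conti_op", 10.0)], [("hop1", 10.0)]),
    ("t2", [("clean_src", 30.0)], [("hop1", 30.0)]),        # unrelated clean funds land on hop1
    ("t3", [("hop1", 40.0)], [("hop2", 25.0), ("hop1_chg", 15.0)]),
    ("t4", [("hop2", 25.0), ("clean_src2", 25.0)], [("deposit_addr", 50.0)]),
    ("t5", [("clean_src3", 5.0)], [("clean_dep", 5.0)]),
]
FLAGGED = {"conti_op"}   # hypothetical cluster supplied by an analytics provider


def propagate_taint(txs, flagged):
    """Return {address: (tainted_btc, total_btc)} after haircut propagation.
    Funds spent from a flagged address are 100% tainted; each transaction
    passes the value-weighted average taint of its inputs on to every output."""
    tainted = defaultdict(float)
    total = defaultdict(float)

    def fraction(addr):
        if addr in flagged:
            return 1.0
        return tainted[addr] / total[addr] if total[addr] else 0.0

    for _, inputs, outputs in txs:
        in_total = sum(amt for _, amt in inputs)
        f = sum(fraction(a) * amt for a, amt in inputs) / in_total
        for addr, amt in outputs:
            tainted[addr] += f * amt
            total[addr] += amt
    return {a: (tainted[a], total[a]) for a in total}


def hops_from_flagged(txs, flagged):
    """BFS over the address graph (input -> output edges); returns hop counts
    from the nearest flagged address for every reachable address."""
    adj = defaultdict(set)
    for _, inputs, outputs in txs:
        for a, _ in inputs:
            for b, _ in outputs:
                adj[a].add(b)
    dist = {a: 0 for a in flagged}
    queue = deque(flagged)
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def screen_deposit(addr, txs=SAMPLE_TXS, flagged=FLAGGED, threshold=0.10, max_hops=5):
    """Return (should_flag, exposure_fraction, hops) for a deposit address.
    threshold and max_hops are assumed policy values, not anything the page states."""
    exposure = propagate_taint(txs, flagged)
    t, tot = exposure.get(addr, (0.0, 0.0))
    frac = t / tot if tot else 0.0
    hops = hops_from_flagged(txs, flagged).get(addr)
    should_flag = frac >= threshold and hops is not None and hops <= max_hops
    return should_flag, round(frac, 4), hops


if __name__ == "__main__":
    for a in ("deposit_addr", "clean_dep"):
        print(a, "->", screen_deposit(a))
```

On the sample graph the deposit is three hops from the flagged address and 12.5% of its value traces back to it (10 of the 40 BTC on hop1 were tainted, and hop2 supplied half of the deposit), so it trips the assumed 10% threshold, while the unrelated deposit scores zero. Mixing and clean co-inputs dilute the fraction at each hop, which is why the hop count is reported alongside it rather than relying on either number alone.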

We at Elliptic offer blockchain analytics solutions to help regulated crypto-asset businesses and financial institutions prevent exposure to illegal actors such as ransomware groups.

Elliptic’s customers can visualize and investigate wallets and transactions, including ransomware payments, using Elliptic Forensics to ‘follow the money’ to its ultimate source or destination. Elliptic Lens and Navigator allow you to screen wallets and transactions to ensure you stay compliant in an increasingly ransomware-focused regulatory environment.

Contact us for a demo and to learn more about how Elliptic’s leading blockchain analytics solutions can enable you to address the dual challenges of sanctions and ransomware.
