Collaborative Research on the CONTI Ransomware Group

An Insight into the 'Customer' Negotiation Process and Some Lessons Learnt

Ransomware remains one of the pre-eminent cyber threats, with the evolution in tactics, techniques and procedures (TTPs) amongst threat actor groups over recent years upping the stakes for both victims and defenders.

 

In addition to Team Cymru’s involvement with the Ransomware Task Force, our analysts have also been collaborating over recent months with a group of academics, focusing specifically on the CONTI ransomware group.

 

Today we are publishing some of the findings made to date (at TLP: WHITE), on behalf of this collaborative international effort.

 

PDF available here: Conti Research Paper.

This paper examines the operations of the CONTI group, including the websites used to negotiate ransom payments, and to advertise and sell victim data. It will outline some potential flaws in the group’s operation, as well as ways that as a community we may be unknowingly leaking victim information.

 

Figure 1 – An Example of the CONTI Negotiation Portal