The world famous hacker group operates like a company, has recruitment interviews, even “runs KPIs of all kinds”

The Conti ransomware group appeared in 2020 and quickly became one of the largest ransomware organizations in the world with about 350 members. In the past two years alone, this hacker group has made about $2.7 billion in profits.

According to the FBI’s Internet Crime Report 2021, Conti’s ransomware ranks among the top three variants targeting critical US infrastructure.

Shmuel Gihon, a researcher at cyber-risk assessment firm Cyberint, commented that Conti was the most successful ransomware group in the world until it was leaked internally on Twitter, on February 28. An account called ContiLeaks claiming to be “a security researcher” posted thousands of internal Conti messages.

Chats between Conti members were made public on Twitter. Photo: The Record.

According to Gihon, the leak had a huge impact on the cybersecurity community, with many cybersecurity researchers around the world spending weeks studying the documents.

The leaked documents detail Conti’s size, leadership and operations, and the ransomware source code used by the group.

Traditional organization

Documents posted online show that Conti is organized and operated like a regular technology company with a clear management structure.

Conti’s organizational chart. Graphics: Cyberint.

Lotem Finkelstein, director of threat assessment at Check Point Research, said Conti has separate finance and human resources divisions. Some evidence even suggests that Conti even has a research and development department. During the operation, group leaders will report directly to their superiors.

Company regulation

Check Point Research found that Conti pays employees regularly (using fake information to protect their identities), some of which receive payments in Bitcoin. This hacker group also has a performance evaluation system and regular training courses for employees.

Conti also has expert negotiators with commissions ranging from 0.5-1% for successful extortion transactions.

This group of hackers also rewards those who refer personnel to the company, has a reward for half a month’s salary for “typical employee of the month” as well as fines if the employee does not meet the work quota.

When recruiting, candidates will be promised a high salary, interesting work and career development by Conti leaders, but it comes with the requirement to complete the work and often have to work overtime.

Recruitment process

Conti recruits personnel from legitimate sources such as recruitment agencies, in conjunction with criminal networks.

Conti also hires call center staff (no computer skills required) to impersonate well-known businesses and try to scam victims over the phone.

Many employees do not know the nature of Conti

Finkelstein said there is evidence that many Conti employees were unaware they were working in a cybercrime group and believed they were working in an advertising business.

The leaked messages show that the job candidates were deceived by Conti’s management. One message read “Here everything is anonymous, main job is developing software for penetration testers”.

In the process of working, each programmer only works in one software module, so the size of the organization is not understood. If an employee discovers the nature of Conti, they will be offered a raise in order to continue working.

Before the data leak happened, Conti had many uncertainties. Many employees are owed wages, one leader disappeared during January. However, Conti is still operating in moderation and may rise in the future.

(Refer to Quantrimang)