For around two years the Conti ransomware group rampaged across the internet. They attacked hospitals, educational institutions, businesses, governments, and many more, raking in hundreds of millions of dollars in ransomware payments.

Business was booming for the cybercriminals. At least it was until the Russian President Vladimir Putin announced the full-scale invasion of Ukraine. The Conti leadership quickly pledged their loyalty to Russia and then everything began to fall apart.

This is the story of one of the most professional, prolific, and devastating organized cybercriminal groups in history.

Speaker(s):

Selena Larson – Senior Threat Intelligence Analyst and DISCARDED Podcast Co-host at Proofpoint - Twitter

Berk Albayrak, Threat Intelligence Analyst within the PRODAFT Threat Intelligence team and expert on Wizard Spider - Twitter

Conor Gallagher – Crime and Security Correspondent of the Irish Times - Twitter

Allan Liska, Threat Intelligence Analyst at Recorded Future and author of Ransomware: Understand. Precent. Recover. - Twitter

Juan Ignacio Nicolossi, the team leader for the Threat Intelligence Team at PRODAFT.

Zoë Brammer, Cyber & Information Operations Associate at the Institute for Security and Technology - Ransomware Ecosystem Map

Jake Moore, Global Cybersecurity Advisor for ESET.

Artwork by Paulina Rosol-Barrass

Additional Reading:

Reports/Papers:

PRODAFT - Conti Ransomware Group In-Depth Analysis

PRODAFT - Wizard Spider In-Depth Analysis

Google - Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape

DISCARDED Podcast (Proofpoint) - Defending Against Cyber Criminals: Emotet’s Resurrection & Conti’s Implosion - April 12 2022

pwc - Conti cyber attack on the HSE: Independent Post Incident Review

CNN - ‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang

Proofpoint - The Human Factor Report 2022 - Threat Report

Ransomware Task Force (Institute for Security and Technology - Blueprint for Ransomware Defense

Ransomware Task Force (Institute for Security and Technology - Combating Ransomware

Ransomware Task Force (Institute for Security and Technology - MAPPING THE RANSOMWARE PAYMENT ECOSYSTEM - Video: Mapping the Ransomware Payment Ecosystem & Opportunities for Friction

Ransomware Task Force (Institute for Security and Technology - MAPPING THREAT ACTOR BEHAVIOR IN THE RANSOMWARE PAYMENT ECOSYSTEM: A MINI-PILOT

Ransomware Task Force (Institute for Security and Technology - GAINING GROUND

Book - Ransomware: Understand. Precent. Recover.

Recorded Future - The Business of Fraud: Botnet Malware Dissemination

Recorded Future - Russia’s War Against Ukraine Disrupts the Cybercriminal Ecosystem

Sophos 2023 Threat Report

Sophos - The State of Ransomware 2023

Europol - Wasabi Wallet Report

Wasabi - CoinJoin Legal Concern

vmware - Emotet Exposed: A Look Inside the Cybercriminal Supply Chain

Krebs on Security - Conti Ransomware Group Diaries

Elliptic - Conti Leaks Investigation - The $19m in DAI found in an account linked to Conti Member ‘Target

The Chainalysis 2022 Crypto Crime Report

The Chainalysis 2023 Crypto Crime Report

AdvIntel - DisCONTInued: The End of Conti’s Brand Marks NewChapter For Cybercrime Landscape

FinCEN - Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021

FinCEN - Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

(Forescout) Vedere Labs - Analysis of Conti Leaks

FATF - Professional Money Laundering

FATF - Targeted update on implementation of the FATF standards on virtual assets and virtual asset service providers

accenture - Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground...