Feds Post $10 Million Reward for Conti Ransomware Actors$5 Million Reward Also Offered for Conviction of Participants in Any Conti Incident
The U.S. Department of State is offering rewards of up to $10 million for information that leads to the identification or location of anyone who holds a key leadership position in the Conti ransomware variant transnational organized crime group.
The Department of State is also offering a second reward of up to $5 million for information that leads to the arrest or conviction of anyone in any country who wants to participate or did participate in a Conti variant ransomware incident.
The reward money will come from the State Department's Transnational Organized Crime Rewards Program and is being administered as part of the government's Rewards for Justice program.
Conti remains one of the most prolific ransomware groups. "The Conti leak site listed an average of 43 victims per month in 2021, "hitting a peak of 95 last November before easing off for the winter holidays," according to cybersecurity firm Secureworks. After a lull at the end of 2021, which is typical for cybercrime groups, Conti's activities appear to have resumed in earnest in February, and it has continued to post new victims despite a security researcher leaking the group's internal communications and source code in late February.
The Department of State has tied the Conti ransomware group to hundreds of ransomware incidents over the past two years. "The FBI estimates that as of January, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150 million, making the Conti ransomware variant the costliest strain of ransomware ever documented," it says.
Conti's Recent Activity
In April, Conti launched a ransomware attack against the Costa Rican government that severely affected the country's foreign trade by disrupting its customs and tax platforms.
The government says targeted agencies included the Ministry of Finance; the Ministry of Science, Innovation, Technology and Telecommunications, or MICITT; the Instituto Meteorológico Nacional; the Radiográfica Costarricense; and a Caja Costarricense de Seguro Social portal.
Conti had demanded a $10 million ransom from the Costa Rican government, but since no negotiations were initiated, the group began leaking the data it had exfiltrated, according to its data leak site.
Paola Vega Castillo, the head of MICITT, said that the attack against his ministry resulted only in "modification of the contents of the web page," and that no data appeared to have been stolen. But in the case of the IMN and RACSA, a "process of extracting email archives" was detected, and the CCSS confirmed that its human resources portal had been targeted, she says.
Conti, on its data leak site "Conti News," claims it gained access to about 800 servers and stole nearly 1TB of data, including 900GB of Tax Administration Portal databases, as well as 100GB of Ministry of Finance internal documents containing full names and email addresses.
Conti later also claimed to have accessed two other email server files of two more Costa Rican entities. The attackers also claimed to have implemented a large number of backdoors in various public ministries and private companies, and they pledged to continue to attack Costa Rican entities until the government pays them a ransom.
Widening Attack Surface?
As it seeks to take down new targets, Conti continues to refine its technical acumen, according to researchers at cybersecurity firm Trellix. They say the Russian-language ransomware group has been targeting ESXi hypervisors with a Linux version of its ransomware, which it first detected in the wild on April 4.
"Although the ESXi version of Conti is not new and has already been discussed, this is the first public sample we have seen in the wild," the researchers write in a newly published report that describes a newly detected Linux variant of Conti ransomware.