Chris Swagler | May 12th, 2022

The United States Department of State is offering $10 million for information leading to the identification and location of Conti ransomware group leaders and co-conspirators. An additional $5 million is offered for information leading to the arrest and/or conviction, in any country, of individuals conspiring or attempting to participate in Conti ransomware attacks. According to a State Department spokesperson, Conti has targeted more than 1,000 victims who have paid over $150 million in ransoms, making it the costliest ransomware strain ever documented. Conti is responsible for hundreds of ransomware incidents over the past two years. By offering this reward, the United States government is signalling its commitment to protecting potential ransomware victims worldwide from exploitation by cybercriminals.

The reward is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP). The TOCRP is managed by the Department in close coordination with federal law enforcement partners as part of the government’s effort to disrupt and dismantle transnational organized crime, including cybercrime. Since 1986, the TOCRP and the Narcotics Rewards Program have brought more than 75 transnational criminals and major narcotics traffickers to justice. Under these programs, the Department has paid more than $135 million in rewards.

The Conti ransomware group is most recently responsible for a cyberattack on the Costa Rican government that disrupted its customs and tax platforms, severely impacting the country’s foreign trade. The President of Costa Rica declared a national emergency after the ransomware attack on numerous government bodies. Conti published 97% of the 672 GB it stole, which contains data belonging to several Costa Rican government agencies. The Ministry of Finance was the first public body to suffer damage and is still evaluating the scope of the security incident and to what extent taxpayer information, payment systems, and customs systems were impacted. The Ministry refused to pay a $10 million ransom demand. On its leak site, the Conti ransomware group lists the following government agencies as affected by the attack.

The threat actor “UNC1756”, along with their affiliate, claimed responsibility for the cyberattack and threatened to launch more serious attacks in the future. The Treasury’s digital services were unavailable for an extended period, affecting the entire “productive sector” because government procedures, signatures, and stamps were disrupted. The cyberattack impacted several other agencies:

Conti is a Ransomware-as-a-Service (RaaS) operation with connections to the Russian cybercrime group Wizard Spider, which is known for other malware including Ryuk, TrickBot, and BazarLoader. In May 2021, Ireland’s Health Service Executive (HSE) and its Department of Health (DoH) were among Conti’s victims and were asked to pay a $20 million ransom. The FBI also issued a warning that Conti operators had targeted more than a dozen US healthcare and first responder organizations.

A disgruntled affiliate leaked Conti’s training materials, including operator information, deployment manuals for various malicious tools, and numerous help documents provided to the group’s affiliates. Analysts from numerous cybersecurity companies indicate that Conti runs various side businesses to sustain its ransomware operation and to pay for initial network access. According to researchers, the Karakurt data extortion group, a side operation active since June 2021, is connected to Conti as the cybercrime group’s data extortion arm.

Even with the $15 million offered by the State Department and an internal leak, ransomware groups like Conti will continue to target governments and high-profile companies worldwide. That is why it is important for companies to remain vigilant about the current threat landscape, regularly review and update their network security posture, and contact the FBI or local law enforcement with any ransomware-related information. At SpearTip, our IT remediation experts focus on restoring the operations of companies and their insureds. Our team immediately reclaims networks by isolating malware and recovering the business-critical assets needed to operate. Our qualified professionals in our 24/7/365 Security Operations Center execute the technical recovery plan, using digital forensics to determine and communicate recovery options. We understand the importance of recovering core operations, which is why we offer full-scale incident coordination designed to meet individual organizational needs.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.