Since the Conti ransomware strain emerged in 2020, its operators have caused havoc around the world. They have used it to cripple hospitals, attack governments, and extort countless businesses. These criminal hackers have targeted more than 1,000 organizations, earning over $180 million last year alone. Now, the US government is upping its fight against the group, identifying members of the gang for the first time and aiming to expose their potential ties to the Russian state.
Today, the Rewards for Justice mission, an organization within the US State Department that handles national security rewards, is announcing new bounties of up to $10 million for anyone who provides useful information about individual members of Conti. Specifically, the agency has called for people to share details about five key members of the Conti group: actors using the handles Professor, Reshaev, Tramp, Dandis, and Target.
Rewards for Justice has also published an alleged photo of the person believed to be Target. In the picture, a middle-aged man is wearing a hat with ear flaps, a black T-shirt, and a dark-colored jacket. It is one of the first times that the potential real-world identity of a member of the Conti gang has been publicly exposed.
“Today marks the first time that the US government has publicly identified a Conti operative,” says a State Department official who asked not to be named and did not provide any more information about Target’s identity beyond the picture. “That photo is the first time the US government has ever identified a malicious actor associated with Conti,” they say, adding they are looking for information ranging from names of the individuals to their physical locations to their vacation and travel plans. (Many cybercriminals based in Russia will not travel abroad due to fears of arrest.)
The move from the State Department signifies Conti’s uniquely dangerous role in the world of ransomware. Often known as Wizard Spider, or part of the wider Trickbot cybercrime syndicate, the group is run and organized like any small- or medium-sized business. Earlier this year, Conti’s innermost secrets were exposed by a Ukrainian cybersecurity researcher who published 60,000 of its internal messages after Conti backed Vladimir Putin’s full-scale invasion of Ukraine. The leaked information has been dubbed the Conti Files.
Conti and the wider Trickbot group are thought to have more than 100 different members, each working within individual departments. According to their leaked chats, they ask for holiday time off, are paid regularly, and are professional in their approach to extorting victims. The leaks even showed that the group has tried to develop a cryptocurrency payments platform. When Conti attacked the Costa Rican government earlier this year—disrupting more than 30,000 medical appointments—a separate $10 million reward was issued.
The Rewards for Justice program is separate from other rewards programs across the US and focuses on national security issues, such as foreign election interference and North Korean hacking groups. “[Conti] is viewed as a national security threat because we believe, and we are seeking more information to confirm, that they are associated with a foreign government,” the state department official says. “They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat.”
Many members of Conti are believed to be based in Russia or surrounding regions. For years, the Kremlin has largely turned a blind eye to cybercriminals based in the country, making it a home base for several ransomware groups. The leaked Conti Files revealed that some high-level members of the gang appear to have connections to the Russian state and security services. Members of the group have chatted about working on “political” subjects and knowing members of the Russian hacking group Cozy Bear, also known as Advanced Persistent Threat 29.
“Conti has publicly acknowledged its connection with foreign governments, specifically its support of the Russian government,” says US Air Force major Katrina Cheesman, a spokesperson for the Cyber National Mission Force. “Based on its ties to Conti and other indicators, it is assessed that the leadership of the organized crime group known as Wizard Spider likely have a connection to government entities inside of Russia,” Cheesman adds.
Since the Conti Files were leaked in early March, multiple cybersecurity firms have pored over the documents. It is believed that Professor, who is included in the reward program’s call for information and is also involved in Trickbot, oversees much of the ransomware deployment and is a “significant player” in the operation, according to security experts. In other cases, several online monikers used by actors of the Conti group may, in fact, refer to the same person.
Aside from the Conti Files, there have been other leaks from the wider cybercrime syndicate. Earlier this year, a Twitter account called Trickleaks started posting the alleged names and personal details of Trickbot members. The doxxing, which has not been independently verified but is believed to be at least partly accurate, shows photos of alleged members and their social media accounts, passport details, and more.
Jeremy Kennelly, a senior manager in financial crime analysis at cybersecurity firm Mandiant, says that continued action against Conti and Trickbot is “critical” in helping prevent ransomware groups from making money and attacking businesses. “Stripping anonymity from key players, offering bounties, seizing illicit funds, and making public declarations of intent are important actions that may help to increase the real and perceived risks of engaging in ransomware operations and may ultimately lead to a chilling effect among some criminal actors and/or organizations,” Kennelly says.
The Rewards for Justice officials say that they will be publishing their call for information about the Conti members in multiple languages and urge people to get in touch via a Tor link. All of the tips they receive will be verified, and any lead must pass multiple steps before a payment is made. They say it is theoretically possible that multiple $10 million rewards could be issued. The officials are specifically targeting Russian-language online spaces, saying the reward details will be posted to Russian social network VK and also hacking forums.
In recent weeks, Conti’s activities have dwindled, as it is believed the group is attempting to rebrand following the leak of its internal chats. However, many of the members are still thought to be active and involved in other cybercrime efforts. These kinds of ransomware attacks can have a huge impact on businesses and wider society.
“While these are not state-sponsored groups, they routinely carry out attacks as impactful as any nation-state group, and they need to be treated as such,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “This likely won’t lead to the arrest of members of Conti, unless any of them are dumb enough to step foot outside of Russia. The intelligence that might be gathered through this reward could prove to be invaluable.”
