Conti ransomware surfaced as far back as 2020. Believed to have been created by the Russia-based cybercriminal group Wizard Spider, it has since been used in numerous double-extortion campaigns. In May 2022, the U.S. government began offering a reward of up to US$15 million for information on the gang’s key members.
Law enforcement has yet to apprehend the group’s members, at least as far as we know, and Conti ransomware infections continue to make headlines. WhoisXML API threat researcher Dancho Danchev’s recent investigation into the threat revealed:
- Close to 30 known Wizard Spider gang members’ aliases or online handles
- More than 250 email addresses belonging to the gang’s members
- More than 50 domains that served as Conti ransomware hosts
- More than 500 domains that pointed to Conti ransomware command-and-control (C&C) servers, a sizable share of which were registered in the U.S.
- More than 1,400 IP addresses the domains resolved to, primarily geolocated in the U.S., 19% of which were tagged “malicious” by various malware engines
- More than 70 additional domains that shared IP hosts with the C&C domains, 9% of which were tagged “malicious” by various malware engines
A sample of the additional artifacts obtained from our analysis is available for download from our website.
What the Public Knows So Far
In the two years since Conti ransomware came to light, several cybersecurity researchers have published indicators of compromise (IoCs) related to the threat. Danchev’s OSINT analysis uncovered:
- 29 online handles or aliases Wizard Spider members used
- 257 email addresses belonging to the gang’s members
- 52 domains that served as Conti ransomware hosts or download pages
- 512 domains that pointed to Conti ransomware C&C servers or stolen data repositories
Our In-Depth Investigation Findings
Given the wealth of publicly available IoCs, we began by subjecting the 564 domains to a bulk WHOIS lookup. The results showed that 29% of the domains were registered in the U.S., while the remaining 71% were distributed across at least 18 other registrant countries.
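The expansion steps described above (registrant-country breakdown from bulk WHOIS, resolving the seed domains to IP addresses, pivoting from those IPs to co-hosted domains, and scoring each set against reputation verdicts) can be reproduced on any seed list. The following is an added example written for this page, not code from the original investigation or from WhoisXML API; the domains, addresses (from the RFC 5737 documentation ranges), WHOIS fields and verdicts are all constructed stand-ins for the real data sets, and the `max_fanout` guard is an assumption of the example, added because shared-hosting and CDN addresses otherwise flood the co-hosted set with unrelated tenants.

```python
from collections import Counter

# Constructed sample data (not the investigation's real IoCs): a seed list standing in for
# the 564 Conti-related domains, plus the WHOIS, passive-DNS and reputation lookups the text describes.
SEED_DOMAINS = ["c2-alpha.example", "c2-beta.example", "payload-gamma.example", "delta.example"]

WHOIS_REGISTRANT_COUNTRY = {          # bulk WHOIS: domain -> registrant country, None if redacted
    "c2-alpha.example": "US",
    "c2-beta.example": "US",
    "payload-gamma.example": "RU",
    "delta.example": None,
}

FORWARD_PDNS = {                      # passive DNS: domain -> IPs it has resolved to
    "c2-alpha.example": {"203.0.113.10", "203.0.113.11"},
    "c2-beta.example": {"203.0.113.10"},
    "payload-gamma.example": {"198.51.100.5"},
    "delta.example": set(),           # never seen resolving
}

REVERSE_PDNS = {                      # reverse passive DNS: IP -> every domain seen on it
    "203.0.113.10": {"c2-alpha.example", "c2-beta.example", "shop-legit.example", "cdn-node.example"},
    "203.0.113.11": {"c2-alpha.example"},
    "198.51.100.5": {"payload-gamma.example", "news-mirror.example"},
}

MALICIOUS_VERDICTS = {                # reputation engines: indicator -> flagged malicious?
    "203.0.113.10": True, "203.0.113.11": False, "198.51.100.5": True,
    "shop-legit.example": False, "cdn-node.example": True, "news-mirror.example": False,
}


def registrant_country_shares(whois, domains):
    """Percent of domains per registrant country, computed over records that carry a country.
    Returns (shares, redacted_count) so the analyst can see how much WHOIS privacy hid."""
    countries = [whois.get(d) for d in domains]
    known = [c for c in countries if c]
    counts = Counter(known)
    shares = {c: round(100 * n / len(known), 1) for c, n in counts.items()} if known else {}
    return shares, len(countries) - len(known)


def resolve_seeds(pdns, domains):
    """Union of every IP the seed domains resolved to."""
    return set().union(*(pdns.get(d, set()) for d in domains))


def cohosted_domains(reverse_pdns, ips, seeds, max_fanout=50):
    """Domains that share an IP with the seeds, excluding the seeds themselves.
    IPs hosting more than max_fanout domains are skipped (assumed threshold): shared hosting
    and CDN addresses would otherwise drag in thousands of unrelated tenants."""
    seeds = set(seeds)
    found = set()
    for ip in ips:
        tenants = reverse_pdns.get(ip, set())
        if len(tenants) > max_fanout:
            continue
        found |= tenants - seeds
    return found


def malicious_share(verdicts, indicators):
    """Percent of indicators at least one engine flagged malicious (unknown -> not flagged)."""
    if not indicators:
        return 0.0
    flagged = sum(1 for i in indicators if verdicts.get(i, False))
    return round(100 * flagged / len(indicators), 1)


if __name__ == "__main__":
    shares, redacted = registrant_country_shares(WHOIS_REGISTRANT_COUNTRY, SEED_DOMAINS)
    ips = resolve_seeds(FORWARD_PDNS, SEED_DOMAINS)
    neighbours = cohosted_domains(REVERSE_PDNS, ips, SEED_DOMAINS)
    print("registrant countries:", shares, "| redacted records:", redacted)
    print("resolved IPs:", len(ips), "| malicious:", malicious_share(MALICIOUS_VERDICTS, ips), "%")
    print("co-hosted domains:", sorted(neighbours),
          "| malicious:", malicious_share(MALICIOUS_VERDICTS, neighbours), "%")
```

Two points worth noting when running this against live data: WHOIS redaction means the country percentages are computed over a subset of the domains, so report the redacted count alongside them, and the co-hosted pivot is only as trustworthy as the fan-out filter; a low-reputation domain that merely shares a busy hosting IP with a C&C domain is a weak lead, not an indicator.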
Of these domains, only 45 were likely owned by legitimate businesses at least…