The monthly salary of the average participant of the Conti cyber-extortion group is about $ 1.8 thousand, which is quite small, given its income.
The Secureworks information security company has published the results of an analysis of the group’s internal chats that leaked earlier this month.
Conti (GOLD ULRICK in the Secureworks classification) is a powerful cyber-extortion group, allegedly operating from Russia, whose victims are hundreds of organizations around the world. Hackers penetrate the networks of the attacked companies (by hacking them themselves or buying access on the black market), steal data, encrypt networks and demand a ransom. If the victim refuses to pay, her data is published online.
The amount of the required redemption is on average about $ 750 thousand, but, depending on the size of the company and its annual income, it can be much higher and reach $ 1 million.
Earlier, the researchers of the information security company Check Point also studied the leaked Conti chats and found out that it works like a very ordinary software company. “Employees” work remotely and in offices, their performance is regularly evaluated, bonuses are provided, there are teams of developers and testers, system administrators and HR department.
During the interview process, applicants are not always informed that they will work for a criminal organization, but when they find out about it later, they are offered a salary increase.
As Secureworks specialists found out, after analyzing 160 thousand messages exchanged by about 500 people in the period from January 2020 to March 2022, Conti paid salaries to 81 people, and the average monthly salary was $ 1.8 thousand.
Although the leaders of the group, most likely, receive much more, compared to the average salary in Russia, $ 1.8 thousand per month is a pretty good income, and given the fall in the ruble exchange rate, it is completely excellent.
In addition, experts have studied the leaked correspondence between the “appointed head” of Conti under the pseudonym Stern and other cybercrime groups.
Stern is described as a person who “makes key organizational decisions, distributes salaries, settles conflicts and communicates with other cybercrime groups.” According to the researchers, Stern may also be the head of Trickbot/BazarLoader.
Among other things, experts have identified a connection between the cybercrime groups Gold Crestwood (Emotet), Gold Mystic (LockBit) and Gold Swathmore (IcedID), however, it may not be direct, but for the purpose of communication and/or cooperation.
On March 20, a security researcher, presumably from Ukraine, published the latest version of the source code of the extortionate Conti software. The package was posted on VirusTotal, which can be used by both security experts and cybercriminals.