
Conti Inc.: understanding the internal discussions of a large ransomware-as-a-service operator with machine learning

Abstract

Ransomware-as-a-service (RaaS) is increasing the scale and complexity of ransomware attacks. Understanding the internal operations behind RaaS has been a challenge because of the illegality of such activities. The recent chat leak of the Conti RaaS operator, one of the most infamous ransomware operators on the international scene, offers a key opportunity to better understand the inner workings of such organizations. This paper analyzes the main discussion topics in the Conti chat leak using machine learning techniques, namely Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), together with visualization strategies. Five discussion topics are found: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem Solving. Moreover, the distribution of topics among Conti members shows that only 4% of individuals have specialized discussions, while almost all individuals (96%) are all-rounders whose discussions revolve around all five topics. The results also indicate that a significant proportion of Conti discussions are not technical. This study thus highlights that running such a large RaaS operation requires a workforce skilled beyond technical abilities, with individuals involved in various tasks, from management to customer service or problem solving. The discussion topics also show that the organization behind the Conti RaaS operator shares similarities with a large firm. We conclude that, although RaaS represents an example of specialization in the cybercrime industry, only a few members are specialized in one topic, while the rest run and coordinate the RaaS operation.

Introduction

In the past 10 years, there has been an increase in the scale, complexity, and number of ransomware attacks (Ryan, 2021). This was facilitated by the rise of ransomware-as-a-service (RaaS) business models, which provide the infrastructure and technology to conduct ransomware attacks (Salvi, 2019; Meland et al., 2020; Maurya et al., 2018; Alwashali et al., 2021). Among the well-known RaaS operators, Conti (formerly Ryuk) (Cimpanu, 2020) stands out as one of the most active and notorious (Chainalysis, 2023).

Conti has been active since early 2020 (Shriebman, 2022), and its ransomware has targeted high-profile organizations, including government agencies, municipalities, healthcare facilities, law enforcement agencies, 9-1-1 dispatch centers and universities (CISA, 2020; 2024). Attacks attributed to Conti are known for high ransom demands, generally payable in Bitcoin, combined with the threat of publishing the victim’s data if the payment is not made (Fokker and Tologonov, 2022).

In early 2022, following the Russian invasion of Ukraine, the Conti RaaS operator announced its support for the Russian government. This announcement allegedly led to the leak of hundreds of thousands of its internal chat messages (Vx-underground, n.d.). The leak represents a key opportunity to better understand the inner workings of the Conti RaaS operator. However, with hundreds of thousands of messages, a manual analysis is a time-consuming and monotonous task.

This study uses machine learning algorithms to uncover insights into the organization of Conti. More precisely, it leverages well-established methods, namely Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), coupled with visualization strategies, to uncover the main discussion topics in the leaked Conti chats. The analysis yielded five distinct topics, distributed across the discussions: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem-Solving. How these topics are distributed among well-known actors is then compared with qualitative analyses conducted by other security researchers. The study’s key takeaways are:

  • The discussion topics uncovered highlight the enterprise-like organization of the Conti RaaS operator.

  • A significant proportion of Conti discussions are non-tech related; large RaaS operations require a workforce skilled beyond technical abilities.

  • Only 4% of individuals have specialized discussions, while most individuals (96%) are all-rounders with diverse discussions.

The results corroborate the idea that running such a large RaaS operation entails developing an enterprise-like structure. The importance of non-technical talk, including business discussions as well as internal tasking and management discussions, also shows that coordinating a large RaaS operation requires a workforce skilled beyond technical abilities. Moreover, only a few individuals need to be truly specialized in one area, while the rest coordinate the activities between members and customers. Even for cybercrime organizations, the bigger the organization becomes, the more “all-rounder” individuals are required to sustain its economic activities. Finally, this study illustrates how to automatically extract actionable information on the organization of a sophisticated cybercrime group.

The rest of the paper is organized as follows: Sect. Background and context presents a short literature review on ransomware-as-a-service and the Conti group; Sect. Methods and data outlines the methods and data; Sect. Results presents the results of the study; Sect. Discussion provides a discussion; Sect. Study limitations and future research presents the limitations and future research; Sect. Conclusion is the conclusion.

Background and context

This section first presents the state of research on ransomware and the rise of ransomware-as-a-service. It then summarizes what is known about the Conti organization to provide context for the study.

Ransomware-as-a-service (RaaS) business model

Ransomware attacks have devastating impacts on enterprises worldwide (Brewer, 2016; Oosthoek et al., 2022; Kamil et al., 2022). Such attacks are an extortion scheme in which an attacker compromises one or several devices, locks the device(s) or encrypts the files, and asks for money in return for restoring access to the device(s) and/or for the key that can decrypt the files. Since the first known instance of ransomware, the AIDS Trojan (Peattie, 1995), ransomware attacks have become a central threat to information technologies and the topic of several studies aimed at preventing and detecting them (Kirda, 2017; Kok et al., 2019; Richardson and North, 2017; Scaife et al., 2016; Song et al., 2016; Lee et al., 2018).

In the past ten years, the threat has evolved. In 2015, Kharraz and colleagues (2015) analyzed 1,359 samples from 15 ransomware families and found that the number of families with destructive capabilities was small. In the same vein, Gazet (2010) conducted a comparative analysis of 15 ransomware samples in 2010 and concluded that ransomware attackers relied on small attacks for small ransoms, which added up to high amounts through mass propagation. In Gazet’s (2010) sample, the bulk of ransomware attackers followed a low-cost and low-risk business model. Since then, there has been an increase in the scale, complexity, and number of ransomware attacks (Ryan, 2021). Indeed, according to recent studies, ransomware attackers are now successful at compromising advanced information systems (Kalaimannan et al., 2017), and they are better at generating revenue through various extortion schemes (O’Kane et al., 2018).

Yet, such an increase in the capacities of ransomware attackers may also be due to the rise of the as-a-service business models that now characterize the cybercrime industry (Huang et al., 2018; Manky, 2013; Hyslip, 2020). Specifically, the ransomware-as-a-service (RaaS) business model provides the infrastructure and technology to conduct ransomware attacks (Salvi, 2019; Meland et al., 2020; Maurya et al., 2018; Alwashali et al., 2021). RaaS clients, known as affiliates, can purchase pre-developed ransomware tools to execute attacks. Usually, affiliates connect to a platform, download the ransomware file, conduct the attack, and manage the victims (Hyslip, 2020). Some RaaS operators provide more support to affiliates, such as negotiating ransoms and/or providing customer support. In some cases, the affiliate and the operator split the profit generated from the attack (Meland et al., 2020). In the end, RaaS models reduce the barriers to entry into the market but do not completely remove them, as affiliates (those who use the service) still need good technical knowledge to make use of the service (Meland et al., 2020).

Recently, a study by Chainalysis (2023) suggested that a small number of affiliates are responsible for a large number of attacks and that these affiliates work with many RaaS operators. The same concentration was observed on the operator side: according to Chainalysis (2023), there exist only a few prolific RaaS operators, including Conti.

Given the scale and professionalization of these prolific cybercrime operators, their structure may resemble that of an enterprise. Indeed, Lusthaus (2018) interviewed over 200 individuals linked to cybercrime and suggested that some cybercrime organizations may now be organized as firms with offices, floors, and work days. Such a corporate-like structure develops where the forces of illegality [as defined by Reuter (1983)], and specifically the risk of arrest, are absent. Without the threat of law enforcement, individuals can openly organize (Lusthaus and Varese, 2021; Lusthaus, 2018). Nevertheless, note that most studies point towards cybercrime organizations being rather small and loosely organized (Leukfeldt, 2014; Leukfeldt et al., 2016, 2017, 2017a, 2017b, 2017c, 2019; Leukfeldt and Holt, 2020; Lusthaus, 2018). Yet RaaS providers, and at least Conti, seem to be the exception to the rule. Understanding how these groups operate is key to countering their criminal activities.

The Conti RaaS operator

Active since 2020, the Conti RaaS operator ran more than 700 campaigns (CheckPoint Research, 2022), generating, in 2021, revenue of over $2.7 billion in cryptocurrency (Shriebman, 2022). To spread ransomware within victims’ networks, Conti was known to rely on phishing campaigns or on exploiting unpatched software vulnerabilities (Umar et al., 2021; Alzahrani et al., 2022). Its phishing campaigns usually carried a zip file or a link luring the victim into downloading a Trojan, which provided the backdoor used to deploy the ransomware (Alzahrani et al., 2022).

Following the Russian invasion of Ukraine in February 2022, the Conti RaaS operator announced its support for the Russian government, which allegedly led to the leak of over 160,000 messages from its internal Jabber chat logs (Vx-underground, n.d.). The person responsible for the leak used a newly created Twitter account, @ContiLeaks (ContiLeaks, 2022; Footnote 1), to release the files, which also include the source code of the Conti ransomware and of other internal projects that the organization used to facilitate its operations.

Since then, qualitative analyses of the chat logs have been conducted by various security researchers from private industry (Fokker and Tologonov, 2022; Cimpanu, 2020; Krebs, 2022; CheckPoint Research, 2022; Kovacs, 2022). These analyses support the idea that Conti was organized as a firm, with physical office buildings, a regular pay schedule and predefined departments such as human resources, finance and reversing (Fokker and Tologonov, 2022; Cimpanu, 2020; Krebs, 2022; CheckPoint Research, 2022; Kovacs, 2022). Conti’s structure followed a classic organizational hierarchy, with team leaders who reported to upper management (CheckPoint Research, 2022). The operator had more than 100 people on its payroll, and employees were assigned a specific 5-day workweek (Krebs, 2022).

More recently, according to Kovacs (2022), the Conti organization shut down the “Conti brand” and transitioned to a different organizational structure involving multiple subgroups. Still, the leaked chat logs represent a golden opportunity to uncover insights into the organization of the Conti RaaS operator beyond these manual qualitative investigations.

Methods and data

This section covers the methods and data used to conduct the analysis, in enough detail that researchers wishing to reproduce it on the Conti chat logs, or on any other corpus, can do so easily. The data source, data preprocessing (cleanup), and modeling strategy are presented below. The goal of the analysis was to automatically detect the discussion topics of Conti members. To do so, we used (1) NLP to clean the data, (2) LDA topic modeling to cluster the discussions into topics, and (3) data visualizations to extract meaning from the results.

Dataset

The chat files used for the research were obtained from TheParmak’s GitHub repository (TheParmak, 2023), one of the first repositories providing open access to the Conti chats translated into English.

The available Jabber chat logs cover the period from June 21, 2020, to March 2, 2022 (Footnote 2). The dataset consists of 168,711 messages exchanged between 346 actors, including members of the organization as well as potential affiliates and customers. The files are in JSON format, and each record contains the timestamp, the sender, the receiver and the message body, structured as follows:

  • "ts": "2021-12-11T08:48:06.821161",

  • "from": "Actor 34@q3mcco35auwcstmt.onion",

  • "to": "Actor 77@q3mcco35auwcstmt.onion",

  • "body": "hello"

We aggregated all messages sent by each actor. Table 1 summarizes the aggregated messages per actor after this processing. This dataset is referred to below as the corpus.

Table 1 Structure of the data after aggregation per actor

When a message was posted in a channel containing several members, the log stored one copy per recipient, so it appeared more than once in the sender’s corpus. For example, if Actor A posted “hello guys” in a channel, the message appeared X times in Actor A’s corpus, X being the number of other people in the channel, even though Actor A posted it only once, as illustrated in Table 2.

Table 2 Chat logs

Such repeated messages were problematic for the model developed below for two reasons: (1) they distorted what an actor “really” posted, so the actor’s corpus no longer accurately represented the actor’s activity, and (2) they impaired topic creation, since a topic is a set of words often seen together across documents and the duplicates inflated those co-occurrence counts. They were thus removed. Each actor’s corpus was then cleaned using Natural Language Processing (NLP), as explained below.
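The ingestion step described above (loading the JSON records, collapsing the per-recipient copies of a channel post, and aggregating messages per sender) can be written as follows. This is an added example, not the paper’s own code. It assumes the leak’s records use the four fields quoted above (ts, from, to, body) and that the copies of one channel post share the same ts, from and body and differ only in to; the records in SAMPLE_JSONL are constructed for illustration and are not leaked content.

```python
"""Load chat records, collapse channel fan-out copies, aggregate per actor.

Added example, not the paper's code. Assumes one JSON object per line with
the fields ts/from/to/body and that fan-out copies share ts, from and body.
"""
import json
from collections import defaultdict

# Constructed sample in the leak's record format (not real messages).
# "Actor 34" posts once in a three-member channel: the log stores three copies.
SAMPLE_JSONL = """
{"ts": "2021-12-11T08:48:06.821161", "from": "Actor 34@q3mcco35auwcstmt.onion", "to": "Actor 77@q3mcco35auwcstmt.onion", "body": "hello guys"}
{"ts": "2021-12-11T08:48:06.821161", "from": "Actor 34@q3mcco35auwcstmt.onion", "to": "Actor 12@q3mcco35auwcstmt.onion", "body": "hello guys"}
{"ts": "2021-12-11T08:48:06.821161", "from": "Actor 34@q3mcco35auwcstmt.onion", "to": "Actor 9@q3mcco35auwcstmt.onion", "body": "hello guys"}
{"ts": "2021-12-11T08:50:00.000000", "from": "Actor 77@q3mcco35auwcstmt.onion", "to": "Actor 34@q3mcco35auwcstmt.onion", "body": "hi, the loader build is ready"}
{"ts": "2021-12-11T09:01:30.000000", "from": "Actor 34@q3mcco35auwcstmt.onion", "to": "Actor 77@q3mcco35auwcstmt.onion", "body": "ok, send the report"}
"""


def load_records(text):
    """Parse one JSON object per line (adapt if a file ships as a single JSON array)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_id(address):
    """'Actor 34@q3mcco35auwcstmt.onion' -> 'Actor 34'; the Jabber domain carries no signal."""
    return address.split("@", 1)[0]


def dedupe_broadcasts(records):
    """Keep a single copy of a channel post that the log repeated once per recipient."""
    seen = set()
    unique = []
    for rec in records:
        key = (rec["ts"], rec["from"], rec["body"])   # the 'to' field is what differs
        if key in seen:
            continue
        seen.add(key)
        unique.append(rec)
    return unique


def aggregate_by_actor(records):
    """Map each sender to the list of messages they actually posted."""
    corpus = defaultdict(list)
    for rec in records:
        corpus[actor_id(rec["from"])].append(rec["body"])
    return dict(corpus)


def summarize(corpus):
    """Per-actor message and raw word counts, the shape of Table 1."""
    return {actor: {"messages": len(msgs), "words": sum(len(m.split()) for m in msgs)}
            for actor, msgs in corpus.items()}


if __name__ == "__main__":
    records = load_records(SAMPLE_JSONL)
    unique = dedupe_broadcasts(records)
    print(f"{len(records)} records -> {len(unique)} unique messages")
    for actor, stats in summarize(aggregate_by_actor(unique)).items():
        print(actor, stats)
```

Keying the duplicate check on (ts, from, body) rather than on body alone matters: the same short message (“ok”, “hello”) is legitimately sent many times over 20 months, and collapsing on body alone would erase real activity.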

Natural language processing (NLP)

To clean the chats, we used Natural Language Processing (NLP). NLP is a subfield of artificial intelligence that focuses on allowing a machine to understand natural language, that is, human language (Chowdhary, 2020; Raina and Krishnamurthy, 2022). Basically, NLP teaches a machine to learn, understand, and derive meaning from a language. It uses various algorithms to learn and follow grammatical rules, which are then used to derive meaning from words and sentences (Chowdhary, 2020; Raina and Krishnamurthy, 2022). Some of the most commonly used techniques are stemming (reducing words to their lexical root), lemmatization (converting a word into its canonical form), and tokenization (dividing the text into meaningful pieces). NLP is used in a myriad of fields such as biology (Ofer et al., 2021), translation (Zong and Hong, 2018), business intelligence (Vashisht and Dharia, 2020) and psychology (Andrew Stephen Henning, 2017), to name a few.

Using NLP algorithms, we cleaned the chat logs, keeping only relevant words such as “hack”, “pay” or “malware”. To do so, we first normalized the text, changing all words to lowercase. Second, we removed all irrelevant material, such as stop words, punctuation, and HTML links. Stop words are commonly used words that are not essential to the context or meaning of a sentence: “I”, “is”, “the”, “you”. Third, we tokenized the text, which consists of dividing it into meaningful pieces or elements for the algorithm; the message “I like blue birds” then became “[like; blue; birds]”. Fourth, we lemmatized the text, which converts each word into its “canonical form”: “codes” became “code” and “talked” became “talk”. In other words, third-person singular verb forms such as “talks” were reduced to their base form, and verbs in the past and future tenses were reduced to the present tense.

This process revealed that some actors stood out for the small size of their corpus compared to others. Some had more than 4,000 words, whereas others had only ten relevant words, or even two, after processing. For the algorithm (presented below) to capture the meaning of an actor’s discussions, that actor has to have a substantial number of messages. Hence, we removed actors whose corpus contained fewer than 100 words, reducing the number of actors in the analysis to 137, each with a corpus of at least 100 relevant words. Descriptive statistics on the final sample of 137 actors are presented in Table 3 below.
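The four cleaning steps above, followed by the 100-word cutoff, can be implemented as below. This is an added example, not the paper’s own code. The paper does not name its NLP library or stop-word list, so STOP_WORDS is a short constructed list, and lemmatize() is a crude rule-based suffix stripper standing in for a real lemmatizer (such as the WordNet lemmatizer in NLTK or spaCy); it is enough to reproduce the paper’s own examples (“codes” to “code”, “talked” to “talk”). The tokenizer deliberately keeps a leading dot and underscores so that tokens like “.exe” and “protonmail_com”, which the paper reports among the topic words, survive.

```python
"""Clean per-actor corpora: normalize, strip URLs/punctuation/stop words,
tokenize, lemmatize, then drop actors with fewer than min_words tokens.

Added example, not the paper's code. STOP_WORDS and lemmatize() are
simplified stand-ins for whatever NLP library the authors used.
"""
import re

# Constructed stop-word list (the paper gives only "I", "is", "the", "you" as examples).
STOP_WORDS = {
    "i", "me", "my", "we", "you", "he", "she", "it", "they", "the", "a", "an",
    "is", "are", "was", "were", "be", "been", "and", "or", "but", "of", "to",
    "in", "on", "at", "for", "with", "about", "this", "that", "these", "those",
    "do", "does", "did", "not", "no", "yes", "so", "if", "then", "as", "by",
    "from", "up", "will", "can", "what", "who", "how",
}

URL_RE = re.compile(r"(?:https?://|www\.)\S+")
# Letters, digits, underscores, plus an optional leading dot so ".exe" is kept;
# everything else (punctuation) is dropped by not being matched.
TOKEN_RE = re.compile(r"\.?[a-z][a-z0-9_]*")


def lemmatize(token):
    """Reduce common English inflections to a base form (rule-based stand-in)."""
    if "_" in token or token.startswith("."):
        return token                        # extensions / mangled domains stay as-is
    if len(token) > 4 and token.endswith("ies"):
        return token[:-3] + "y"             # policies -> policy
    if len(token) > 4 and token.endswith(("sses", "shes", "xes")):
        return token[:-2]                   # processes -> process, crashes -> crash
    if len(token) > 6 and token.endswith("ing"):
        return token[:-3]                   # hollowing -> hollow
    if len(token) > 5 and token.endswith("ed"):
        return token[:-2]                   # talked -> talk
    if len(token) > 3 and token.endswith("s") and not token.endswith(("ss", "us", "is")):
        return token[:-1]                   # codes -> code, birds -> bird, windows -> window
    return token


def clean_message(text):
    """lowercase -> remove links -> tokenize (drops punctuation) -> drop stop words -> lemmatize."""
    text = URL_RE.sub(" ", text.lower())
    return [lemmatize(tok) for tok in TOKEN_RE.findall(text) if tok not in STOP_WORDS]


def build_corpora(messages_by_actor, min_words=100):
    """Token corpus per actor, keeping only actors with at least min_words relevant words."""
    corpora = {}
    for actor, messages in messages_by_actor.items():
        tokens = [tok for msg in messages for tok in clean_message(msg)]
        if len(tokens) >= min_words:
            corpora[actor] = tokens
    return corpora


if __name__ == "__main__":
    # Constructed messages, not leaked content.
    sample = {
        "Actor A": ["I like blue birds", "The codes I talked about: https://example.onion/x and loader.exe"],
        "Actor B": ["hi"],
    }
    for actor, msgs in sample.items():
        print(actor, [clean_message(m) for m in msgs])
    print("kept with min_words=4:", sorted(build_corpora(sample, min_words=4)))
```

Two practical caveats: a suffix stripper will mangle some words (it is a stemmer in disguise), so for real work substitute a dictionary-based lemmatizer; and because the chats are machine-translated from Russian, translation artifacts (such as “pour” for launch/inject, noted later in the paper) survive cleaning and must be read in context when interpreting topics.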

Table 3 Post processing descriptive statistic

Latent Dirichlet allocation (LDA)

To find the discussion topics of Conti members (Footnote 3), we fitted Latent Dirichlet Allocation (LDA) topic models on the actors’ corpora. LDA is a topic modeling method based on a generative probabilistic model of text corpora, widely used with NLP to uncover topics in unordered collections of documents (Blei et al., 2003). The basic idea behind LDA is that each document is represented as a finite mixture of latent topics, and each topic is characterized by its own distribution over words. LDA thus extracts the latent topics from a corpus of documents and simultaneously assigns a probabilistic mixture of these topics to each document; the topic probabilities provide an explicit representation of the document. Topic models are applied in various fields, including political science (Zhou and Na, 2019), medicine (Wu et al., 2011) and cybersecurity (Kolini and Janczewski, 2017).

The LDA model was implemented with MALLET 2.0.8 (MALLET, 2018) through the gensim wrapper (Gensim, 2023). To select the best model, we combined the traditional coherence score with heuristic interpretation of the main topics discussed in each cluster. The coherence score helps distinguish semantically interpretable topics from topics that are mere artifacts of statistical inference. It ranges from zero to one, and the higher the score, the better the model should be. Note that LDA is fitted by a stochastic sampler, so the score obtained for a given number of topics varies somewhat between runs.

The resulting clusters were evaluated through visualizations: word clouds (to show the most important words of each topic) and a semantic space produced with pyLDAvis (pyLDAvis, 2018). In the latter, the clusters are plotted in a space where two words from the same lexical field, or synonyms, are correlated and thus “close” to each other. The larger a topic cluster, the more conversations actors had about that topic. The farther apart the clusters (and thus their words), the more distinct their vocabularies; overlapping clusters share vocabulary. A model with no overlapping clusters was therefore considered good. The model selected had the highest coherence score and the best visual representation, with clusters far apart.

After training models with different numbers of topics (k), examining their coherence scores, as shown in Fig. 1, and inspecting the resulting clusters (with word clouds and the semantic-space representation of the topics), the most promising model was the one with k = 5 topics.

Fig. 1
figure 1

Coherence score per number of topics k

Topic distribution

The five topics span each actor’s corpus with different weights, since each actor is represented as a mixture of the five topics: topic 1 may represent 100% of Actor A’s corpus but only 60% of Actor B’s. For example, Table 4 shows how the five topics are distributed in Actor 112’s corpus and in Actor 83’s corpus. In this example, Actor 112’s discussions revolve clearly around topic 1, whereas Actor 83’s discussions revolve around all five topics.

Table 4 LDA representation explained
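To make the LDA subsection and the per-actor topic distributions concrete, here is a self-contained topic-modelling run: fit LDA for several k, score each with a coherence measure, and read the per-actor mixtures (theta) to find the dominant topic and the actors whose corpus is at least 95% one topic, the rule the Results use for “specialized” actors. This is an added example and not the paper’s code: the paper used MALLET 2.0.8 via gensim, whereas this block uses a pure-Python collapsed Gibbs sampler (Griffiths and Steyvers, 2004) and the UMass coherence measure (Mimno et al., 2011), which, unlike the 0-to-1 score the paper reports, is a sum of log co-occurrence ratios and is usually negative (higher is still better). SAMPLE_DOCS are constructed token lists, not leaked content, and the alpha/beta/iteration values are assumptions.

```python
"""Topic modelling of per-actor token corpora with a pure-Python LDA.

Added example, not the paper's code (the paper used MALLET through gensim).
Collapsed Gibbs sampling + UMass coherence, standard library only.
"""
import math
import random

# Constructed per-actor token lists (not leaked content): three "management"
# actors, three "malware" actors and one mixed actor.
SAMPLE_DOCS = [
    ["salary", "team", "month", "pay", "supervisor"] * 4,
    ["salary", "month", "team", "card", "pay"] * 4,
    ["team", "supervisor", "salary", "pay", "month"] * 4,
    ["loader", "dll", "crypt", "detect", "rundll32"] * 4,
    ["dll", "loader", "detect", "crypt", "pour"] * 4,
    ["crypt", "loader", "rundll32", "dll", "detect"] * 4,
    ["salary", "team", "loader", "dll", "pay", "crypt"] * 3,
]


def build_vocab(docs):
    """Sorted vocabulary and word -> index map over a list of token lists."""
    vocab = sorted({w for doc in docs for w in doc})
    return vocab, {w: i for i, w in enumerate(vocab)}


def train_lda(docs, k, alpha=0.1, beta=0.01, iters=200, seed=0):
    """Fit LDA with k topics by collapsed Gibbs sampling.

    Returns theta (topic mixture per document, i.e. per actor) and phi
    (word distribution per topic). The sampler is stochastic: a fixed seed
    makes a run reproducible, not unique.
    """
    rng = random.Random(seed)
    vocab, index = build_vocab(docs)
    v = len(vocab)
    corpus = [[index[w] for w in doc] for doc in docs]
    ndk = [[0] * k for _ in corpus]      # document x topic counts
    nkw = [[0] * v for _ in range(k)]    # topic x word counts
    nk = [0] * k                         # tokens per topic
    z = []                               # topic assignment per token
    for d, doc in enumerate(corpus):
        zd = []
        for w in doc:
            t = rng.randrange(k)
            zd.append(t)
            ndk[d][t] += 1; nkw[t][w] += 1; nk[t] += 1
        z.append(zd)
    for _ in range(iters):
        for d, doc in enumerate(corpus):
            for i, w in enumerate(doc):
                t = z[d][i]
                ndk[d][t] -= 1; nkw[t][w] -= 1; nk[t] -= 1
                # P(topic j | rest) is proportional to (n_dj + alpha) * (n_jw + beta) / (n_j + V*beta)
                weights = [(ndk[d][j] + alpha) * (nkw[j][w] + beta) / (nk[j] + v * beta)
                           for j in range(k)]
                t = rng.choices(range(k), weights=weights)[0]
                z[d][i] = t
                ndk[d][t] += 1; nkw[t][w] += 1; nk[t] += 1
    theta = [[(ndk[d][j] + alpha) / (len(corpus[d]) + k * alpha) for j in range(k)]
             for d in range(len(corpus))]
    phi = [[(nkw[j][w] + beta) / (nk[j] + v * beta) for w in range(v)] for j in range(k)]
    return {"vocab": vocab, "theta": theta, "phi": phi}


def top_words(model, topic, n=5):
    """The n most probable words of a topic (what a word cloud would show)."""
    phi = model["phi"][topic]
    return [model["vocab"][w] for w in sorted(range(len(phi)), key=lambda w: -phi[w])[:n]]


def umass_coherence(model, docs, n=5):
    """Mean UMass coherence over topics: sum over top-word pairs of log((D(wi,wj)+1)/D(wj))."""
    doc_sets = [set(doc) for doc in docs]

    def df(*words):
        return sum(1 for s in doc_sets if all(w in s for w in words))

    total = 0.0
    for t in range(len(model["phi"])):
        words = top_words(model, t, n)
        for i in range(1, len(words)):
            for j in range(i):
                total += math.log((df(words[i], words[j]) + 1) / df(words[j]))
    return total / len(model["phi"])


def select_k(docs, candidates, **kwargs):
    """Coherence per candidate k (the curve of Fig. 1) and the best-scoring k."""
    scores = {k: umass_coherence(train_lda(docs, k, **kwargs), docs) for k in candidates}
    return scores, max(scores, key=scores.get)


def dominant_topic(dist):
    """Index of the topic with the largest share of an actor's corpus."""
    return max(range(len(dist)), key=lambda j: dist[j])


def specialists(theta, threshold=0.95):
    """Actors (document indices) whose dominant topic reaches `threshold` of their corpus."""
    return [d for d, dist in enumerate(theta) if max(dist) >= threshold]


if __name__ == "__main__":
    scores, best_k = select_k(SAMPLE_DOCS, [2, 3, 4], iters=100, seed=1)
    print("coherence per k:", {k: round(s, 3) for k, s in scores.items()}, "-> best k =", best_k)
    model = train_lda(SAMPLE_DOCS, best_k, iters=100, seed=1)
    for t in range(best_k):
        print(f"topic {t}: {top_words(model, t)}")
    for d, dist in enumerate(model["theta"]):
        print(f"actor {d}: dominant topic {dominant_topic(dist)}, shares {[round(p, 2) for p in dist]}")
    print("specialists (>= 95% on one topic):", specialists(model["theta"]))
```

Coherence alone does not pick k: as the paper does, inspect the top words of each topic for every candidate, and re-run with a few seeds before trusting a small difference between two values of k.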

Topic interpretation

The LDA model gives topics that are composed of a word list, often appearing together within chats. It is the researcher’s role to make sense of these topics by giving them a theme or a name based on what they are made of. To do so, we went over the words in the five clusters, interpreting their meaning. We also took the main actors in each cluster (those whose corpus was mainly related to a topic) and read their discussions to have contextual information around the words. The interpretation of the topics is presented below, along with how the topics are distributed among actors.

Comparing the study results

Finally, to compare the results of the study with external sources, we went through summaries of qualitative analyses conducted by security researchers. We found four relevant blog articles, by CheckPoint (CheckPoint Research, 2022), KrebsOnSecurity (Krebs, 2022), Cyberint (Shriebman, 2022) and Trellix (Fokker and Tologonov, 2022), that analyzed the Conti chat logs qualitatively to paint a picture of the organization. Each article attempts to uncover the roles and importance of members, describing a few actors identified as key. From these documents, we extracted the roles attributed to those well-known actors and compared them with the topic distributions found in this study.

Ethical considerations

The study has been approved by the ethics committee at the University of Montreal (project N.2023-4659) under minimal risks. The study required asking for a waiver of consent in line with Article 5.5A of the Canadian Tri-Council Policy Statement on Research Ethics. To ensure participants’ confidentiality and privacy, the real pseudonyms of the actors are not displayed throughout the text.

Results

The best model included five topics encompassing the actors’ discussions. The interpretation of the topics is presented below, followed by how they are distributed among the actors’ corpora. We then compare the results of this study with previous qualitative research on the roles of some of these actors.

From business to tech topics

The five topics that span the actors’ corpora are: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem Solving. Each topic is accompanied by an excerpt from the corpus of an actor whose main topic is the one being presented (Footnote 4).

Business topic The first topic encompassed discussions about planning and internal tasking within a project. Actor 118, Actor 112 and Actor 23 were often quoted within chats to repeat what they had said or ordered. The topic included words like build, office, task, and report, referring to some form of task management. Words like system, hacker, coder, and software were also included, referring to employees and their work tools. Actors with the first topic as their dominant topic could be seen as “higher-ups” or as participating in the management activities of the Conti organization.

Here is an excerpt of a discussion from Actor 118, whose main topic is Business: “This is an important task, then let’s build a system for it [...]. I suggest that you allocate people and build a system that will analyze and report information from these office-based documents, [...] prepare reports by sector, the main department will prepare attacks [...].”

Technical topic The second topic revolved around technical talk and the development of technical projects. The vocabulary of this topic was very much focused on computer science, including words like version, command, module, program, function, system, window. Other words were even more specific and denoted an attack vector or part of one: script, loader, backdoor and .exe. Actors leaning toward this topic could be taking part in delivering attacks. Here are excerpts from the corpora of Actors 86 and 54, whose main topic is the Technical topic: “When an error occurs during process hollowing creation, do you send an error code to the server? [...]” and “I tried to shift the .exe file image in the process address space (i.e. to modify the process hollowing) and to write it to an arbitrary address, but this didn’t work.”

Internal tasking/management topic The third topic was the only one without any computer science or technical words. Its core was human resources, management, and salaries. The topic included words like salary, people, money, email, network, talk, team, buy, month, touch, company, blog and offer. The words onion and protonmail_com were also present; both are domains used to communicate or to add actors to different channels. Actors with a high share of this topic may have been involved in human resources, internal tasking and management tasks.

Here is an example of a discussion from Actor 124’s corpus, whose main topic is Internal tasking/Management: “I’ll help you when you get your salary. Add to your contacts Actor 101, this is your team leader. [...] salary pay 2 times a month to your bank card. [...] workday 10-11 to 7:20 p.m, but it’s best to discuss this with your supervisor [...].”

Malware topic The fourth topic was directed toward one type of attack vector: malware and/or ransomware. Many of the words making up this topic alluded to the injection or deployment of the malware as well as to stratagems for avoiding detection: DLL (which we read as a reference to DLL hijacking, although in the excerpt below it denotes a loader DLL executed through rundll32), detect, crypto, crypt, loader and pour (a term used as a synonym of launch/inject). An actor with the fourth topic as its main topic was likely taking part in the development of malware as an attack vector.

Here are excerpts from the corpora of Actors 11 and 85, whose main topic is Malware: “As long as it is through rundll32 and dll pathmake [...] with pdf icon. [...] I’ve run a new version of loader [...]” and “Don’t crypt [encrypt files] if you’re going to, I’ll be pouring in new files soon.”

Customer service/problem-solving topic The fifth and last topic was less sharply defined and combined two subtopics. The first revolved around customer service, with words like order, payment, client and receive. The second related to what appeared to be attack assistance or problem-solving, with words like log (i.e., a record of events), error, module, proxy and IP. Actors with this topic as their main topic would be those who solved problems while also dealing with clients.

Here is a quote from Actor 36’s corpus, whose main topic is Customer Service/Problem-solving: “if a lib [library] crashes, it means the client [affiliates] isn’t sending what the lib is expecting [...] so the http parser crashes. You should give specifications to those who write to clients, what this lib can and cannot do. This is an industrial solution... and a lot of people use it.”

Multifaceted discussions of conti actors

Figure 2 displays the distribution of topics for each actor as a stacked bar graph. The colored brackets roughly mark where a topic is highly prevalent across the actors’ corpora. The figure shows that only a small number of actors (including Actor 112, Actor 118, Actor 86, Actor 94, Actor 11, Actor 85, Actor 126, and Actor 71) have discussions centered on a single topic. For these actors, the stacked bar is almost monochrome, meaning that their discussions were almost entirely focused on one topic. Conversely, the stacked bars of the remaining actors are a mixture of several topics, illustrating the diverse, all-rounder discussions that most actors had.

Fig. 2
figure 2

Topic distribution per actor

Figure 2 also shows that the Business [red] and Malware [green] topics are the rarest in members’ discussions. Moreover, the number of actors whose corpus specializes in one of these two topics is small: Actor 112 and Actor 118 for the Business topic, and Actor 11 and Actor 85 for the Malware topic.

Similarly, the Customer Service/Problem Solving [light blue] and Technical [dark blue] topics are spread among actors, with only a few having their discussions centered specifically on one of these two topics.

On the other hand, the Internal tasking/Management topic [pink] is widely spread among actors. It is present in almost every actor’s corpus and accounts for a moderate to high share of actors’ discussions. Like the Business topic, it is not technical; it covers human resources, management, and salaries. This result illustrates the heavy non-technical side of RaaS operations, which appears to have taken up time and effort for a large proportion of Conti actors.

Finally, out of 137 actors, six had specialized discussions, with at least 95% of their corpus revolving around a single topic. Table 5 lists the six actors and the topic they specialized in. In short, the discussions of Actor 118 and Actor 112 were mainly about Business, Actor 11 focused on Malware, Actor 86 on Technical, and Actor 126 and Actor 71 on Customer Service/Problem Solving.

Table 5 Specialized actors with percentage of dominant topic in their corpus

All in all, only 6 of the 137 studied actors (4.38%) were specialized in a single topic, whereas 131 (95.62%) were all-rounders, with a corpus of discussions revolving around the five topics.

Topic distribution of well-known actors

This section compares the results obtained with machine learning to the results that external sources obtained by humans reading the chat logs, in order to assess whether the model’s output is coherent with human judgment.

To do so, we went through previously published blogs in which the Conti chats were analyzed qualitatively and extracted the role of well-known actors according to those sources. Table 6 presents the role assigned to well-known actors by external researchers alongside their topic distribution according to this analysis. To facilitate the comparison, we focus on each actor’s dominant topic, meaning the topic with the highest percentage in the actor’s corpus.

As shown in Table 6, the two actors with their dominant topic being Business are Actor 112 and Actor 118. They were both interpreted as being the organization bosses in other blogs. Hence, talking about business is related to being at a high level in the organization.

Three individuals (Actor 55, Actor 65, and Actor 94) were interpreted as either penetration testers, coders, or hackers by previous researchers. In our study, their dominant topic was the Technical topic, which relates to coding, testing, and hacking. Our results are thus consistent with previous research.

Five actors were interpreted as managers with various specializations (see Table 6) in previous analyses. In our analysis, the dominant topic of these actors was Internal Tasking and Management. This result is also consistent as it shows how managers, regardless of their specialization, are involved in internal and management tasks.

On the other hand, three actors (Actor 85, Actor 132, and Actor 11) were interpreted as managers of technical teams in previous external analyses, while in our analysis Malware is their dominant topic. These managers may thus have been hands-on, technical managers. Note that Actor 132 and Actor 85 are paired in this table because they were reported to be the same person using two different pseudonyms (CheckPoint Research, 2022).

Finally, two actors (Actor 23 and Actor 36) had as a dominant topic Customer-Service/Problem Solving. One was interpreted as a technical manager responsible for coders in other blogs. The other was interpreted as a manager/Chief operating officer. These two roles align with having a high prevalence of Customer Service/Problem-Solving topics.

While our results align with those from external sources, there are also some discrepancies. For instance, as shown in Table 6, a Conti Chief Operating Officer’s (COO) focus appears to be primarily on customer service and problem solving (Actor 36). However, this COO was also classified as a “manager” by another source, showing discrepancies in role assignments between external sources. This is because assigning roles to individuals based on their conversations might not be perfectly accurate: the discussion topics an individual engages in depend on the individual’s role but also on the individual’s interests, skills, and the context in which the discussion takes place. The algorithm, on the other hand, produced a summary of the topics (most frequently co-occurring words) of actors’ discussions, regardless of their roles. Further research could combine both methods to provide a more comprehensive link between roles and discussion topics.

Table 6 Roles of well-known actors and their topic distribution

Discussion

The results obtained are in line with large cybercrime organizations being organized similarly to firms (Lusthaus, 2018). This is highlighted by the three discussion points below: (1) the importance of non-tech talks, (2) culprit of specialization, yet diverse discussions, (3) higher-ups are business-focused. The study results also corroborate key findings highlighted in previous qualitative research on the Conti RaaS operator (Fokker and Tologonov, 2022; Cimpanu, 2020; CheckPoint Research, 2022; Krebs, 2022; Kovacs, 2022).

However, note that the Conti RaaS operator is one of the biggest RaaS operators and thus this finding may, in fact, be an outlier. Whether a RaaS operator becomes organized in this way probably depends on its size and scope as well as its success. Where members of a RaaS operator are located may also have an impact on its structure, as places where the risk of arrest is low may facilitate the development of structured criminal organizations (Lusthaus, 2018; Lusthaus and Varese, 2021). Further research should investigate other cybercrime organizations to see what influences their structure.

The importance of non-tech talks

The results of the study illustrate that a large proportion of discussions are non-technical and that such discussion topics span almost all Conti members. Non-tech talks encompass the Business and Internal tasking/Management topics, while focused tech talks encompass the Malware and Technical topics. The fifth topic, Customer Service/Problem Solving, includes both. Merging non-tech talks and tech talks shows that, on average, 44.2% (std=21.9) of an actor’s corpus involved non-tech talks, while 31.8% (std=23.0) involved tech talks. The Customer Service/Problem Solving topic formed, on average, 24% (std=17.6) of an actor’s corpus. These results show that Conti’s daily operations required a great deal of organization beyond writing malicious code to compromise networks.

Culprit of specialization, yet diverse discussions

The results of the study also highlight that only a few members have a corpus that mainly represents a single topic. Most actors in the dataset, on the other hand, were diverse in their discussion topics: they mixed Customer Service/Problem Solving with Internal tasking/Management as well as Business, Technical and Malware discussions. Hence, Conti’s staff needed to work across multiple fields and have expertise in various areas. Moreover, as shown in Table 6, some of Conti’s managers discussed Customer Service/Problem Solving while others were more specialized, discussing Technical or Malware topics more. Hence, some managers no longer talked as much about technical subjects, focusing instead on managing their team and dealing with customers. These different management roles were also noted in another blog (CheckPoint Research, 2022). Hence, although such a RaaS operator represents the culprit of specialization in the cybercrime industry (Salvi, 2019; Meland et al., 2020; Maurya et al., 2018; Alwashali et al., 2021), the bulk of its members appeared to have non-tech and diverse discussions; such discussions are likely required to coordinate the economic activities of a large criminal organization.
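To make the definitions used above concrete (the dominant topic as the topic with the highest share of an actor’s corpus, the split of the five topics into non-tech talks, tech talks and Customer Service/Problem Solving, and the mean and standard deviation of those shares across actors), the following Python script is an added example written for this page; it is not code from the paper or its authors. The per-actor percentages are constructed, the 80% cutoff used to call an actor “specialized” and the choice of the population standard deviation are assumptions, and the script rejects any distribution that is missing a topic or does not sum to about 100%, which is a sanity check worth running on LDA output before aggregating it.

```python
from statistics import mean, pstdev

# The five topics the paper reports for the Conti chat corpus.
TOPICS = (
    "Business",
    "Technical",
    "Internal tasking/Management",
    "Malware",
    "Customer Service/Problem Solving",
)

# Grouping used in the Discussion: Business and Internal tasking/Management are
# non-tech talks, Technical and Malware are tech talks, and the fifth topic is
# kept on its own because the paper states it contains both kinds.
GROUPS = {
    "non_tech": {"Business", "Internal tasking/Management"},
    "tech": {"Technical", "Malware"},
    "customer_service": {"Customer Service/Problem Solving"},
}

# Constructed sample of per-actor topic shares (percent of the actor's corpus).
# These numbers are made up for illustration; they are not the paper's data.
SAMPLE_ACTORS = {
    "actor_A": {"Business": 99.0, "Technical": 0.5, "Internal tasking/Management": 0.2,
                "Malware": 0.1, "Customer Service/Problem Solving": 0.2},
    "actor_B": {"Business": 20.0, "Technical": 30.0, "Internal tasking/Management": 25.0,
                "Malware": 10.0, "Customer Service/Problem Solving": 15.0},
    "actor_C": {"Business": 5.0, "Technical": 10.0, "Internal tasking/Management": 15.0,
                "Malware": 60.0, "Customer Service/Problem Solving": 10.0},
    "actor_D": {"Business": 10.0, "Technical": 10.0, "Internal tasking/Management": 20.0,
                "Malware": 10.0, "Customer Service/Problem Solving": 50.0},
}


def validate(dist, tolerance=0.5):
    """Reject a distribution that is missing a topic or does not sum to ~100%."""
    missing = set(TOPICS) - set(dist)
    if missing:
        raise ValueError(f"missing topics: {sorted(missing)}")
    total = sum(dist[t] for t in TOPICS)
    if abs(total - 100.0) > tolerance:
        raise ValueError(f"topic shares sum to {total:.2f}, expected about 100")
    return True


def dominant_topic(dist):
    """The topic with the highest share, as the paper defines 'dominant topic'."""
    validate(dist)
    return max(TOPICS, key=lambda t: dist[t])


def is_specialized(dist, threshold=80.0):
    """Treat an actor as specialized when one topic reaches `threshold` percent.

    The 80% cutoff is an assumption made for this example, not a value from the paper.
    """
    validate(dist)
    return dist[dominant_topic(dist)] >= threshold


def group_shares(dist):
    """Collapse the five topics into the three groups used in the Discussion."""
    validate(dist)
    return {name: sum(dist[t] for t in topics) for name, topics in GROUPS.items()}


def summarize(actors, threshold=80.0):
    """Per-actor dominant topics plus corpus-wide mean and std of each group share."""
    dominant = {a: dominant_topic(d) for a, d in actors.items()}
    specialized = sorted(a for a, d in actors.items() if is_specialized(d, threshold))
    per_actor = [group_shares(d) for d in actors.values()]
    groups = {
        name: {
            "mean": round(mean(s[name] for s in per_actor), 2),
            # Population std is an assumption; the paper does not say which it used.
            "std": round(pstdev(s[name] for s in per_actor), 2),
        }
        for name in GROUPS
    }
    return {
        "dominant": dominant,
        "specialized": specialized,
        "specialized_fraction": len(specialized) / len(actors),
        "groups": groups,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ACTORS)
    for actor, topic in result["dominant"].items():
        print(f"{actor}: dominant topic = {topic}")
    print("specialized actors:", result["specialized"])
    for name, stats in result["groups"].items():
        print(f"{name}: mean={stats['mean']}%  std={stats['std']}")
```

On the constructed sample, only actor_A (99% Business) is flagged as specialized; the other three are all-rounders in the sense the paper uses, and the group means necessarily sum to 100% because each actor’s shares do.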

Higher-ups are business-focused

According to previous blogs (CheckPoint Research, 2022; Krebs, 2022), Conti higher-ups were always trying to find new ways to expand the firm’s operations and generate more profit. Some of them even followed corporate tradition and held yearly performance reviews, discussing employees’ efficiency and deliberating on the employee of the month. Two actors’ discussions revolved almost solely around the Business topic: Actor 112 and Actor 118. As shown in Table 6, Actor 112 and Actor 118 were identified as “Big Boss” and “Effective head of office operations”, and 99% of both their discussions revolved around the Business topic. This finding supports the claim that Conti was indeed an organized firm with leaders constantly seeking fresh approaches to grow the company’s activities and generate greater profits.

Study limitations and future research

A first limitation of this study lies in the dataset, as only the Jabber chat logs were used while the whole leak also included the Rocket.Chat logs. To build on this limit, further studies could use the Rocket.Chat logs or combine them with the Jabber ones to investigate whether the findings of this study hold on this additional corpus. Moreover, the original messages were written in Russian, and consequently the translations carried out were likely limited by the use of Russian slang or abbreviations. Part of the meaning or nuance of a sentence may have been altered or lost in translation. Interpretation and reuse of the results must take this limit into account. Consequently, it would also be interesting to carry out this research using the original chat logs in Russian. The use of the original chat logs would preserve all the meaning present in the data and could provide additional material and nuance to the results.

Another limitation lies in the interpretation of the results. This study did not consider the size of the corpus, the timeline of the chats, nor the “member status” of the individuals. First, the corpus size may influence the topic distribution, as individuals who discuss more may be more inclined to have generalist talks. Further studies should investigate how corpus size influences the types of discussions in which individuals engage. Second, actors’ experience in the organization was also not considered, limiting the interpretation of the results. For example, individuals who had just arrived in the organization may have been more involved in specific discussion topics, such as human resources, due to their newcomer status. A more qualitative study focusing on the timeline of each actor could dive deeper into the data and analyze how an actor changes over time. Third, this research does not consider the official status of the studied actors. Some actors are official members whereas others could be affiliates or even customers. Further studies should look at whether topic distributions vary when the status of the actors studied is taken into account.

A final limitation lies in the use of LDA models: such a model cannot capture contextual information, as it only considers the frequency of words in a corpus. To overcome this, the conversations of actors having a specific topic as their dominant one were read and interpreted, thus providing contextual information around that topic. Further studies could deepen this analysis by conducting a qualitative thematic analysis of the conversations and comparing the results with those of this study.

Conclusion

Leveraging the Conti chat leaks, this study uses machine learning algorithms to uncover insights into the organization of the Conti RaaS operator. The study shows that the discussions of the large RaaS operator Conti revolved around five topics: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem Solving. Moreover, the topic distribution illustrates that only a few actors had specialized discussions in one topic, while the rest were all-rounders. The results corroborate that large cybercrime organizations are organized similarly to firms (Lusthaus, 2018). This is highlighted by the importance of non-tech talks in the chats, the diverse discussion topics (although the organization represents the culprit of specialization), the varied management styles of actors, and how higher-ups, and specifically the two bosses, were business-focused in their discussions. Finally, this study illustrates how to automatically extract actionable information on the organization of a sophisticated cybercrime organization.

Availability of data and materials

The data used in this paper can be found here: https://github.com/TheParmak/conti-leaks-englished

Notes

  1. conti leaks [@ContLeaks]. Tweets [Twitter profile]. Twitter. February 2022. https://x.com/contileaks?

  2. However, note that there is an absence of data from November 16, 2020, to January 29, 2021. Other sources also show a lack of data over the same period of time (Northwave Security, 2022; vx-underground, n.d.). One possibility is that the user behind the data leak may have wanted to purposely omit this data to avoid incrimination or because it contained sensitive data in some way.

  3. For the purpose of this study, we consider Conti members anyone who participated in the chats.

  4. These excerpts are for illustrative purposes only and do not reflect the format of the actor’s corpus provided to the algorithm nor the full range of discussions found within the actor’s corpus.

References

  • Alwashali, A. A. M. A., Abd Rahman, N. A., & Ismail, N. (2021). A survey of ransomware as a service (RaaS) and methods to mitigate the attack. In 2021 14th International Conference on Developments in eSystems Engineering (DeSE), 92–96. ISSN: 2161-1351.

  • Alzahrani, S., Xiao, Y., & Sun, W. (2022). An Analysis of Conti Ransomware Leaked Source Codes. IEEE Access, 10, 100178–100193.

  • Blei, D. M., Ng, A. Y., & Jordan, M. I. (2003). Latent dirichlet allocation. Journal of machine Learning research, 3, 993–1022.

  • Brewer, R. (2016). Ransomware attacks: detection, prevention and cure. Network Security, 2016(9), 5–9.

  • Cimpanu, C. (2020). Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites. ZDNET. https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/.

  • CISA: Cybersecurity and Infrastructure Security Agency. (2024). Official Alerts & Statements. FBI. Retrieved March 22, 2023 from: https://www.cisa.gov/stopransomware/official-alerts-statements-fbi.

  • CISA: Cybersecurity and Infrastructure Security Agency. (2020). Ransomware activity targeting the healthcare and public health sector. FBI. Retrieved March 22, 2023 from: https://www.cisa.gov/stopransomware/ransomware-activity-targeting-healthcare-and-public-health-sector.

  • CheckPoint Research (2022). Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up... Sort of. CheckPoint. Retrieved September 1, 2023 from: https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/.

  • Chowdhary, K. R. (2020). Natural Language Processing. In K. R. Chowdhary (Ed.), Fundamentals of Artificial Intelligence (pp. 603–649). New Delhi: Springer India.

  • Fokker, J., & Tologonov, J. (2022). Conti Leaks: Examining the Panama Papers of Ransomware. Trellix. Retrieved September 1st, 2023 from: https://www.trellix.com/en-ca/blogs/research/conti-leaks-examining-the-panama-papers-of-ransomware/.

  • Gazet, A. (2010). Comparative analysis of various ransomware virii. Journal in Computer Virology, 6(1), 77–90.

  • Gensim (2023). Python framework for fast Vector Space Modelling. Available at: https://pypi.org/project/gensim/.

  • Henning, A. S. (2017). Machine Learning And Natural Language Methods For Detecting Psychopathy In Textual Data.

  • Huang, K., Siegel, M. & Madnick, S. (2018). Systematically Understanding the Cyber Attack Business: A Survey. ACM Computing Surveys, 51(4), 70:1–70:36.

  • Hyslip, T. S. (2020). Cybercrime-as-a-Service Operations. In Thomas J. Holt & Adam M. Bossler (Eds.), The Palgrave Handbook of International Cybercrime and Cyberdeviance (pp. 815–846). Cham: Springer International Publishing.

  • Kalaimannan, E., John, S. K., DuBose, T. & Pinto, A. (2017). Influences on ransomware’s evolution and predictions for the future challenges. Journal of Cyber Security Technology, 1(1), 23–31. https://doi.org/10.1080/23742917.2016.1252191.

  • Kamil, S., Norul H. S. A. S., Firdaus, A. & Usman, O. L. (2022). The Rise of Ransomware: A Review of Attacks, Detection Techniques, and Future Challenges. In 2022 International Conference on Business Analytics for Technology and Security (ICBATS), pages 1–7.

  • Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L. & Kirda, E. (2015). Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In Magnus Almgren, Vincenzo Gulisano, and Federico Maggi, editors, Detection of Intrusions and Malware, and Vulnerability Assessment, Lecture Notes in Computer Science, pages 3–24, Cham. Springer International Publishing.

  • Kirda, E. (2017). UNVEIL: A large-scale, automated approach to detecting ransomware (keynote). In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 1–1.

  • Kok, S., Abdullah, A., Jhanjhi, N. Z. & Supramaniam, M. (2019). Ransomware, Threat and Detection Techniques: A Review.

  • Kolini, F. & Janczewski, L. (2017). Clustering and Topic Modelling: A New Approach for Analysis of National Cyber security Strategies.

  • Kovacs, E. (2022). Conti Ransomware Operation Shut Down After Brand Becomes Toxic, SecurityWeek. Retrieved September 2nd, 2023 from: https://www.securityweek.com/conti-ransomware-operation-shut-down-after-brand-becomes-toxic/.

  • Krebs, B. (2022). Conti Ransomware Group Diaries, Part II: The Office. Krebs on Security. Retrieved September 2, 2023 from: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/.

  • Lee, K., Yim, K. & Seo, J. T. (2018). Ransomware prevention technique using key backup. Concurrency and Computation: Practice and Experience, 30(3), e4337.

  • Leukfeldt, E. R., & Holt, T. J. (2020). Examining the Social Organization Practices of Cybercriminals in the Netherlands Online and Offline. International Journal of Offender Therapy and Comparative Criminology, 64(5), 522–538.

  • Leukfeldt, E. R., Kleemans, E. R., Kruisbergen, E. W. & Roks, R. A. (2019). Criminal networks in a digitised world: on the nexus of borderless opportunities and local embeddedness. Trends in Organized Crime, 22(3), 324–345.

  • Leukfeldt, E. R., Kleemans, E. R. & Stol, W. P. (2017). Origin, growth and criminal capabilities of cybercriminal networks. An international empirical analysis. Crime, Law and Social Change, 67(1), 39–53.

  • Leukfeldt, E. R., Kleemans, E. R. & Stol, W. P. (2017). A typology of cybercriminal networks: from low-tech all-rounders to high-tech specialists. Crime, Law and Social Change, 67(1), 21–37.

  • Leukfeldt, R., Kleemans, E. & Stol, W. (2017). The Use of Online Crime Markets by Cybercriminal Networks: A View From Within. American Behavioral Scientist, 61(11), 1387–1402.

  • Leukfeldt, E. R., Lavorgna, A. & Kleemans, E. R. (2017). Organised Cybercrime or Cybercrime that is Organised? An Assessment of the Conceptualisation of Financial Cybercrime as Organised Crime. European Journal on Criminal Policy and Research, 23(3), 287–300.

  • Leukfeldt, E. R. (2014). Cybercrime and social ties: Phishing in Amsterdam. Trends in Organized Crime.

  • Leukfeldt, E. R., Kleemans, E. R. & Stol, W. P. (2016). Cybercriminal Networks, Social Ties and Online Forums: Social Ties Versus Digital Ties within Phishing and Malware Networks. British Journal of Criminology, page azw009.

  • Lusthaus, J. & Varese, F. (2021). Offline and Local: The Hidden Face of Cybercrime. Policing: A Journal of Policy and Practice, 15(1), 4–14.

  • Lusthaus, J. (2018). Industry of Anonymity: Inside the Business of Cybercrime. Harvard University Press.

  • MALLET (2018). MAchine Learning for LanguagE Toolkit. Available at: https://mallet.cs.umass.edu/download.php.

  • Manky, D. (2013). Cybercrime as a service: a very modern business. Computer Fraud & Security, 2013(6), 9–13.

  • Maurya, A. K., Kumar, N., Agrawal, A. & Khan, P. R. (2018). Ransomware Evolution, Target and Safety Measures. International Journal of Computer Sciences and Engineering, 6, 80–85.

  • Meland, P. H., Bayoumy, Y. F. F., & Sindre, G. (2020). The Ransomware-as-a-Service economy within the darknet. Computers & Security, 92, 101762.

  • NorthwaveSecurity. (2022). NorthwaveSecurity/complete_translation_leaked_chats_conti_ransomware. Github. https://github.com/NorthwaveSecurity/complete_translation_leaked_chats_conti_ransomware.

  • Ofer, D., Brandes, N. & Linial, M. (2021). The language of proteins: NLP, machine learning & protein sequences. Computational and Structural Biotechnology Journal, 19, 1750–1758.

  • Oosthoek, K., Cable, J. & Smaragdakis, G. (2022). A Tale of Two Markets: Investigating the Ransomware Payments Economy, arXiv:2205.05028 [cs].

  • O’Kane, P., Sezer, S. & Carlin, D. (2018). Evolution of ransomware. IET Networks, 7(5), 321–327.

  • Peattie, N. (1995). Approaching zero: The extraordinary underworld of hackers, phreakers, virus writers, and keyboard criminals. Journal of Information Ethics, 4(2), 79.

  • pyLDAvis. (2018). pyLDAvis 2.1.2 documentation. https://pyldavis.readthedocs.io/en/latest/.

  • Raina, V. & Krishnamurthy, S. (2022). Natural Language Processing. In Vineet Raina and Srinath Krishnamurthy, editors, Building an Effective Data Science Practice: A Framework to Bootstrap and Manage a Successful Data Science Practice, pages 63–73. Apress, Berkeley, CA.

  • Reuter, P. (1983). Disorganized Crime: Illegal Markets and the Mafia. Cambridge, MA, USA: Organization Studies series. MIT Press.

  • Richardson, R. & North, M. (2017). Ransomware: Evolution, Mitigation and Prevention. International Management Review.

  • Ryan, M. (2021). Ransomware Revolution: The Rise of a Prodigious Cyber Threat. Advances in Information Security (Vol. 85). Cham: Springer International Publishing.

  • Salvi, HU. (2019). RAAS: Ransomware-as-a-Service. International Journal of Computer Sciences and Engineering, 7(6), 586–590.

  • Scaife, N., Carter, H., Traynor, P. & Butler, K. R. B. (2016). CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. In 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pages 303–312. ISSN: 1063-6927.

  • Shriebman, Y. (2022). To Be CONTInued? Conti Ransomware Heavy Leaks. Cyberint. Retrieved September 3, 2023 from: https://cyberint.com/blog/research/contileaks/.

  • Song, S., Kim, B. & Lee, S. (2016). The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform. Mobile Information Systems, 2016, e2946735.

  • Chainalysis (2023). Ransomware revenue down as more victims refuse to pay.

  • TheParmak (2023). TheParmak/conti-leaks-englished. Github. https://github.com/TheParmak/conti-leaks-englished.

  • Umar, R., Riadi, I. & Kusuma, R. S. (2021). Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method. IJID (International Journal on Informatics for Development), 10(1), 53–61.

  • Vashisht, V. & Dharia, P. (2020). Integrating Chatbot Application with Qlik Sense Business Intelligence (BI) Tool Using Natural Language Processing (NLP). In Devendra Kumar Sharma, Valentina Emilia Balas, Le Hoang Son, Rohit Sharma, and Korhan Cengiz, editors, Micro-Electronics and Telecommunication Engineering, Lecture Notes in Networks and Systems, pages 683–692, Singapore. Springer.

  • vx-underground (n.d.). Conti Leaks. Retrieved May 12, 2023 from: https://share.vx-underground.org/Conti/.

  • Wu, Y., Liu, M., Zheng, W. J., Zhao, Z. & Xu, H. (2011). Ranking gene-drug relationships in biomedical literature using latent dirichlet allocation. In Biocomputing 2012, pages 422–433. WORLD SCIENTIFIC.

  • Zhou, Y., & Na, J-C. (2019). A comparative analysis of Twitter users who Tweeted on psychology and political science journal articles. Online Information Review, 43(7), 1188–1208.

  • Zong, Z. & Hong, C. (2018). On Application of Natural Language Processing in Machine Translation. In 2018 3rd International Conference on Mechanical, Control and Computer Engineering (ICMCCE), pages 506–510.

Acknowledgements

This research was funded by the Human-Centric Cybersecurity Partnership (HC2P). We thank members of the Stratosphere Laboratory and the EconCrime Lab for reviewing previous versions of the article. We also thank Maxime Fuchs for his input during the brainstorm process.

Funding

No outside funding was used to support this research.

Contributions

All authors participated in the writing and approval of the final manuscript.

Corresponding author

Correspondence to Estelle Ruellan.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated in a credit line to the data.

Cite this article

Ruellan, E., Paquet-Clouston, M. & Garcia, S. Conti Inc.: understanding the internal discussions of a large ransomware-as-a-service operator with machine learning. Crime Sci 13, 16 (2024). https://doi.org/10.1186/s40163-024-00212-y

Keywords