Assessing the structure, dynamics, and evolution of ransomware criminal groups: A case study of Conti

• In Event: Various types of cyberfraud

Abstract

Ransomware is widely regarded as one of the most significant cyber threats facing the Asia-Pacific and the West. Highly sophisticated ransomware groups are of particular concern; however, there is very little known about the internal structure and dynamics of these criminal groups. This study aims to establish the internal organisational structure of the Conti ransomware group and how it evolved over the course of its career. It extends earlier studies using leaked chat logs (n=168,740) that have been used to define and assign roles to key individual users and examine communication patterns to gain insights into how Conti coordinated its activities. Roles include those in various leadership positions (team leaders, managers, senior managers, etc.), those in defined teams (e.g., coders, testers, hackers) as well as those in administrative occupations (e.g., human resources). Using social network analysis, this study employed various techniques to reveal how Conti evolved over time. Community detection techniques revealed five subgroups of varying size and composition; the structure and dynamics of each are examined in this paper. Insights for cybercrime scholarship as well as policy and practice are discussed.

Authors

• Chad Whelan, Deakin University

• David Bright, Deakin University

• Callum Jones, Deakin University

• Matthew Roughan, University of Adelaide

• Lewis Mitchell, University of Adelaide