This is how much an average Conti hacking group member makes per month

The average member of the Conti ransomware group earns a salary of $1,800 per month, a figure you might consider low given the criminal gang’s success.

On Wednesday, Secureworks released a set of findings based on the group’s internal chat logs, leaked earlier this month and spun by cybersecurity researchers ever since.

Internal messaging records leaked online after Conti, tracked as Gold Ulrick by Secureworks, declared his public support for the Russian invasion of Ukraine, an ongoing conflict.

Conti is a prolific ransomware group suspected to be of Russian origin that has claimed responsibility for hundreds of victim organizations around the world. The group will infiltrate a network – either independently or by purchasing initial access through underground forums – steal data, encrypt networks and then demand a ransom. Victims who refuse to pay may have their information leaked online.

Conti’s average ransomware claim is around $750,000, but depending on a victim’s size and annual income, blackmail payouts can be much higher, sometimes reaching millions of dollars.

Check Point researchers have already scoured Conti’s chat logs and exposed a rather “mundane” operation, the kind you’d expect from a typical software development firm.

This included a business infrastructure offering desktop, hybrid, or remote work options, performance reviews, bonuses, and a hiring process for coders, testers, system administrators, and HR.

While new members are interviewed, not everyone is made aware that they are applying to work with a crime squad, as some “employee” posts revealed. However, they may be offered wages well above the local average to stay when the truth comes out.

According to Secureworks’ analysis of the logs, containing 160,000 messages exchanged between nearly 500 people between January 2020 and March 2022, there were 81 people involved in payroll, with an average salary of $1,800 per month.


Pay message to group leader Stern (Russian translation)


While the major operators are likely to take a much bigger slice of the pie, the average Russian household is estimated to bring in $540 a month – and so the “salary” offered by cybercrime groups could be a powerful lure. Moreover, with the fall in the value of the ruble due to international sanctions, this could encourage more to enter this market.

Additionally, Secureworks uncovered leaks between Conti’s “designated leader”, nicknamed “Stern”, and other cybercriminal groups.

Stern is a figure described as someone who makes “key organizational decisions, distributes payroll, manages crises and interacts with other threat groups”. The team suspects that they also hold a leadership position in Gold Ulrick (Trickbot/BazarLoader).

Secureworks has also found links to cybercrime groups Gold Crestwood (Emotet), Gold Mystic (LockBit) and Gold Swathmore (IcedID), although this may be for communication and/or collaboration purposes only.

“Discussions reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” the researchers say. “Members of groups previously thought to be distinct frequently collaborated and communicated with members of other threat groups. This interconnectedness shows the motivations and relationships of these groups. It highlights their ingenuity and ability to leverage subject matter expertise within the groups.”

On March 20, an anonymous researcher – believed to be from Ukraine – also released a recent version of the Conti ransomware source code. The package was uploaded to VirusTotal for the benefit of cybersecurity defense teams, but can also be adapted for use by threat actors.

See also

Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0

Comments are closed.