{"title":"Conti Inc.: understanding the internal discussions of a large ransomware-as-a-service operator with machine learning","authors":"Estelle Ruellan, Masarah Paquet-Clouston, Sebastián Garcia","doi":"10.1186/s40163-024-00212-y","DOIUrl":null,"url":null,"abstract":"Ransomware-as-a-service (RaaS) is increasing the scale and complexity of ransomware attacks. Understanding the internal operations behind RaaS has been a challenge due to the illegality of such activities. The recent chat leak of the Conti RaaS operator, one of the most infamous ransomware operators on the international scene, offers a key opportunity to better understand the inner workings of such organizations. This paper analyzes the main discussion topics in the Conti chat leak using machine learning techniques such as Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), as well as visualization strategies. Five discussion topics are found: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem Solving. Moreover, the distribution of topics among Conti members shows that only 4% of individuals have specialized discussions while almost all individuals (96%) are all-rounders, meaning that their discussions revolve around the five topics. The results also indicate that a significant proportion of Conti discussions are non-tech related. This study thus highlights that running such large RaaS operations requires a workforce skilled beyond technical abilities, with individuals involved in various tasks, from management to customer service or problem solving. The discussion topics also show that the organization behind the Conti RaaS operator shares similarities with a large firm. We conclude that, although RaaS represents an example of specialization in the cybercrime industry, only a few members are specialized in one topic, while the rest runs and coordinates the RaaS operation.","PeriodicalId":37844,"journal":{"name":"Crime Science","volume":"45 1","pages":""},"PeriodicalIF":3.1000,"publicationDate":"2024-06-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Crime Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1186/s40163-024-00212-y","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"CRIMINOLOGY & PENOLOGY","Score":null,"Total":0}
引用次数: 0
Abstract
Ransomware-as-a-service (RaaS) is increasing the scale and complexity of ransomware attacks. Understanding the internal operations behind RaaS has been a challenge due to the illegality of such activities. The recent chat leak of the Conti RaaS operator, one of the most infamous ransomware operators on the international scene, offers a key opportunity to better understand the inner workings of such organizations. This paper analyzes the main discussion topics in the Conti chat leak using machine learning techniques such as Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), as well as visualization strategies. Five discussion topics are found: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem Solving. Moreover, the distribution of topics among Conti members shows that only 4% of individuals have specialized discussions while almost all individuals (96%) are all-rounders, meaning that their discussions revolve around the five topics. The results also indicate that a significant proportion of Conti discussions are non-tech related. This study thus highlights that running such large RaaS operations requires a workforce skilled beyond technical abilities, with individuals involved in various tasks, from management to customer service or problem solving. The discussion topics also show that the organization behind the Conti RaaS operator shares similarities with a large firm. We conclude that, although RaaS represents an example of specialization in the cybercrime industry, only a few members are specialized in one topic, while the rest runs and coordinates the RaaS operation.
期刊介绍:
Crime Science is an international, interdisciplinary, peer-reviewed journal with an applied focus. The journal''s main focus is on research articles and systematic reviews that reflect the growing cooperation among a variety of fields, including environmental criminology, economics, engineering, geography, public health, psychology, statistics and urban planning, on improving the detection, prevention and understanding of crime and disorder. Crime Science will publish theoretical articles that are relevant to the field, for example, approaches that integrate theories from different disciplines. The goal of the journal is to broaden the scientific base for the understanding, analysis and control of crime and disorder. It is aimed at researchers, practitioners and policy-makers with an interest in crime reduction. It will also publish short contributions on timely topics including crime patterns, technological advances for detection and prevention, and analytical techniques, and on the crime reduction applications of research from a wide range of fields. Crime Science publishes research articles, systematic reviews, short contributions and theoretical articles. While Crime Science uses the APA reference style, the journal welcomes submissions using alternative reference styles on a case-by-case basis.