Conti Ransomware Gang Shuts Shop Amid Attack on Costa Rica


Conti, one of the most prolific ransomware gangs, seems to have packed its bags and broken up into smaller ransomware groups. Advanced Intel’s head of research, Yelisey Boguslavskiy, confirmed the disbanding of the dreaded ransomware syndicate operating from Russia.

Boguslavskiy clarified that while the older onion version of the ransomware gang’s blog is still online, Conti’s internal infrastructure, such as panels and hosts, as well as the new blog used as the leak site, is now offline.

Thank you for the extended comments. We are aware that the older onion version of the blog is still technically working. But we also see that the internal panels and hosts are down. More details in our blog.

— Yelisey Boguslavskiy (@y_advintel) May 19, 2022

“If it is in fact true that the Conti ransomware gang is wrapping up and shutting down their operations, then it will be interesting to see how they conclude current ransoms and of course there is the threat of them dumping large amounts of stolen data as they exit,” Cian Heasley, security consultant at Adarma, told Toolbox.

While that has yet to be confirmed, it isn’t uncommon for cybercriminal groups and individual threat actors to temporarily break their association with each other when faced with a difficult situation. Louise Ferrett, a threat intelligence analyst at Searchlight Security, told Toolbox that Conti’s behavior became increasingly reckless.

He said, “I’d say the key reasons they would ‘disband’ (though it’s more like a rebrand in actual fact) are an increase in law enforcement attention from the U.S. ($15 million reward), as well as the continued PR scandals and OPSEC fails they’ve experienced in the last year or so, including the leaking of their internal training handbook and tools last year, plus the more recent extensive leaks of their internal chats, damaging their reputation in the cybercrime world.”

Disbanding or rebranding thus lets the group throw law enforcement off its tail, complicating investigators’ work while giving the operators a chance to rebuild their image.

Heasley added, “The skills that Conti members and affiliates have accrued, the training materials they have created, the expertise they have developed in setting up infrastructure and laundering cryptocurrency will all make them highly prized members for other groups to poach.

“I don’t doubt for a moment that Conti leadership already has other ‘brands’ of ransomware that they can take over or ally with, we may therefore see an influx of more high-profile attacks by groups that were considered more mid-tier within the ransomware scene up until now.”

Boguslavskiy confirmed to BleepingComputer that the Conti leadership had formed partnerships with smaller ransomware gangs such as HelloKitty, AvosLocker, Hive, BlackCat, and BlackByte. Ferrett told Toolbox, “In terms of which groups have broken off and formed, it’s not quite clear – most are pretty confident that the Karakurt group is a data-theft subgroup of Conti.”


He adds, “There was speculation around BlackBasta being the successor to Conti, with good reason, but that’s been disputed by Conti themselves who disparaged BlackBasta as ‘kids.’ I think it’s possible Conti could create a whole new identity rather than trying to grow any of its suspected subgroups.”

What’s confusing, however, is that Conti is shutting shop in the middle of an intense ransomware standoff with the government of Costa Rica, which recently declared a national emergency and refused to pay the ransom demand.

Conti even claimed to have insiders in the Costa Rican government, which besides creating a public narrative of fear and urgency, seemed rather “exaggerated and outlandish,” according to Ferrett.

Researchers including Boguslavskiy and Heasley believe that this was Conti’s attempt at distracting the world as they complete their transition into smaller groups. “The recent threats by Conti to ‘overthrow’ the government of Costa Rica because of that government’s refusal to pay a huge ransom for the keys to encrypted systems seemed out of the ordinary even for a high-profile group like Conti,” Heasley noted.

He further told Toolbox, “It seems now, if the gang is, in fact, closing up shop, that this very public conflict is intended to distract from the gang decommissioning their infrastructure and perhaps for Conti to go out on a defiant note before fading away.”

Thus, Conti’s attack on Costa Rica may have been a ploy to misdirect while it sets its members up elsewhere.

Conti is widely believed to be a Russian state-sponsored ransomware gang. It was the most active ransomware operation in 2021 and was responsible for 269 attacks, according to Ivanti. It operated under a ransomware-as-a-service model.

When a Conti member leaked internal chats in March, going back to the gang’s founding, in what became known as the Conti Leaks, the material offered a glimpse into the ransomware gang’s operations. The group advertised job postings, attempted to test its tooling against the security products of cybersecurity companies, and even offered bonuses and appraisals like a contemporary business.

Boguslavskiy said they would share the details of the Conti shutdown shortly.
