Former Conti Members Are Now BlackBasta, BlackByte and Karakurt Members

essidsolutions

A couple of months after the Conti ransomware gang shut down its larger syndicate operations, some of its members appear to be active again. Intel 471 found that the Russia-based gang is not back in business as such, but that several of its members have resurfaced in smaller cybercriminal factions. Others have ventured out on their own.

Conti, one of the most prolific ransomware gangs in recent history, disbanded in the wake of the Conti Leaks, which offered a rare glimpse into the inner workings of the cybercriminal syndicate.

Soon after Conti declared its support for Russia amid the Russia-Ukraine conflict, an insider, possibly Ukrainian, leaked internal Conti chats in March going back to the gang’s founding. The leak, now widely known as the Conti Leaks, revealed that the gang operated much like a modern-day business.

The group advertised job postings, attempted to test the security products of cybersecurity companies, and even offered bonuses and performance appraisals like a contemporary business. In May 2022, Conti abruptly took its internal infrastructure offline, including its panels and hosts, along with the new blog it had been using as a leak site.

At the time, Conti was locked in an intense ransomware standoff with the government of Costa Rica, which had declared a national emergency in the country. Cian Heasley, a security consultant at Adarma, told Spiceworks (then Toolbox) that the gang pulled the plug because it was being hotly pursued by law enforcement following “continued PR scandals and OPSEC fails they’ve experienced in the last year.”

In May 2022, the U.S. Department of State offered a $10 million reward for information on Conti’s leaders and $5 million for any information leading to the arrest of Conti members. The FBI estimated that Conti had victimized 1,000 organizations and amassed over $150 million in ransomware payouts, the highest of any ransomware group.

Heasley also noted, “The skills that Conti members and affiliates have accrued, the training materials they have created, the expertise they have developed in setting up infrastructure and laundering cryptocurrency will all make them highly prized members for other groups to poach,” and predicted that Conti members would reemerge under other names.

Security experts assessed the cybercriminal syndicates BlackBasta, BlackByte, and Karakurt as the prime suspects under which Conti members would resurface. This was confirmed by researchers at Intel 471, a Texas-based cybercrime intelligence company, which released a report on the subject yesterday.


“Some actors have leaned into side projects that take advantage of segments of Conti’s prior operations, like network access or data theft. Others have allegedly forged alliances with other Ransomware-as-a-service (RaaS) groups, building upon individual relationships that were cultivated during Conti’s existence,” Intel 471 said.

“Having previously managed a variety of underground side businesses, actors associated with Conti have either branched out as independent contractors or small syndicates, using skills and/or schemes previously used to support Conti’s operations.”

Intel 471 observed similarities between Conti’s tactics, techniques and procedures (TTPs) and those of the BlackBasta and BlackByte ransomware gangs. The company goes on to describe both as a rebrand of Conti, citing the similarities between Conti and BlackBasta in their data leak blogs, payment sites, recovery portals, victim communications and negotiation methods.

BlackByte, for its part, uses worm capabilities and resizes the volume shadow storage allocation so that Windows discards existing shadow copies, both hallmarks of Conti. BlackBasta is relatively new; it emerged only one month before Conti shut down its systems.
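The shadow-storage resize mentioned above is a recognisable pre-encryption step that defenders can hunt for in process-creation telemetry. The following added example, which is not from the Intel 471 report or any of the groups named here, flags command lines that shrink shadow storage to a bounded size and, going slightly beyond the text, also those that delete shadow copies directly, then correlates both on the same host. The event format and all sample events are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation events (host, parent process, command line),
# in the shape a SIEM export might take. None of these come from a real incident.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("ws01", "explorer.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
    ("fs02", "cmd.exe", "C:\\Windows\\System32\\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("fs02", "cmd.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=UNBOUNDED"),
    ("fs02", "cmd.exe", "vssadmin  delete   shadows /all /quiet"),
    ("db03", "powershell.exe", "wmic shadowcopy delete"),
    ("ws04", "svchost.exe", "vssadmin list shadows"),
]

# Detection rules matched against the normalised command line. A resize to
# "unbounded" is excluded: it grows the store and does not evict shadow copies.
RULES: Dict[str, re.Pattern] = {
    "shadow_storage_resize": re.compile(
        r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=(?!unbounded)", re.I),
    "shadow_copy_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadow_copy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}


def normalize(cmd: str) -> str:
    """Collapse whitespace and strip quotes so spacing or quoting does not evade the rules."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()


def detect_shadow_copy_tampering(events: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair; a single event can trigger several rules."""
    hits = []
    for host, parent, cmd in events:
        norm = normalize(cmd)
        for name, pattern in RULES.items():
            if pattern.search(norm):
                hits.append({"host": host, "parent": parent, "rule": name, "cmd": norm})
    return hits


def hosts_with_resize_and_delete(events: List[Tuple[str, str, str]]) -> List[str]:
    """Higher-confidence correlation: the same host both shrinks shadow storage and deletes copies."""
    rules_by_host: Dict[str, Set[str]] = {}
    for hit in detect_shadow_copy_tampering(events):
        rules_by_host.setdefault(hit["host"], set()).add(hit["rule"])
    deleters = {"shadow_copy_delete", "wmic_shadow_copy_delete"}
    return sorted(h for h, r in rules_by_host.items()
                  if "shadow_storage_resize" in r and r & deleters)
```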

The BlackByte ransomware gang’s origins date back a year, to July 2021. The top sectors targeted by BlackByte include manufacturing, retail, professional and legal services, hospitality, and construction, among others. The FBI issued a threat alert for BlackByte days before its most significant high-profile attack, against the San Francisco 49ers in February.

Karakurt is the third cybercriminal entity Intel 471 associated with Conti. Like the Lapsus$ group, Karakurt primarily engages in data theft and extortion without encrypting victim data, which sets it apart from BlackBasta and BlackByte. However, Karakurt uses the same attacker hostname and the same exfiltration and remote access methods as Conti, and there is evidence of cryptocurrency transfers between Karakurt and Conti.

Besides Intel 471, WhoisXML API threat researcher Dancho Danchev delved into the present-day footprint of Wizard Spider, the group that created Conti. Danchev found the following:

  • Nearly 30 known Wizard Spider gang members’ aliases or online handles
  • 250+ email addresses belonging to the gang’s members
  • 50+ domains that served as Conti ransomware hosts
  • 500+ domains that pointed to Conti ransomware command-and-control (C&C) servers, a vast majority of which were registered in the U.S.
  • 1,400+ IP address resolutions of the domains primarily geolocated in the U.S., 19% of which were tagged “malicious” by various malware engines
  • 70+ domains that shared the C&C domains’ IP hosts, 9% of which were dubbed “malicious” by various malware engines

It isn’t uncommon for cybercriminal groups to temporarily sever their ties with one another to throw law enforcement off their trail. “The ContiLeaks were a mortal blow to the Conti group, exposing enough information to make the group’s continued operation untenable,” Intel 471 added.

“Yet even with the leaks, there were steps Conti took that enabled the ransomware group to remain resilient and continue parts of its operation. Intel 471 believes it is highly likely the most prolific members of the group will continue to operate, successfully conducting illicit cyber activity.”
