Conti ransomware gang stops activities – actors continue to operate

A few hours ago, the Conti ransomware gang seems to have officially announced its dissolution and the cessation of all activities. The questions that remain: How long will this last? Will there be a sudden comeback? And will the actors involved in the Conti gang strike out on their own or join other ransomware groups?

The Conti Ransomware Gang

The Conti ransomware gang's activities have been observed since 2020, with security specialists locating its members in Russia. The malware used by the gang targets Windows systems and uses its own AES-256 implementation to encrypt files on victim systems. 

The gang behind Conti has been running a website since 2020, on which it publishes documents stolen during ransomware infections. The same gang, known as Wizard Spider and based in Saint Petersburg, Russia, also distributed the Ryuk ransomware. Cyberattacks on many companies are attributed to Conti.

In November 2021, there was a spat within the group, and someone published information about the group's internals as well as its payment structures (see Structures of Conti ransomware group exposed – payment infrastructure offline). As a result, more than 60,000 chat records of Conti members also became public (see More than 60,000 chats of the Conti ransomware gang leaked).

Conti discontinued

The above development suggested that the group is in the process of disbanding, even if the last major action was a ransomware attack against Costa Rica and its government. I came across the information that the group is officially disbanding via the following tweet from colleagues at Bleeping Computer. This comes from Yelisey Boguslavskiy & Vitali Kremez of ADV Intel, who published the whole thing in the post DisCONTInued: The End of Conti's Brand Marks New Chapter For Cybercrime Landscape.

Conti ransomware group shuts down operation

The Costa Rica attack was probably meant to be a demonstration of the group's tools. On May 19, 2022, the Conti ransomware website's administrative page, Conti News, was taken down. The ransomware negotiation website is also down. The rest of the infrastructure – from chat rooms to messengers and from servers to proxy hosts – was also reset.

This is probably not a spontaneous decision, but a calculated move for which there had been signs since late April, security researchers write. As early as May 6, AdvIntel wrote that the "Conti" brand, rather than the organization itself, was facing final closure. As of May 19, 2022, the exclusive source used by the security researchers confirmed that the gang was shutting down its operation. This shutdown reflects the realization that has been obvious to the Conti leadership since the spring of 2022: the group could no longer adequately support and execute extortion operations. The blog's main and only valid purpose was to republish captured records. That has now been discontinued as well.

In their analysis, the security researchers go into further details about the Conti ransomware gang. While the "Conti" brand no longer exists as such, the operations continue. Speaking to Bleeping Computer, ADV Intel's Boguslavskiy explained that the Conti gang's leaders have teamed up with other smaller ransomware gangs to carry out attacks. This article from ADV Intel elaborates on this development.

Through this partnership, these ransomware gangs are receiving an influx of experienced Conti pentesters, negotiators, and operators. The Conti cybercrime syndicate gains flexibility and is better able to elude law enforcement by splitting into smaller "cells," all directed by central leadership. The issue is therefore not off the table, but emerges like a hydra with new heads.

Similar articles
Structures of Conti ransomware group exposed – payment infrastructure offline
More than 60,000 chats of the Conti ransomware gang leaked
