Two months after the infamous Conti ransomware gang ceased operations, several of its members remain as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.
Separately, they remain as dangerous to organizations as they used to be as members of a single gang, according to Intel 471. Its researchers have been tracking Conti actors as they have moved in different directions since the group dissolved in May.
The cessation of operations appears to be a bid by the group’s operators to distance themselves from the brand more than anything else. In a new report, the threat intelligence firm speculates that once law-enforcement attention around the Conti group wanes, it’s likely that its now-scattered members will regroup and form another criminal organization similar in structure to the original.
“In order to defend their enterprises, security practitioners need to understand how cybercriminals organize their operations,” says Brad Crompton, director of intelligence for Intel 471’s shared services group. “Even though Conti is defunct, former operators are still using similar [tactics, techniques, and procedures], which means security teams can still use their prior strategies in stopping similar attacks rather than ignoring them altogether in light of Conti’s demise.”
Most-Destructive Ransomware Group
The Conti group is widely regarded within the security industry as one of the most destructive ransomware operations of all time. The predominantly Russia-based group first surfaced in 2020, and has used a variety of tactics to break into victim networks — including via spear-phishing campaigns, stolen Remote Desktop Protocol credentials, software vulnerabilities, and poisoned software.
The FBI estimated that by January, the gang had collected some $150 million in ransom payouts from more than 1,000 victims worldwide—including more than 400 in the US. The scale of its destruction prompted the US State Department in May to announce a $10 million reward for information leading to the identification and/or location of key individuals of the gang. The State Department offered another $5 million for information leading to the arrest and conviction of individuals participating in attacks involving Conti ransomware incidents.
Leaking a Window into Conti’s Operations
In May, a Ukrainian member of the gang publicly released a big trove of Conti’s internal conversations after the Conti team officially announced its support for the Russian government’s invasion of Ukraine. Information from that leak, and another previous leak in September 2021 showed the Conti ransomware operation was structured along the lines of a formal business complete with a physical office, scheduled working hours, managers at various tiers and separate departments for HR, coding, training, testing, intelligence gathering, and other functions.
The FBI, the National Security Agency (NSA), and the US Cybersecurity and Infrastructure Security Agency (CISA) earlier assessed that Conti’s developers used a ransomware-as-a-service model to distribute their malware. But instead of taking a cut of the ransom from affiliates — as is usually the case with ransomware-as-a-service — Conti’s developers paid attackers a flat fee for deploying their malware on victims’ networks.
Significantly, the leaks also appeared to confirm widely held suspicions about a link between Conti’s developers and Russia’s Federal Security Service (FSB).
Rebrand & Regroup?
In mid-May, Conti’s developers seemingly abruptly began shutting down infrastructure — such as admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to the high level of attention it had managed to attract from law enforcement and media. A few weeks later, it also shut down a site it had used to name-and-shame victims that refused to pay a ransom.
One analysis by AdvIntel at the time concluded that the group’s main actors had already put in place plans to continue the operation under various guises a few months before its official shutdown.
The Black Basta ransomware gang, which started operations in April, or one month before Conti’s official exit from the ransomware scene appears to be one such operation. Intel 471 said its analysis of the group’s activities show that Black Basta’s infrastructure — such as its payment and data leak sites, its payment site, recovery portals, and communication and negotiation methods — have overlaps with Conti’s operations.
Intel 471 also has identified two other ransomware operations — BlackByte and Karakurt — that have similar, significant overlaps with Conti and in fact may simply be rebranded Conti operations. In addition, some Conti affiliates and managers have forged alliances with other ransomware teams, including Ryuk, Maze, LockBit 2.0, BlackCat, Hive, and HelloKitty. According to Intel 471, it is possible also that other actors could use leaked Conti source code to developer their own ransomware and decryption tools.
