24 May 2022

Conti ransomware group shuts down operation, but doesn’t go out of business


Conti ransomware group shuts down operation, but doesn’t go out of business

Conti, a notorious ransomware gang behind a series of high profile hacks, including a recent attack on the Costa Rican government agencies in mid-April, has officially shut down its operation, with all of its infrastructure now offline. However, security researchers have warned that the gang hasn’t gone anywhere, but simply split into smaller, more novel brands.

The Conti ransomware operation was launched in 2020 by a Russia-based group as a successor to the Ryuk ransomware. Over the past few years, the group has evolved into a succesful cybercrime syndicate that took over TrickBot, BazarLoader, and Emotet. The US government offered a reward of up to $10 million for information on the gang leaders in early May of 2022.

According to AdvIntel, last Thursday the admin panel of the Conti ransomware gang's official website, Conti News, was shut down, as well as negotiations service site. The rest of the infrastructure - from chatrooms to messengers, and from servers to proxy hosts was going through a massive reset.

As AdvIntel’ Yelisey Bogusalvskiy and Vitali Kremez explained in a blog post, the shutdown was not spontaneous decision, but rather calculated move, signs of which were evident since late April. Conti’s downfall began in February 2022, when the group pledged support to the Russian government over the invasion of Ukraine. Shortly after, a Ukrainian security researcher released a trove of information related to Conti, including the ransomware source code and internal chats.

“For over two months, Conti collective had been silently creating subdivisions that began operations before the start of the shutdown process. These subgroups either utilized existing Conti alter egos and locker malware, or took the opportunity to create new ones,” the researchers said.

“This decision was convenient for Conti, as they already had a couple of subsidiaries operating under different names: KaraKurt, BlackByte, BlackBasta. The rebranded version of Conti—the monster splitting into pieces still very much alive—ensured that whatever form Conti’s ex-affiliates chose to take, they would emerge into the public eye before news of Conti’s obsolescence could spread, controlling the narrative around the dissolution as well as significantly complicating any future threat attributions.”

AdvIntel says that the group has not received any ransom payments since February, because Conti victims did not pay due to the threat of being sanctioned by the US government.

“Conti had essentially cut itself from the main source of income. Our sensitive source intelligence shows that many victims were prohibited to pay ransom to Conti. Other victims and companies who would have negotiated ransomware payments were more ready to risk the financial damage of not paying the ransom than they were to make payments to a state-sanctioned entity,” the researchers wrote.

“Looking back, a trail of similar marks lead from the group’s days as the organization Ryuk to their first rebranding from the collective’s Overdose division. Each mark represents a shift in the threat landscape, a series of tics that, only when viewed from a great distance, show the dramatic impact the group has made on ransomware’s very existence. However, the actors that formed and worked under the Conti name have not, and will not cease to move forward with the threat landscape—their impact will simply leave a different shape.”

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!


Back to the list

Latest Posts

Researchers uncovered undetectable malware linked to Russia's APT

Researchers uncovered undetectable malware linked to Russia's APT

According to a recent report published by Palo Alto Networks, new piece of malware currently evades 56 antivirus products.  
6 July 2022
New ransomware operation RedAlert puts victims on a "board of shame"

New ransomware operation RedAlert puts victims on a "board of shame"

At this point, only one victim is listed on the RedAlert’s data leak website, indicating that the development is very new.
6 July 2022
Microsoft silently issued a fix for ‘ShadowCoerce’ NTLM Relay attack

Microsoft silently issued a fix for ‘ShadowCoerce’ NTLM Relay attack

Despite patching the flaw, Microsoft hasn’t provided any details about it and assigned a CVE ID yet.
6 July 2022