24 May 2022

Conti ransomware group shuts down operation, but doesn’t go out of business


Conti, a notorious ransomware gang behind a series of high-profile hacks, including a recent attack on Costa Rican government agencies in mid-April, has officially shut down its operation, with all of its infrastructure now offline. However, security researchers have warned that the gang hasn’t gone anywhere, but has simply split into smaller, more novel brands.

The Conti ransomware operation was launched in 2020 by a Russia-based group as a successor to the Ryuk ransomware. Over the past few years, the group has evolved into a successful cybercrime syndicate that took over TrickBot, BazarLoader, and Emotet. The US government offered a reward of up to $10 million for information on the gang leaders in early May of 2022.

According to AdvIntel, last Thursday the admin panel of the Conti ransomware gang's official website, Conti News, was shut down, as was the negotiations service site. The rest of the infrastructure, from chatrooms to messengers and from servers to proxy hosts, was going through a massive reset.

As AdvIntel’s Yelisey Boguslavskiy and Vitali Kremez explained in a blog post, the shutdown was not a spontaneous decision but rather a calculated move, signs of which had been evident since late April. Conti’s downfall began in February 2022, when the group pledged support to the Russian government over the invasion of Ukraine. Shortly after, a Ukrainian security researcher released a trove of information related to Conti, including the ransomware source code and internal chats.

“For over two months, Conti collective had been silently creating subdivisions that began operations before the start of the shutdown process. These subgroups either utilized existing Conti alter egos and locker malware, or took the opportunity to create new ones,” the researchers said.

“This decision was convenient for Conti, as they already had a couple of subsidiaries operating under different names: KaraKurt, BlackByte, BlackBasta. The rebranded version of Conti—the monster splitting into pieces still very much alive—ensured that whatever form Conti’s ex-affiliates chose to take, they would emerge into the public eye before news of Conti’s obsolescence could spread, controlling the narrative around the dissolution as well as significantly complicating any future threat attributions.”

AdvIntel says that the group has not received any ransom payments since February, because Conti victims did not pay due to the threat of being sanctioned by the US government.

“Conti had essentially cut itself from the main source of income. Our sensitive source intelligence shows that many victims were prohibited to pay ransom to Conti. Other victims and companies who would have negotiated ransomware payments were more ready to risk the financial damage of not paying the ransom than they were to make payments to a state-sanctioned entity,” the researchers wrote.

“Looking back, a trail of similar marks lead from the group’s days as the organization Ryuk to their first rebranding from the collective’s Overdose division. Each mark represents a shift in the threat landscape, a series of tics that, only when viewed from a great distance, show the dramatic impact the group has made on ransomware’s very existence. However, the actors that formed and worked under the Conti name have not, and will not cease to move forward with the threat landscape—their impact will simply leave a different shape.”
