Chris Swagler | June 28th, 2022

One notorious cybercrime brand’s final chapter has officially closed with the shutdown of the Conti ransomware operation’s final public-facing infrastructure: two Tor servers used to leak data and negotiate with victims. According to a threat intel analyst, Conti’s servers were shut down and are still offline. The Conti ransomware group began shutting down its operations in May, informing its members that the brand no longer existed and decommissioning its internal infrastructure, including communication and storage servers. However, Conti transferred its members to other ransomware groups while leaving one member behind to continue leaking data and taunting Costa Rica, creating the illusion that the operation was still running.

The ransomware operation was not carrying out any new attacks, despite pretending to still be active, and the data leaked by the remaining member was from older ransomware attacks. To confuse researchers and law enforcement, the Conti member released the same victim’s data on both sites plus Hive’s data leak site, where the member is also an affiliate. In the end, it was a ruse because other ransomware operations were being infiltrated or taken over by the rest of the Conti ransomware group.

Conti, a Russian ransomware group, launched its operation in the summer of 2020 after replacing the Ryuk ransomware. The City of Tulsa, Broward County Public Schools, and Advantech were among Conti’s numerous high-profile targets. The group gained a reputation when it breached Ireland’s Health Service Executive (HSE) and Department of Health (DoH), shutting down the country’s IT systems for weeks. Between November 17 and December 20, 2021, Conti members breached more than 40 organizations in one of their largest infiltration campaigns. Conti developed into a true cybercrime organization, taking over the creation of TrickBot and BazarBackdoor among other malware operations.

After the group sided with Russia in its invasion of Ukraine, a Ukrainian security researcher released the source code for the Conti ransomware encryptor along with over 170,000 internal chat conversations belonging to the group. The ransomware group was embarrassed when it discovered that law enforcement and security researchers had access to its internal private conversations and had begun analyzing the vast amount of data. Other security researchers and possibly Ukrainian law enforcement started doxing Conti/TrickBot members on Twitter and through discussions, addresses, and social media, which made it worse for the group.

Even though the Conti operation appears to have shut down, the group has divided into smaller cells that have either taken over or penetrated other ransomware operations. The members remain devoted to the organization, which is operated by a small team of managers. Distributing the members among numerous groups can prevent the whole operation from being taken down if a single cell is discovered or law enforcement shuts down a ransomware group. Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revived Quantum operation are among the ransomware groups to have absorbed former Conti members.

Because the Conti threat actors are still aggressively targeting victims all over the world under numerous operations, companies need to remain vigilant about the current threat landscape and maintain good cybersecurity practices. At SpearTip, our certified engineers work continuously 24/7/365 at our Security Operations Center, monitoring companies’ data networks for potential ransomware threats. Our engineers will investigate the nature of the breach, conduct thorough data analysis, and execute a recovery plan returning impacted businesses to their normal operations.

SpearTip examines companies’ security posture to improve weak points in their network and provides a technical roadmap ensuring organizations have the awareness and support to optimize their overall cyber security posture. Our ShadowSpear Platform, our cutting-edge endpoint detection and response tool, uses comprehensive insights through unparalleled data normalization and visualization to detect sophisticated known and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.