Chris Swagler | June 2nd, 2022

The infamous Conti ransomware group has officially shut down its operation and taken its infrastructure offline, with the operation's leaders telling members that the brand is no more. A cybersecurity company broke the news when it discovered that the group's internal infrastructure had been turned off. The public-facing 'Conti News' data leak site and the ransom negotiation site are still online, but the Tor admin panels that members used to conduct negotiations and publish "news" on the leak site are now offline, and other internal services, including the group's Rocket.Chat servers, have been decommissioned. Shutting down in the middle of a very public confrontation with Costa Rica may look surprising, but researchers concluded that Conti staged that attack precisely to create the appearance of a live operation while its members gradually shifted to smaller ransomware operations.

According to a report from threat researchers, their visibility into Conti's internal communications led them to the opposite of the obvious conclusion: Conti's only goal with this final attack was to use the platform as a tool of publicity, performing its own death and subsequent rebirth in the most plausible way it could have been conceived. Conti's leadership declared internally that the attack on Costa Rica was about publicity rather than money. Despite unverified claims of a $10 million ransom demand and Conti's own claim of $20 million, internal communications between group members indicate that any ransom payment was below $1 million.

Even though the Conti ransomware brand is no longer active, the cybercrime organization behind it will continue to play an important role in the ransomware industry for a long time. Instead of rebranding as another large ransomware operation, Conti's leadership has partnered with smaller ransomware groups to launch attacks, and those groups have gained an influx of skilled Conti pentesters, negotiators, and operators. By dividing into smaller "cells," all managed by central leadership, the Conti syndicate gains greater mobility and a better chance of evading law enforcement. According to the report, Conti has partnered with numerous well-known ransomware operations, including HelloKitty, AvosLocker, Hive, BlackCat, and BlackByte.

Even though members will now use the encryptors and negotiation sites of other ransomware operations, they are still part of the larger Conti cybercrime syndicate. The researchers also claim that new autonomous groups of Conti members have been created to focus solely on data exfiltration and extortion rather than data encryption; Karakurt, BlackByte, and the BazarCall collective are a few of these groups. Together, these measures allow the existing syndicate to keep operating under different names.

Conti's rebranding is no surprise to the researchers and journalists who have followed the group in recent months, if not years. The Conti ransomware operation launched in the summer of 2020 as the successor to the Ryuk ransomware group. Like Ryuk, Conti was distributed through partnerships with other malware operations, including TrickBot and BazarLoader, which gave the ransomware group initial access to victim networks. Over time, Conti grew into the largest ransomware operation and eventually into a full cybercrime syndicate after absorbing TrickBot, BazarLoader, and Emotet. During its run, Conti was responsible for multiple high-profile attacks, including those against the City of Tulsa, Broward County Public Schools, and Advantech. It attracted global media attention after attacking Ireland's Health Service Executive (HSE) and Department of Health (DoH) and shutting down the country's healthcare IT systems for weeks. The group eventually issued a free decryptor to the HSE, but by then it was in the crosshairs of law enforcement around the world. Conti publicly siding with Russia's invasion of Ukraine is what made the brand extremely toxic and sealed its fate.

A Ukrainian security researcher then published over 170,000 internal chat messages between Conti members, along with the source code of the Conti ransomware encryptor. Once the source code was public, other threat actors used it in their own attacks, with one group deploying the Conti encryptor against Russian entities. According to the United States government, Conti is one of the costliest ransomware strains ever created, with thousands of victims and over $150 million in ransom payments. The group's activities led the United States government to offer a reward of up to $15 million for information identifying and locating Conti's leaders.

Even though high-profile ransomware groups like Conti have shut down their operations, they can remain extremely dangerous as rebranded groups. That is why it is important for companies to stay alert to the current threat landscape and to keep offline backups of sensitive data. At SpearTip, our Security Operations Center is staffed 24/7/365 with certified engineers who work continuously in an investigative cycle and are ready to respond to events at a moment's notice. Our team investigates the nature of the breach, conducts thorough data analysis, and executes the recovery plan to help return companies to their normal operations. SpearTip's remediation experts focus on restoring companies' operations, reclaiming their networks by isolating malware, and recovering the business-critical assets needed to operate. We understand the importance of recovering companies' core operations and offer full-scale incident coordination customized to meet individual organizational needs.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.