It has been reported that the notorious Conti ransomware gang has officially shut down its operation, with infrastructure taken offline and team leaders told that the brand is no more. This news comes from Advanced Intel’s Yelisey Boguslavskiy, who tweeted this afternoon that the gang’s internal infrastructure was turned off. While the public-facing ‘Conti News’ data leak site and the ransom negotiation site are still online, Boguslavskiy told BleepingComputer that the Tor admin panels used by members to conduct negotiations and publish “news” to the data leak site are now offline.
This is an interesting development that was foreshadowed by Conti’s behaviour becoming increasingly reckless – even by ransomware gang standards. I’d say the key reasons they would “disband” (though it’s more like a rebrand in actual fact) are an increase in law enforcement attention from the US ($15 million reward), as well as the continued PR scandals and OPSEC fails they’ve experienced in the last year or so, including the leaking of their internal training handbook and tools last year, plus the more recent extensive leaks of their internal chats, damaging their reputation in the cybercrime world.
In terms of which groups have broken off and formed, it’s not quite clear – most are pretty confident that the Karakurt group is a data-theft subgroup of Conti. There was speculation around BlackBasta being the successor to Conti, with good reason, but that’s been disputed by Conti themselves, who disparaged BlackBasta as “kids.” I think it’s possible Conti could create a whole new identity rather than trying to grow any of its suspected subgroups.
If it is in fact true that the Conti ransomware gang is wrapping up and shutting down its operations, then it will be interesting to see how they conclude current ransoms, and of course there is the threat of them dumping large amounts of stolen data as they exit.
Groups like Conti operate under umbrellas of disparate organisations; they co-opt each other, rebrand, merge, and split apart as their own internal politics or threats to their business models dictate. The skills that Conti members and affiliates have accrued, the training materials they have created, and the expertise they have developed in setting up infrastructure and laundering cryptocurrency will all make them highly prized members for other groups to poach. I don’t doubt for a moment that Conti leadership already has other “brands” of ransomware that they can take over or ally with; we may therefore see an influx of more high-profile attacks by groups that were considered more mid-tier within the ransomware scene up until now.
Conti has suffered a lot of high-profile leaks in the last year and a half. These groups carefully cultivate a mystique and an aura of invulnerability that helps them intimidate people, and their private communications and documentation show a more human side that they do not want public. The recent threats by Conti to “overthrow” the government of Costa Rica because of that government’s refusal to pay a huge ransom for the keys to encrypted systems seemed out of the ordinary even for a high-profile group like Conti. It seems now, if the gang is in fact closing up shop, that this very public conflict is intended to distract from the gang decommissioning its infrastructure, and perhaps for Conti to go out on a defiant note before fading away.
Regardless of the names of the various groups or their unique branding, we can look at some basic precautions that will help prevent or detect the kinds of techniques that ransomware groups rely on to achieve their goals. By ingesting and analysing relevant logfiles, strictly enforcing MFA for users, having a good idea of your potentially publicly accessible systems and whether they are being kept up to date with security patching, and being vigilant against phishing attacks, you will have a good foundation to build on for staying safe from ransomware.
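The “ingest and analyse relevant logfiles” precaution above is easy to state and less obvious to turn into a concrete check. The following is an added example, not code from the article or from any of the quoted commentators, showing two detections that catch common ransomware-affiliate initial-access behaviour against an exposed login surface (VPN, RDP gateway, webmail): a password spray (one source IP failing against many accounts in a short window) and a brute force that ends in a successful login. The log format, account names, and IP addresses are constructed for the example; real telemetry would need its own parser, but the grouping and windowing logic is the same.

```python
"""Added example: flag password-spray and fail-then-success patterns in authentication logs.

The log format below is a constructed, simplified one ("<ISO timestamp> <user> <src_ip> <FAIL|SUCCESS>");
it is not the output of any specific product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 203.0.113.7 sprays six accounts and lands on
# 'frank'; 198.51.100.4 is a user mistyping a password once; 192.0.2.9 brute-forces 'bob'.
SAMPLE_LOG = """
2022-05-19T08:00:01 alice 203.0.113.7 FAIL
2022-05-19T08:00:03 bob 203.0.113.7 FAIL
2022-05-19T08:00:05 carol 203.0.113.7 FAIL
2022-05-19T08:00:07 dave 203.0.113.7 FAIL
2022-05-19T08:00:09 erin 203.0.113.7 FAIL
2022-05-19T08:00:11 frank 203.0.113.7 FAIL
2022-05-19T08:00:13 frank 203.0.113.7 SUCCESS
2022-05-19T08:01:00 alice 198.51.100.4 FAIL
2022-05-19T08:01:20 alice 198.51.100.4 SUCCESS
2022-05-19T08:02:00 bob 192.0.2.9 FAIL
2022-05-19T08:02:10 bob 192.0.2.9 FAIL
2022-05-19T08:02:20 bob 192.0.2.9 FAIL
2022-05-19T08:02:30 bob 192.0.2.9 SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    # Both detectors below rely on chronological order.
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return source IPs whose failures hit >= min_users distinct accounts within one window.

    A spray tries one or two passwords against many accounts, so per-account lockout thresholds
    never trigger; counting distinct users per source IP is what exposes it.
    """
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, fails in fails_by_ip.items():
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


def detect_fail_then_success(events, min_fails=3):
    """Return (user, ip) pairs where >= min_fails consecutive failures precede a success.

    A lone success after a run of failures from the same source is the moment a guessed or
    stolen password started working; this is the event worth alerting on, not the failures.
    """
    streak = defaultdict(int)
    flagged = set()
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            if streak[key] >= min_fails:
                flagged.add(key)
            streak[key] = 0
        else:
            streak[key] += 1
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password spray sources:", detect_password_spray(evs))
    print("brute force that succeeded:", detect_fail_then_success(evs))
```

On the constructed sample the spray detector flags only 203.0.113.7 and the fail-then-success detector flags only bob from 192.0.2.9; the single mistyped password from 198.51.100.4 is below both thresholds. The thresholds and window are starting points to tune against your own baseline of legitimate failures, and if MFA is strictly enforced as the quote recommends, a flagged success is still worth chasing, because it means a valid password is now in an attacker’s hands.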