The ransomware group known as Conti has been officially shut down and all of its infrastructures are now offline.
While this may seem like good news, it’s only good on the surface – Conti isn’t over yet, it’s just broken up into smaller operations.
Conti was launched in the summer of 2020 as a successor to the Ryuk ransomware. It relied on partnerships with other malware infections to spread. Malware such as TrickBot and BazarLoader was the first entry point for Conti, who then proceeded to attack. Conti proved so successful that it eventually grew into a cybercrime syndicate that took over TrickBot, BazarLoader, and Emotet.
In the past two years, Conti has carried out a number of high-profile attacks targeting Tulsa County, Advantech and Broward County Public Schools. Conti also held ransoms for the IT systems of the Irish Health Service Executive and the Ministry of Health for weeks, only releasing them when they faced serious problems from law enforcement officers around the world. However, this attack gave Conti a lot of attention from the global media.
Most recently, it targeted the country of Costa Rica, but according to Advanced Intel’s Yelisey Bogslavskiy, the attack was just a cover for the fact that Conti was disbanding the entire operation. Boguslavskiy told Bleeping Computer that the attack on Costa Rica was made public in order to give Conti members time to migrate to various ransomware operations.
“The agenda to carry out the attack on Costa Rica for the purpose of publicity rather than ransom was disclosed internally by Conti’s leadership. Internal communications between group members suggested that the ransom demanded was much less than $1 million (despite unverified claims that the ransom was $10 million, followed by Conti’s own claims that the amount was $20 million),” said a yet-to-be-published Advanced Intel report, shared in advance by Bleeping Computer.
The eventual end to Conti was brought by Russia’s open approval of the group and the invasion of Ukraine. On official channels, Conti went so far as to say it will pool all its resources to defend Russia against potential cyber-attacks. After that, a Ukrainian security researcher leaked more than 170,000 internal chat messages between members of the Conti group and eventually also leaked the source code for the gang’s ransomware encryptor. This encryptor was later used to attack Russian entities.
As things stand, all of Conti’s infrastructure has been taken offline and the group’s leaders said the brand is over. However, this does not mean that Conti members will no longer pursue cybercrime. According to Boguslavskiy, Conti’s leadership decided to split up and team up with smaller ransomware gangs, such as AvosLocker, HelloKitty, Hive, BlackCat, and BlackByte.
Members of the previous Conti ransomware gang, including intelligence analysts, pentesters, developers and negotiators, are scattered across various cybercrime operations, but they are still part of the Conti syndicate and under the same leadership. This helps them avoid law enforcement and still carry out the same cyber attacks as under the Conti brand.
Conti was considered one of the most expensive and dangerous forms of ransomware ever created, with more than $150 million in ransom collected during its two-year period. The U.S. government is offering a substantial award of up to $15 million for help identifying those involved with Conti, especially those in leadership positions.