The infamous Conti ransomware gang has officially shut down, with infrastructure taken offline and team leaders informed that the brand is no longer active.
Yelisey Boguslavskiy of Advanced Intel tweeted this afternoon that the gang’s internal infrastructure had been shut off.
While the public-facing ‘Conti News’ data leak and ransom negotiation sites remain up, Boguslavskiy told BleepingComputer that the Tor admin panels used by members to conduct negotiations and publish “news” on the data leak site are now offline.
Other internal services, such as their Rocket.Chat servers, are also being deactivated, BleepingComputer was told.
While it may seem odd for Conti to shut down in the middle of its information battle with Costa Rica, Boguslavskiy claims that Conti staged this highly visible attack to give the appearance of a live operation while Conti members gradually shifted to other, smaller ransomware operations.
“However, AdvIntel’s unique adversarial visibility and intelligence findings led to the exact opposite conclusion: Conti’s only goal with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” according to a report to be released tomorrow by Advanced Intel.
“The Conti leadership indicated internally that the attack on Costa Rica would be conducted for publicity rather than money. Despite unsubstantiated accusations that the ransom was $10 million USD, and Conti’s own statements that the total was $20 million USD, internal group correspondence revealed that the demanded ransom payment was significantly less than $1 million USD.”
Conti is no longer with us, but the operation continues.
While the Conti ransomware brand is no longer active, the cybercrime organization will continue to play an important role in the ransomware sector for some time.
Rather than rebranding as another large ransomware operation, Boguslavskiy told BleepingComputer that the Conti leadership has partnered with other, smaller ransomware gangs to carry out attacks.
The smaller ransomware gangs benefit from an influx of skilled Conti pentesters, negotiators, and operators as a result of this relationship. By dividing into smaller “cells,” all of which are supervised by central leadership, the Conti cybercrime syndicate gains greater mobility and makes it harder for law enforcement to track it.
Conti has cooperated with a number of well-known ransomware operations, including HelloKitty, AvosLocker, Hive, BlackCat, BlackByte, and others, according to the Advanced Intel research.
Existing Conti members, who include negotiators, intelligence analysts, pentesters, and developers, are scattered across different ransomware operations. While these members now use the encryptors and negotiation sites of other ransomware operations, they remain part of the larger Conti cybercrime gang.
The graphic below, supplied by Advanced Intel, depicts this splintering into smaller semi-autonomous and autonomous groupings.
Advanced Intel further claims that new autonomous Conti groups have been formed that focus solely on data exfiltration rather than data encryption. Karakurt, BlackByte, and the BazarCall collective are among these groups.
These actions allow the existing cybercrime ring to continue operating, but without the Conti moniker.
A poisonous brand
Conti’s rebranding comes as little surprise to researchers and journalists who have followed the group in recent months, if not years.
The Conti ransomware operation began in the summer of 2020, taking over the position previously held by the Ryuk ransomware.
Like Ryuk, Conti was distributed through partnerships with other malware operations such as TrickBot and BazarLoader, which gave the ransomware gang initial access to victim networks.
Over time, Conti grew into the world’s largest ransomware operation, eventually transforming into a criminal syndicate after taking over TrickBot, BazarLoader, and Emotet.
Over its lifetime, Conti was responsible for a number of attacks, including those against the City of Tulsa, Broward County Public Schools, and Advantech.
After attacking Ireland’s Health Service Executive (HSE) and Department of Health (DoH) and shutting down the country’s IT services for weeks, they attracted worldwide media attention.
The ransomware gang eventually issued a free decryptor to Ireland’s HSE, but by then it was already in the sights of law enforcement agencies around the world.
However, it wasn’t until Conti publicly supported Russia’s invasion of Ukraine that the Conti brand became extremely toxic, sealing the operation’s demise.
After Conti sided with Russia, a Ukrainian security researcher began publishing over 170,000 internal Conti ransomware gang chat messages as well as the Conti ransomware encryptor source code.
Once the source code became public, other threat actors began using it in their own attacks, with one hacking group deploying the Conti encryptor against Russian businesses.
According to US authorities, Conti is one of the costliest ransomware strains ever created, with thousands of victims and over $150 million in extortion payments.
The exploits of the Conti ransomware group have prompted the US government to offer a reward of up to $15 million for the identification and location of Conti leaders.