Former Conti Actors Remain Active in Cybercrime Underworld

Former Conti actors remain active in the cybercrime underworld following the group’s announcement that it stopped operations in May this year. This is according to a new report by Intel 471, which analyzed the activities of former Conti-affiliated actors in the past two months.

In February 2022, a vast amount of internal chat data from the notorious ransomware outfit was leaked by a Ukrainian researcher after the group released an aggressively pro-Russia statement in the wake of the invasion of Ukraine. This provided detailed insights into Conti’s operations.

Subsequently, the ransomware gang, responsible for numerous high-profile attacks in recent years, officially shut down its operation, with its infrastructure taken offline.

Now, Intel 471 researchers have tracked the paths taken by former gang members since May, observing them “splinter and move in different directions within the cybercrime underground.” This includes becoming independent contractors or small syndicates, utilizing skills and schemes previously used by Conti, such as network access or data theft. Others appear to be working with other Ransomware-as-a-Service (RaaS) groups, “building upon individual relationships that were cultivated during Conti’s existence.”

Intel 471 stated: “Whatever path former Conti-affiliated actors have chosen, they are still focused on making profits and staying out of law enforcement custody, as they move past the information leaks and subsequent media attention of the last few months.”

The researchers have observed signs of overlap between several ransomware gangs and Conti regarding the tactics, techniques and procedures (TTPs) used. This is particularly in areas like data leak blogs, payment sites, recovery portals, victim communications and negotiation methods, suggesting these groups may have become rebranded Conti operations.

These include the Black Basta ransomware gang, which started operations a month before Conti’s shutdown; BlackByte, which has been active since August 2021; and Karakurt, a group primarily responsible for data theft and extortion schemes. In the latter case, Intel 471 researchers found the two groups used the same attacker hostname and exfiltration and remote access methods. Additionally, they observed cryptocurrency transfers between wallets tied to Karakurt and Conti.

Intel 471 also expects other Conti operators will bring their skills to other RaaS groups “to distance themselves from Conti’s perceived pro-Russian stance.”

The report concluded: “The ContiLeaks were a mortal blow to the Conti group, exposing enough information to make the group’s continued operation untenable. Yet even with the leaks, there were steps Conti took that enabled the ransomware group to remain resilient and continue parts of its operation. Intel 471 believes it is highly likely the most prolific members of the group will continue to operate, successfully conducting illicit cyber activity. Furthermore, once the negative media attention dissipates, it is probable that Conti operators will seek to regroup into an organization similar to the structure it once held.”

What’s hot on Infosecurity Magazine?