Danger sign on screen showing Conti ransomware becoming smaller ransomware groups

Conti Ransomware Group Voluntarily Shuttered, but Members Expected to Splinter off To Smaller Groups

At the seeming height of its success, the Conti ransomware group has chosen to disband and has taken its infrastructure offline. It is unclear if there was any coordinated law enforcement pressure on the group, but the move appears to be voluntary with leaders instructing team members to split themselves off into smaller groups.

The move comes amidst the gang’s notorious ransom of the Costa Rican government, which one security researcher claims was an intentional smokescreen to cover the reorganization into smaller ransomware groups.

Another one down (sort of) as Conti ransomware gang folds its tent

The information comes from Advanced Intel security researcher Yelisey Boguslavskiy, who was able to access internal Conti messages and has been posting updates about the group’s movements on Twitter. Boguslavskiy reports that the ransom negotiation and data leak pages remain online as the group is in the midst of extorting a number of victims, but the rest of the Conti ransomware infrastructure (such as Tor administration panels and chat servers) has been taken down.

The group would appear to be abandoning ship right in the midst of a crippling attack on the government of Costa Rica, which has seen it compromise multiple government agencies and limit a number of the country’s financial services. Boguslavskiy contends that, from the beginning, the entire attack on Costa Rica was a smokescreen to facilitate the group’s reorganization. The group’s grandiose talk of starting a revolution in the country and overthrowing the government was apparently accompanied by a secret plan to exit the situation by eventually settling for a ransom of less than $1 million, far below the $20 million it recently called for.

While dragging this process out, the leaders of the Conti ransomware gang were privately having members filter out to smaller ransomware groups. This appears to be a bid to formally put an end to the public “Conti” name while reorganizing in a way that makes the operation more agile and able to evade law enforcement pursuit. In return for becoming “cells” in the newly reformed Conti system, these smaller ransomware groups get the benefit of the more experienced Conti personnel working with them. These include software developers, penetration testers, negotiators and intelligence analysts.

Some of the groups that the Conti ransomware specialists are joining up with (Bazarcall, BlackByte, Karakurt) are cutting the “ransomware” bit out of ransomware attacks. They simply exfiltrate sensitive data and threaten to publicly leak it.

“Cells” of smaller ransomware groups carry on Conti activities

It would have been baffling if the Conti ransomware gang had voluntarily gone dark without the sort of serious international law enforcement pressure that split up predecessors DarkSide and REvil. The group instead seems to have learned lessons from those examples, getting out ahead of the attention that being the biggest of the ransomware groups inevitably brings.

Conti ransomware first appeared in 2020, with members believed to have come from the group behind Ryuk. The group took the pole position among ransomware groups after DarkSide and REvil were scattered by law enforcement due to their brazen attacks on critical infrastructure companies. Conti developed a reputation for the ruthless targeting of schools and hospitals with minimal IT defenses, successfully penetrating the Irish Health Service Executive (HSE) and Department of Health (DoH) and causing damage that took weeks to remediate. The group also hit a major health care provider in Canada, the Scottish Environment Protection Agency, and photo service Shutterfly among an estimated tally of about 500 victims.

The group had already been under an elevated level of fire since it declared support for Russia early in the invasion of Ukraine. This drew the attention of Ukrainian security researchers, who were able to penetrate the group’s chat server in late February and leak tens of thousands of internal messages that described its operational structure and techniques. The source code for the Conti ransomware was also leaked.

Researchers believe the reorganization plan began in March, not long after the leaks happened. Members have been slowly and gradually migrating to other ransomware groups (referred to as “collective affiliates”) in an attempt to stay below the radar. The one major change that it brings is that Conti ransomware will seemingly no longer be available on a “ransomware as a service” basis, something that allowed lower-skilled cyber criminals to take advantage of it. The smaller ransomware groups that members are joining operate independently, but presumably will be taking up some variant of the Conti ransomware going forward. Modification and branches of the malware used are very likely given that the leak of the source code made it easier for automated security defenses to detect it.