The well-known ransomware gang Conti has apparently taken its infrastructure offline and ceased operations. The gang members, who are currently involved in a ransomware campaign against Costa Rica, are believed to have formed alliances with other, smaller groups as a way to rebrand. The increased attention from US law enforcement agencies, which has resulted in a reward of $15 million for information about the criminals behind Conti, is considered one of the main drivers behind this move.
Conti’s departure marks “a truly historic day in [cybersecurity] community”, according to Elisei Boguslawski, a researcher at the security company AdvIntel. The gang has been active since 2020 and has been a thorn in the side of public sector organizations around the world, most notably hitting the Irish healthcare system in 2021, before launching its ongoing attacks on Costa Rica last month.
Boguslawski noted that some of the online infrastructure remained, like the older version of the victims’ blog, but that “internal panels and hosts are down.”
Why did Conti stop?
Conti’s heightened recklessness had signalled to cybersecurity researchers that the gang may be planning big changes, so today’s news came as no surprise. Its actions in the Costa Rican attack reflect this, with the gang increasing its ransom demand and threatening to overthrow the government if it is not appeased.
“Conti is likely to have many other ‘side crimes’ in the cybercrime scene, including Karakurt’s data extortion group and the new BlackBasta gang,” Louise Ferret of Searchlight Security told Technical Monitor earlier this month. “The group may be less concerned about ‘burning’ Conti’s identity if it already has these alternative revenue streams.”
Last month, Conti appears to have pledged support for Russia’s invasion of Ukraine before quickly withdrawing it after criticism from other hackers. But its actions came too late to stop pro-Ukrainian hacktivists from leaking information about the group online.
Today’s news is “an interesting development that was foreshadowed by the fact that Conti’s behavior is becoming increasingly reckless – even by the gang’s ransom standards,” Ferret said.
She added: “I would say that the main reasons why they will be ‘disbanded’ – although in fact a rebranding – are the increasing attention of US law enforcement ($15 million prize) and ongoing PR scandals and OPSEC failures they have experienced over the past year, including the expiration of their internal manual and training tools last year, plus the more recent extensive leaks of their internal chats, damaging their reputation in the world of cybercrime.”
What happens to Conti hackers after the group closes?
AdvIntel suggested the operation in Costa Rica was staged to disguise the gang's transition to multiple, smaller gangs. “The only goal Conti wanted to achieve with this latest attack was to use the platform as a tool for publicity, carrying out its own death and subsequent rebirth in the most plausible way imaginable,” the company said. It remains to be seen whether today’s news will affect negotiations with the Costa Rican government, which has so far refused to pay the ransom demanded.
Both Karakurt and BlackBasta were highlighted as possible new Conti partner groups, as well as other active groups such as Hive, HelloKitty, BlackCat, AvosLocker, BlackByte and BazarCall Collective.
Evidence that Conti acted through other, smaller gangs first came to light in February, when the San Francisco 49ers American football team was hit by a ransomware attack over the Super Bowl weekend, believed to have come from the hacker gang BlackByte. However, the evidence seems to show that BlackByte is not a real gang, but “was created solely to maximize the extortion of Conti’s money,” AdvIntel researchers said.
Ferret says it is not yet clear which of these groups are true branches of Conti. “Most people are pretty sure that the Karakurt group is a contingent of data theft on Conti,” she said. “There has been speculation about BlackBasta being a successor to Conti, for good reason, but this has been challenged by Conti themselves, who have disregarded BlackBasta as ‘kids.’”
She also believes that the gang could re-form despite today’s developments. “I think it is possible that Conti will create an entirely new identity instead of trying to develop one of its supposed subgroups.”
Ransomware gang Conti ‘shuts down’ in midst of Costa Rica attack