May 24, 2022

Conti Group shuts down its operations

Industry: N/A | Level: Strategic | Source: AdvIntel

AdvIntel, well known for tracking Conti activity, has discovered the shutdown of Conti's ransom operations after critical ransom features were found to have been removed from the infamous Conti News blog. Key aspects of the still-active blog have been deactivated: “the crucial operational function of Conti News which was to upload new data in order to intimidate victims to pay is defunct, as all the infrastructure related to negotiations, data uploads, and hosting of stolen data was shut down.” These features appear to have started shutting down on May 19th, 2022, with Conti's leadership having seen the end coming: “this shutdown highlights a simple truth that has been evident for the Conti leadership since early Spring 2022 – the group can no longer sufficiently support and obtain extortion.” Conti was prepared for this moment and used the attack on Costa Rica as publicity, a cover for the shutdown rather than a genuine ransom attempt.

Conti's preparation for the end is an ominous warning that the Conti threat remains despite the shutdown. The Conti leaks reveal the organizational structure from which the group operates, and its transition to a “network organizational structure, more horizontal and decentralized,” allows members to disperse and operate within sub-groups with different goals. AdvIntel outlines four group types through which Conti's operations could continue. Type one is an autonomous group whose goal is data theft without the need for a ransomware locker; this includes groups such as Karakurt, BlackBasta, and BlackByte. Type two is collaboration with other known ransomware groups such as AlphV/BlackCat, HIVE, HelloKitty/FiveHands, and AvosLocker, working in a “semi-autonomous” manner. Type three is affiliates choosing to work individually. Type four is “mergers & acquisitions,” with Conti members infiltrating smaller groups and spreading their influence and expertise from within.
AdvIntel's final warning concerns “the transition from data encryption to data exfiltration,” observed particularly in the Karakurt and BlackByte groups. “In a nutshell, relying on pure data exfiltration maintains most major benefits of a data encryption operation, while avoiding the issues of a locker altogether. Most likely, this will become the most important outcome of Conti's re-brand.”