Threat analysts have presented fresh intelligence suggesting that the apparent shutdown of the notorious Conti ransomware cyber crime syndicate – news of which began to emerge on Friday 20 May – was self-inflicted and that the gang pulled the plug itself in the wake of a series of missteps that made it too toxic to continue.
Yelisey Bogusalvskiy and Vitali Kremez of AdvIntel, who have been tracking Conti closely throughout its eventful life, were among the first to observe the shutdown on 19 May, when the administration panel of the collective’s infamous Conti News website, and its negotiation service site, went down, followed swiftly by the rest of its infrastructure relating to negotiations, data hosting and so on.
In a final message posted to the Conti News site, the gang threatened the government of Costa Rica – which has declared a national emergency due to an ongoing Conti attack – and declared the USA a “cancer on the body of the earth”.
In an in-depth report published at the weekend, Bogusalvskiy and Kremez said this message was “strikingly different” from the gang’s previous statements, which are usually written in well-edited English. They suggested this means that the public side of the group’s operations is no longer being taken seriously by its leaders.
“This shutdown highlights a simple truth that has been evident for the Conti leadership since early spring 2022 – the group can no longer sufficiently support and obtain extortion. The blog’s key and only valid purpose is to leak new datasets, and this operation is now gone,” they wrote.
“This was not a spontaneous decision, instead, it was a calculated move, signs of which were evident since late April. Two weeks ago, on May 6, AdvIntel explained that the Conti brand, and not the organisation itself, was in the process of the final shutdown. As of 19 May 2022, our exclusive source intelligence confirms that today is Conti’s official date of death,” they added.
Ukraine invasion was the beginning of the end
In their report, Bogusalvskiy and Kremez revealed how the Conti collective’s statement of support for Russia’s invasion of Ukraine may have been the point at which its operation began to become untenable.
The statement, made shortly after the initial invasion of Ukraine on 24 February, prompted a damaging leak of the gang’s internal data by disgruntled affiliates, providing threat analysts and law enforcement with a treasure trove of information on Conti.
Critically, they added, its alignment with Russian aggression also cut its main income source off overnight – since February, virtually no payments have been made to the gang.
Bogusalvskiy and Kremez suggested this was because, suddenly, any ransom payment made to Conti could potentially have been made to a sanctioned individual, in violation of the US’ Office of Foreign Asset Control (Ofac) regulations. Therefore, those who might before have been inclined to pay a ransom were suddenly more inclined to risk not paying and losing their data than causing themselves a compliance headache by dealing with a Russian entity.
In light of this, they said, it was little surprise that Conti’s frontman, who goes by the handle “reshaev”, took the decision to retire the brand.
However, the process of retiring one of the most iconic ransomwares is complex and somewhat fraught. It is not, Bogusalvskiy and Kremez argued, really possible for such a high-profile group to discontinue its own operations and resurface shortly afterwards without tainting its future reputation in the cyber criminal underground. Others such as REvil and DarkSide have tried this and failed.
The shutdown operation appears to have been carefully orchestrated, with the collective creating subgroupings using existing Conti alter egos and malwares, or creating new ones, which ensured that the gang’s affiliates would be able to reemerge ahead of Conti’s official shutdown.
Dead man walking
These lifeboats launched, Conti’s leadership then appeared to stage an elaborate deception, essentially giving the collective the appearance of being alive and well and bouncing back from the leaks.
This activity seems to have included publishing previously stolen documents and being generally loud and obnoxious in all the right places. The masterstroke, however, seems to have been the attack on the systems of the government of Costa Rica, which began in April. It now appears that this attack may have been a last hurrah for Conti, going out in a blaze of mainstream publicity by hijacking and extorting its biggest target yet – a whole country.
Citing AdvIntel’s own adversarial visibility and intelligence operations, Bogusalvskiy and Kremez now believe that Conti’s goal with the Costa Rica attack was to gain as much publicity as possible, and that they purposely set a relatively low ransom demand in the knowledge that they weren’t expecting to get paid.
“In our pre-and-post attack investigation, we have found the agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership,” they said.
“The attack on Costa Rica brought Conti into the spotlight and helped them to maintain the illusion of life for just a bit longer, while the real restructuring was taking place.”
Who’s next?
The researchers went on to explore what may lie ahead for the members of Conti, suggesting the group will now adopt a more networked, decentralised structure – effectively a coalition of different operations united by internal brand loyalty and personal connections.
Some of these groups are already operational, and are thought to include BlackBasta, BlackByte and Karakurt, which are focused on data theft and extortion rather than on data encryption and may have a high degree of autonomy; AlphV/BlackCat, AvosLocker, HelloKitty/FiveHands and HIVE, which are thought to be Conti-loyal affiliates working with other groups; some independent affiliates which remain loyal to Conti; and some groups that Conti has effectively infiltrated and taken over – AdvIntel is not currently naming any operations within the latter two groupings.
“This model is more flexible and adaptive than the previous Conti hierarchy but is more secure and resilient than RaaS [ransomware-as-a-service],” said Bogusalvskiy and Kremez.
“Within the short but tumultuous timeline of ransomware’s history, 19 May 2022, the day that Conti died, will leave a mark that severs the threat landscape from its past and casts a shadow on its future. However, in the grand scheme of the group’s existence, this day is not something new,” they wrote.
“The actors that formed and worked under the Conti name have not, and will not, cease to move forward with the threat landscape – their impact will simply leave a different shape.”