<h1>Did the Conti ransomware crew orchestrate its own demise?</h1>
<p>Published 23 May 2022, 07:15, at <a href="https://cloudnewshub.com/?p=36360">cloudnewshub.com</a>.</p>

<p>Threat analysts have presented fresh intelligence suggesting that the apparent shutdown of the notorious Conti <a href="https://www.techtarget.com/searchsecurity/definition/ransomware">ransomware</a> cyber crime syndicate – news of which began to emerge on Friday 20 May – was self-inflicted, and that the gang pulled the plug itself in the wake of a series of missteps that made it too toxic to continue.</p>

<p>Yelisey Bogusalvskiy and Vitali Kremez of <a href="https://www.advintel.io/">AdvIntel</a>, who have been tracking Conti closely throughout its eventful life, were among the first to observe the shutdown on 19 May, when the administration panel of the collective’s infamous Conti News website and its negotiation service site went down, followed swiftly by the rest of its infrastructure for negotiations, data hosting and other functions.</p>

<p>In a final message posted to the Conti News site, the gang threatened the government of Costa Rica – which has declared a national emergency due to an ongoing Conti attack – and declared the USA a “cancer on the body of the earth”.</p>

<p><a href="https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape">In an in-depth report published at the weekend</a>, Bogusalvskiy and Kremez said this message was “strikingly different” from the gang’s previous statements, which are usually written in well-edited English. They suggested this indicates that the public side of the group’s operations is no longer being taken seriously by its leaders.</p>

<p>“This shutdown highlights a simple truth that has been evident for the Conti leadership since early spring 2022 – the group can no longer sufficiently support and obtain extortion. The blog’s key and only valid purpose is to leak new datasets, and this operation is now gone,” they wrote.</p>

<p>“This was not a spontaneous decision; instead, it was a calculated move, signs of which were evident since late April. Two weeks ago, on May 6, AdvIntel explained that the Conti brand, and not the organisation itself, was in the process of the final shutdown. As of 19 May 2022, our exclusive source intelligence confirms that today is Conti’s official date of death,” they added.</p>

<h3>Ukraine invasion was the beginning of the end</h3>

<p>In their report, Bogusalvskiy and Kremez revealed how the Conti collective’s statement of support for Russia’s invasion of Ukraine may have been the point at which its operation began to become untenable.</p>

<p>The statement, made shortly after the initial invasion of Ukraine on 24 February, <a href="https://www.techtarget.com/searchsecurity/news/252514047/Conti-ransomware-source-code-documentation-leaked">prompted a damaging leak of the gang’s internal data by disgruntled affiliates</a>, providing threat analysts and law enforcement with a treasure trove of information on Conti.</p>

<p>Critically, they added, its alignment with Russian aggression also cut off its main income source overnight – since February, virtually no payments have been made to the gang.</p>

<p>Bogusalvskiy and Kremez suggested this was because any ransom payment made to Conti could suddenly end up with a sanctioned individual, in violation of the US Office of Foreign Assets Control (Ofac) regulations. Victims who might previously have been inclined to pay a ransom were therefore more willing to risk not paying and losing their data than to create a compliance headache for themselves by dealing with a Russian entity.</p>

<p>In light of this, they said, it was little surprise that Conti’s frontman, who goes by the handle “reshaev”, took the decision to retire the brand.</p>

<p>However, the process of retiring one of the most iconic ransomware brands is complex and somewhat fraught. It is not, Bogusalvskiy and Kremez argued, really possible for such a high-profile group to discontinue its own operations and resurface shortly afterwards without tainting its future reputation in the cyber criminal underground. Others such as REvil and DarkSide have tried this and failed.</p>

<p>The shutdown operation appears to have been carefully orchestrated, with the collective creating subgroups from existing Conti alter egos and malware families, or building new ones, so that the gang’s affiliates could re-emerge ahead of Conti’s official shutdown.</p>

<h3>Dead man walking</h3>

<p>These lifeboats launched, Conti’s leadership then appeared to stage an elaborate deception, <a href="https://www.computerweekly.com/news/252516233/Whats-up-with-Conti-and-REvil-and-should-we-be-worrying">essentially giving the collective the appearance of being alive and well</a> and bouncing back from the leaks.</p>

<p>This activity seems to have included publishing previously stolen documents and being generally loud and obnoxious in all the right places. The masterstroke, however, seems to have been <a href="https://www.theguardian.com/world/2022/may/12/costa-rica-national-emergency-ransomware-attacks">the attack on the systems of the government of Costa Rica</a>, which began in April. It now appears that this attack may have been a last hurrah for Conti, going out in a blaze of mainstream publicity by hijacking and extorting its biggest target yet – a whole country.</p>

<p>Citing AdvIntel’s own adversarial visibility and intelligence operations, Bogusalvskiy and Kremez now believe that Conti’s goal with the Costa Rica attack was to gain as much publicity as possible, and that the gang deliberately set a relatively low ransom demand, knowing it did not expect to be paid.</p>

<p>“In our pre-and-post attack investigation, we have found the agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership,” they said.</p>

<p>“The attack on Costa Rica brought Conti into the spotlight and helped them to maintain the illusion of life for just a bit longer, while the real restructuring was taking place.”</p>

<h3>Who’s next?</h3>

<p>The researchers went on to explore what may lie ahead for the members of Conti, suggesting the group will now adopt a more networked, decentralised structure – effectively a coalition of different operations united by internal brand loyalty and personal connections.</p>

<p>Some of these groups are already operational. They are thought to include BlackBasta, BlackByte and Karakurt, which focus on data theft and extortion rather than on data encryption and may have a high degree of autonomy; <a href="https://www.computerweekly.com/news/252513488/BlackCat-ransomware-gang-claims-responsibility-for-Swissport-attack">AlphV/BlackCat</a>, AvosLocker, HelloKitty/FiveHands and HIVE, which are thought to be Conti-loyal affiliates working with other groups; some independent affiliates that remain loyal to Conti; and some groups that Conti has effectively infiltrated and taken over. AdvIntel is not currently naming any operations within the latter two groupings.</p>

<p>“This model is more flexible and adaptive than the previous Conti hierarchy but is more secure and resilient than RaaS [ransomware-as-a-service],” said Bogusalvskiy and Kremez.</p>

<p>“Within the short but tumultuous timeline of ransomware’s history, 19 May 2022, the day that Conti died, will leave a mark that severs the threat landscape from its past and casts a shadow on its future. However, in the grand scheme of the group’s existence, this day is not something new,” they wrote.</p>

<p>“The actors that formed and worked under the Conti name have not, and will not, cease to move forward with the threat landscape – their impact will simply leave a different shape.”</p>