Threat Watch

Conti Ransomware Shuts Down and Rebrands

According to multiple security researchers, including Advanced Intel’s Yelisey Boguslavskiy, the Conti ransomware group has stopped all operations. The group’s public facing website is still available and still includes information on it, but according to Boguslavskiy, the Tor administrative panels used by members to perform negotiations and publish “news” on their data leak site are now offline. According to Boguslavskiy, the group performed an attack on Costa Rica as a way cover the traces of other Conti members migrating to smaller ransomware groups. “The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD)” stated Advanced Intel. The group’s members have allegedly partnered with numerous well-known ransomware operations, including HelloKitty, AvosLocker, Hive, BlackCat, BlackByte, and more. Conti is considered one of the costliest groups in ransomware according to the US government and even yielded a $15,000,000 bounty for information leading to the location of high-level members.

ANALYST NOTES

After siding with Russia when their war with Ukraine began, a Ukrainian researcher leaked chats from the group along with their source code, which was then used by other threat actors to target Russian entities. There are many different ransomware groups targeting victims in every vertical. When a major group such as Conti decides to disband, it usually is only a matter of a few weeks before a smaller group will begin to make a bigger name for itself. New groups with some Conti members are also being seen that are only focusing on data exfiltration and not on data encryption.

https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/