The Conti ransomware operation has finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand.
According to threat intel analyst Ido Cohen, Conti’s servers were shut down on Wednesday and BleepingComputer has confirmed they are still offline as of today.
In May, BleepingComputer first reported that Conti had started to shut down their operations, telling members that the brand was no more and decommissioning internal infrastructure, including communication and storage servers.
However, Conti left one member behind to continue leaking data and taunting Costa Rica to create a facade of a running operation while its members quietly moved to other ransomware gangs.
"The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived," explains a May report by Advanced Intel.
Even though they were pretending to still be active, the ransomware operation was not performing any further attacks, and the data leaked by this remaining Conti member was from older attacks.
To confuse researchers and law enforcement, even more, this Conti member released the same victim's data on both their site and Hive's data leak site, where he is also an affiliate.
Ultimately, this was just a charade with the rest of the Conti ransomware infiltrating or even taking over other ransomware operations.
A notorious ransomware gang
Conti is a Russian ransomware operation that launched in the summer of 2020 after taking the place of the Ryuk ransomware.
Since then, Conti was involved in numerous high-profile attacks, including those against the City of Tulsa, Broward County Public Schools, and Advantech.
However, it wasn't until they attacked Ireland's Health Service Executive (HSE) and Department of Health (DoH), shutting down the IT systems of the country for weeks, that they gained notoriety.
One of their biggest hacking sprees occurred between November 17 and December 20, 2021, when Conti members breached more than 40 organizations.
Over time, Conti grew into an actual cybercrime syndicate, taking over the development of a variety of malware operations, including TrickBot and BazarBackdoor.
After siding with Russia over its invasion of Ukraine, a Ukrainian security researcher leaked over 170,000 internal chat conversations belonging to the gang, along with the source code for the Conti ransomware encryptor.
This was an embarrassing moment for the elite hacking group, who found their internal private conversations exposed to law enforcement and security researchers, who quickly began to analyze the wealth of data.
To make matters worse for the gang, other security researchers, and some suspect Ukrainian law enforcement, began doxing Conti/TrickBot members on Twitter and conversations, addresses, social media accounts, and more.
Due to this, it was only a matter of time until they ceased operating.
Conti is gone but not really
It may seem like the Conti operation has shut down, but Advanced Intel's Yelisey Boguslavskiy told BleepingComputer that only the 'Conti' brand has shut down while the cybercrime syndicate continues to operate.
The gang members are now split into smaller cells that infiltrated other ransomware operations or took over existing ones. However, these members are still loyal to the syndicate, which is operated by a small group of managers.
By spreading the members among multiple groups, it prevents the whole operation from being taken down if a single cell is apprehended or a ransomware gang is shut down by law enforcement.
Instead, the members move from one operation to another as necessary while taking advantage of the pentesters, developers, and programmers that are part of the syndicate.
Some of the ransomware gangs known to now include old Conti members include Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revitalized, Quantum operation.
Other members have launched their own data extortion operations that do not encrypt data, such as Karakurt, BlackByte, and the Bazarcall collective.
Therefore, businesses must remain vigilant and practice good cybersecurity habits, as the Conti threat actors are still actively targeting victims worldwide, simply under different operations.
Comments
Pentester - 2 years ago
Why does this otherwise good article refer to criminal hackers as "pentesters"?
Actual pentesters have been frustrated for years by being called "hackers", as it is the same term used for criminals.
Now we're going to describe criminals as "pentesters" too?!
Hackers = criminals
Penetration Testers = authorized security testers
Come on, it's not hard!