Ransomware gangs "die" only to resurrect stronger and become harder for law enforcement to trace. Does Conti's disappearance mean we should expect a grand comeback soon or are they gone for good?
Before disappearing, Conti went on a spree. Reports show that the gang attacked around two companies per day, with its victim list exceeding 1,000 organizations.
In May, the group was proclaimed dead. The official website for Conti ransomware was shut down, signaling that the notorious group is disbanding, claimed Yelisey Boguslavskiy, Head of Research at the threat and loss prevention firm Advintel.
But you don't exactly see fireworks to celebrate the breakup of one of the most active Ransomware-as-a-service (RaaS) gangs. Extortion groups are masters of disguise and will undoubtedly be back, just as happened with REvil.
I sat down with Jamie Moles, Senior Technical Manager at the cybersecurity company ExtraHop, to learn more about Conti's disappearance and whether it could be a cause for celebration or worry.
Do you have any more clues pointing to Conti's "shutdown"?
This isn't the first time a ransomware gang has claimed to close up shop after catching heat, only to emerge in new forms and under new branding. They have taken down their infrastructure, and the Tor admin panels used by members to perform negotiations and publish updates on their data leak site are offline. However, there has already been speculation that Conti, which was known to be a large and sophisticated organization, has been spinning off subsidiaries. Now the industry, including our threat research team, will need to monitor future breach tactics and techniques to identify behaviors from the Conti playbook. This could alert us to Conti gang members working for or with new partners or subsidiaries.
Did the fact that it was a blend of Ukrainian and Russian criminals, given the war in Ukraine, contribute to the "shutdown"?
From our perspective, the international conflict between Russia and Ukraine fueled Conti's activity rather than bringing their operations to a standstill.
Successful criminal enterprises rarely allow themselves to be held back by concepts like patriotism, and during uncertain times, such as Ukraine is seeing now, law enforcement is drastically reduced and focused on other, more tangible targets. Cross-border criminal gangs – so long as they can continue to agree on terms – will benefit from the chaos of war and potentially make increased profits due to not having to worry so much about being caught.
The war could even be seen to be shielding Conti and providing them with an opportunity to restructure their operations, develop and maintain relationships with other ransomware gangs and take some time to perform research and development on new attack methodologies and supporting infrastructure.
Expect a resurgent Conti at some point in the coming 12 months – perhaps even under a new name.
Was this something that we could foresee after the Conti leaks? Did it inflict enough damage for the gang to disperse?
Though many had hoped the leaks would be a 'nail in the coffin' for Conti, we saw that they bounced back quite quickly, with experts showing the group was successfully executing data breaches a mere 10 days post-leak. While the leak may have created internal doubts for some of the group's members, we've seen the Conti gang at large remain nimble by reorganizing, forging alliances, and recruiting new members.
What's next – a new, even more dangerous and evolved ransomware gang taking Conti's place?
It's possible that a new ransomware group will emerge in Conti's place and might even be backed by former members of the original group. Right now, it's likely that Conti members might be using this time out of the public eye to support other ransomware groups, joining them while researching and developing new tools and tactics. They could potentially resurface as their own entity again or remain dispersed throughout rebranded subsidiaries. Regardless of where or who the ransomware might come from, the shutdown signals a potential shift in their attack strategies, which is a daunting thought.
It took half a year for REvil to come back. So it probably won't be too long until Conti's operators emerge with something new?
We don't believe it will take long for Conti's operators to emerge with something new, as there's already been speculation that Conti has been spinning off subsidiaries. When ransomware groups disband, they rarely fully go away. The leaks illustrated that Conti was a well-structured organization with various players involved, including an admin team, coders, and even a human resources department. With this in mind, it's likely that the same actors will re-emerge after the group undergoes organizational changes.