Conti ransomware brand is dead, but gang restructures: Report

Share post:

The Conti ransomware gang’s brand is dead. That’s the conclusion of researchers at Advanced Intelligence. Its infrastructure related to negotiations, data uploads, and hosting of stolen data has been shut down. However, before you start celebrating, the researchers say the gang has dispersed and is operating under a number of smaller brands. This is part of a calculated scheme that started two months ago when the gang expressed support for Russia’s invasion of Ukraine. That, the researchers argue, made the Conti brand toxic to cyber intelligence agencies and organizations the gang hit. Since then almost no ransom payments have been made to the group. Its locker code became highly detectable by IT defenders and was rarely deployed. The AdvIntel researchers argue that Conti’s backing of Russia violated an unwritten rule of threat actors: Don’t get involved in politics. One gang member allegedly was so angered that they leaked private Conti chat messages. And it didn’t help that on May 6th, the U.S. offered rewards of up to US$10 million for information leading to the takedown of the Conti group. The highly-publicized attack on government agencies of Costa Rica was a diversion while it restructured, say AdvIntel researchers. What next? Conti is adopting a network organizational structure, says AdvIntel, one that is more horizontal and decentralized than its previously rigid hierarchy. “This structure will be a coalition of several equal subdivisions, some of which will be independent, and some existing within another ransomware collective. However, they will all be united by internal loyalty to both each other and the Conti leadership.” Type 1. Fully autonomous partners: These are pure data-stealing groups. They include the Karakurt, BlackBasta and BlackByte gangs. For a backgrounder on the BlackByte gang see this analysis by Cisco Systems; Type 2: Semi-autonomous partners: These act as Conti-loyal collective affiliates within other collectives in order to use their ransomware locker: These include the AlphV/BlackCat, Hive, HelloKitty/FiveHands and AvoisLocker gangs; Type 3:Independent affiliates: These are individuals who may do the actual initial hack of an organization but are loyal to Conti; Type 4: Mergers & Acquisitions: These are small threat actor groups the Conti leadership infiltrates and consumes entirely, keeping the small brand’s name. The small group’s leader loses independence, but receives a massive influx of manpower, while Conti gets a new subsidiary group. This structure is different from the Ransomware-as-a-Service model, says AdvIntel, since this network does not seem to be accepting new members. Moreover, the researchers say, unlike RaaS, this model seems to value operations being executed in an organized, team-led manner. Finally, all the members know each other very well personally and are able to leverage these personal connections and the loyalty that comes with them. What does this mean for IT defenders? Not much. It’s still vital to perform cybersecurity basics to protect against any cyber attack:
  • inventory and triage hardware and software so vital devices and applications can be patched as soon as security updates are available;
  • have all staff enrolled in multifactor authentication as an extra step to protect logins; ensure staff and partners only have access to data and systems they need;
  • segment data and networks;
  • encrypt sensitive data at rest and in transit; have one copy of backup data saved offline and off-site;
  • test backup and recovery procedures to make sure they work and staff know what to do;
  • have an incident response plan that is regularly tested.
For more advice see the reports of the Ransomware Task Force, the Canadian Centre for Cyber Security’s ransomware resource pages and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware web site. Meanwhile, the CISA announced Friday it plans to soon convene a Joint Ransomware Task Force as mandated under a recently-passed federal law. It would be co-chaired by the CISA and the FBI. When fully implemented, the legislation will require critical infrastructure companies to report to the federal government any substantial cybersecurity incidents within 72 hours or ransom payments within 24 hours. The U.S. Justice Department also said it will increase work to crack down on illegal cryptocurrency transactions and work closer with other countries to prosecute threat actors. The post Conti ransomware brand is dead, but gang restructures: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, March 22, 2023 – ChatGPT4 is out, poorly-protected Linux servers are exploited, and more

ChatGPT4 is out, poorly-protected Linux servers are exploited, and more. Welcome to Cyber Security Today. It’s Wednesday, March 22nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for and in the U.S. The new version of ChatGPT has been released. But if you were hoping that version 4 has made this tool safer

Only 9 per cent of Canadian firms are cyber mature: Cisco report

Only 15 per cent of companies around the world would have a mature cyber readiness, according to survey

Ferrari notifies customers of ransom demand

Exclusive car maker says some client contact information exposed in cy

Government backs down on document demand from Google, Facebook

Change meets criticism that demand for external communications is an invasion

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways