The Conti ransomware gang’s brand is dead. That’s the conclusion of researchers at Advanced Intelligence.
Its infrastructure related to negotiations, data uploads, and hosting of stolen data has been shut down.
However, before you start celebrating, the researchers say the gang has dispersed and is operating under a number of smaller brands.
This is part of a calculated scheme that started two months ago when the gang expressed support for Russia’s invasion of Ukraine. That, the researchers argue, made the Conti brand toxic to cyber intelligence agencies and organizations the gang hit. Since then almost no ransom payments have been made to the group. Its locker code became highly detectable by IT defenders and was rarely deployed.
The Advanced Intelligence (AdvIntel) researchers argue that Conti’s backing of Russia violated an unwritten rule of threat actors: don’t get involved in politics. One gang member allegedly was so angered that they leaked private Conti chat messages.
And it didn’t help that on May 6th, the U.S. offered rewards of up to US$10 million for information leading to the takedown of the Conti group. The highly publicized attack on government agencies of Costa Rica was a diversion while the gang restructured, say AdvIntel researchers.
What next? Conti is adopting a network organizational structure, says AdvIntel, one that is more horizontal and decentralized than its previously rigid hierarchy. “This structure will be a coalition of several equal subdivisions, some of which will be independent, and some existing within another ransomware collective. However, they will all be united by internal loyalty to both each other and the Conti leadership.”
The researchers describe four types of groups in this network:
- Type 1: Fully autonomous partners. These are pure data-stealing groups. They include the Karakurt, BlackBasta and BlackByte gangs. For a backgrounder on the BlackByte gang see this analysis by Cisco Systems;
- Type 2: Semi-autonomous partners. These act as Conti-loyal affiliates within other collectives in order to use those collectives’ ransomware lockers. They include the AlphV/BlackCat, Hive, HelloKitty/FiveHands and AvosLocker gangs;
- Type 3: Independent affiliates. These are individuals who may do the actual initial hack of an organization but are loyal to Conti;
- Type 4: Mergers and acquisitions. These are small threat actor groups the Conti leadership infiltrates and consumes entirely, keeping the small brand’s name. The small group’s leader loses independence but receives a massive influx of manpower, while Conti gets a new subsidiary group.
This structure is different from the Ransomware-as-a-Service model, says AdvIntel, since this network does not seem to be accepting new members. Moreover, the researchers say, unlike RaaS, this model seems to value operations being executed in an organized, team-led manner. Finally, all the members know each other very well personally and are able to leverage these personal connections and the loyalty that comes with them.
What does this mean for IT defenders? Not much. It’s still vital to perform cybersecurity basics to protect against any cyber attack:
- inventory and triage hardware and software so vital devices and applications can be patched as soon as security updates are available;
- have all staff enrolled in multifactor authentication as an extra step to protect logins; ensure staff and partners only have access to data and systems they need;
- segment data and networks;
- encrypt sensitive data at rest and in transit; have one copy of backup data saved offline and off-site;
- test backup and recovery procedures to make sure they work and staff know what to do;
- have an incident response plan that is regularly tested.
For more advice see the reports of the Ransomware Task Force, the Canadian Centre for Cyber Security’s ransomware resource pages and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware web site.
Meanwhile, CISA announced Friday that it plans to soon convene a Joint Ransomware Task Force, as mandated under a recently passed federal law. It would be co-chaired by CISA and the FBI. When fully implemented, the legislation will require critical infrastructure companies to report any substantial cybersecurity incident to the federal government within 72 hours, and any ransom payment within 24 hours.
The U.S. Justice Department also said it will step up efforts to crack down on illegal cryptocurrency transactions and work more closely with other countries to prosecute threat actors.