[MART] - Daily Diary #516 - Conti Ransomware Operation Shut Down

CTAS-MAT ctas-mat at appgate.com
Mon May 23 21:24:41 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/23/2022 - Diary entry #516:

The Conti Syndicate, the group responsible for the Conti ransomware, is one of the most dangerous ransomware operations using the double-extortion model. In many of our Daily Diaries we have covered Conti, including a spike in their activity in September last year. Then, their statement supporting Russia in the conflict against Ukraine led to a series of leaks involving their infrastructure by an allegedly Ukrainian security researcher.

More recently, the US State Department offered $10 million USD for information leading to the takedown of the Conti group. Besides that, we covered Conti's attacks against Peruvian and Costa Rican governmental entities (Daily Diary #506) that caused the Costa Rican President to declare a national emergency.

Most recently, evidence suggests that the group was gradually shutting down its operation to reorganize itself into smaller, horizontal, and decentralized operations. This new organizational structure is divided into different types of operations: fully autonomous groups focused only on data theft (without a locker), such as Karakurt, BlackByte, and BlackBasta; semi-autonomous groups (using a locker) like BlackCat, HIVE, HelloKitty/FiveHands, and AvosLocker; then independent affiliates; and finally, mergers and acquisitions of small brands.

Despite Conti's wall-of-shame blog still being online and recently updated (with new victims' data published today), sources claim that Conti was officially shut down on May 19, 2022, and that this is only part of their strategy not to go dark as other groups did after drawing attention from the media and law enforcement authorities.

In some of our recent Daily Diaries, we covered other big ransomware operations rebranding after getting a lot of media attention. Considering that an operation as big as Conti probably involves many threat actors, the reward offered by the US State Department might be big enough to make insiders disrupt Conti's operation, making Conti's strategy of dissolving both a reflection of the pressure they are facing from international law enforcement and a safe way to "stay in business". If all this is confirmed and becomes clearer in the future, this new structure could transform the RaaS and data theft business, leading to a more decentralized and nebulous scenario.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

