Conti Ransomware Ended: They Operate With Other Groups Now
The Conti ransomware gang has taken its infrastructure offline and ceased operations. According to Advanced Intel's Yelisey Boguslavskiy, the Tor admin panel, where Conti held ransom negotiations and published new data leak announcements, has been shut down.
A New Strategy?
Conti, which recently came to the fore with a 672 GB data leak allegedly belonging to the Costa Rican government, surprised cybersecurity researchers by announcing the end of its operations. Still, it is widely believed that this may be a new strategy. According to Boguslavskiy, Conti has already started partnering with other, smaller ransomware groups.
The Conti brand is finished, but its members' role in the ransomware ecosystem will continue. Members of well-known ransomware groups such as REvil and BlackMatter, which had previously stopped their operations, continued their activities under other names or in partnership with different groups.
Conti Forms Partnerships With Other Ransomware Groups
According to cybersecurity experts, this move by Conti will keep both the gang's members and the wider ransomware industry active. It will also make it harder for law enforcement to identify the group. The decision is easier to understand given that the US government has offered a $15 million reward for the gang's leaders.
According to Advanced Intel's report, Conti members are partnering with known ransomware gangs such as AvosLocker, Hive, HelloKitty, BlackByte, and BlackCat. Some members have formed groups such as BazarCall and Karakurt, which focus solely on data theft.
As cybercrime groups gain notoriety, they attract the attention of law enforcement and their members often end up in prison. Conti's strategy may set an example for other gangs, producing a cybercrime network that is more difficult to track and detect.
- Exploit Public-Facing Application
- Execution through API
- Command and scripting interpreter: Windows command shell
- Windows Management Instrumentation
- Scheduled task/job: scheduled task
- Valid accounts: domain accounts
- File and directory discovery
- Remote system discovery
- System network configuration discovery
- Permission groups discovery: domain groups
- System information discovery
- System owner/user discovery
- Security software discovery
- OS credential dumping
- Credentials from password stores
- Lateral tool transfer
- Remote services: SMB/Windows admin shares
- Impair defenses: disable or modify tools
- Deobfuscate/Decode files or information
- Command and Control: Application Layer Protocol
- Remote access software
- Exfiltration over web service: exfiltration to cloud storage
- Data encrypted for impact
- Inhibit system recovery