Conti Ransomware Ended: They Operate With Other Groups Now

The Conti ransomware gang had taken its infrastructure offline and ceased operations. According to the news of Advanced Intel’s Yelisey Boguslavskiy, the Tor admin panel, where Conti held the ransom negotiations and published new data leak news, has been closed.

Experts believe that the process ended like this because Conti took the side of Russia in the Russia-Ukraine war, and critical information about the gang’s operations was disclosed.

Build a strong security posture against ransomware attacks with SOCRadar Extended Threat Intelligence. Discover AttackMapper, RiskPrime, and ThreatFusion modules that work wonders together!

A New Strategy?

Boguslavsky's tweet that Conti has ceased operations. — Boguslavsky’s tweet that Conti has ceased operations.

Conti, which has recently come to the fore with a 672 GB data leak allegedly belonging to the Costa Rican government, surprised cybersecurity researchers by announcing its ending operations. Still, it is widely believed that this may be a new strategy. According to Boguslavskiy, Conti has already started partnering with other smaller ransomware groups.

The Conti brand is doomed, but the gang members’ role in the ransomware environment will continue. Members of famous ransomware groups such as REvil and BlackMatter, which had previously stopped their operations, continued their activities under other names or partnerships with different groups.

Conti Forms Partnerships With Other Ransomware Groups

According to cybersecurity experts, this move by Conti will mobilize both the gang members and the ransomware industry. It will also make it harder for the group to be identified by official authorities. The group’s decision can be better understood given that the US government has placed a $15 million reward for gang leaders.

According to Advanced Intel’s report, Conti members partner with known ransomware gangs such as AvosLocker, Hive, HelloKitty, BlackByte, and BlackCat. Some gang members form groups such as Bazarcall and Karakurt, which only focus on data theft.

Who’s Next?

With the end of the Conti brand, it can be said that among the ransomware groups, LockBit and Lapsus$ have reached the top. Cybersecurity researchers think these gangs may follow a similar tactic.

As cybercrime groups gain popularity, they attract the attention of law enforcement and often end up in prison. Conti’s strategy can set an example for other gangs. Thus, a cybercrime network may be formed that is more difficult to track and detect.

Conti IoCs

Initial Access
T1566	Phishing
T1190	Exploit Public-Facing Application

Execution
T1106	Execution through API
T1059.003	Command and scripting interpreter: Windows command shell
T1047	Windows Management Instrumentation
T1204	User execution
T1053.005	Scheduled task/job: scheduled task

Persistence
T1053.005	Scheduled task/job: Scheduled task

Privilege Escalation
T1078.002	Valid accounts: domain accounts
T1083	File and directory discovery
T1018	Remote system discovery
T1057	Process discovery
T1016	System network configuration discovery
T1069.002	Permission groups discovery: domain groups
T1082	System information discovery
T1033	System owner/user discovery
T1012	Query registry
T1063	Security software discovery

Credential Access
T1003	OS credential dumping
T1555	Credentials from password stores
T1552	Unsecured credentials

Lateral Movement
T1570	Lateral tool transfer
T1021.002	Remote services: SMB/Windows admin shares

Defense Evasion
T1562.001	Impair defenses: disable or modify tools
T1140	Deobfuscate/Decode files or information
T1055	Process injection