Conti Ransomware Group Goes Dark And Restructures In Move That Mimics Terror Cells
Conti operates as ransomware-as-a-service (RaaS): MITRE dates its first sightings to 2019 and attributes its management to the financially motivated threat actor “Wizard Spider,” which rents the malware out to affiliates who carry out the intrusions. Colloquially, the core operators and their affiliates are known together as the Conti ransomware gang, responsible for recent high-profile attacks on Boeing and Lockheed Martin supplier Parker Hannifin Corporation, the government of Costa Rica, and the Irish healthcare system, among others. In response to the Costa Rican attacks, president Rodrigo Chaves recently announced that the country is at war with Conti, declaring it an “international terrorist group.”
Despite this ongoing “war,” and despite victims still being posted to the Conti leak site, it appears some things are changing. First announced on Twitter and since backed up by evidence reported to BleepingComputer, Advanced Intel’s Yelisey Boguslavskiy reports that Conti’s internal “panels and hosts are down.” Boguslavskiy’s assessment is that Conti’s recent attacks were a ruse intended to make the group look very much alive and well while its members slowly moved on to other ransomware groups.
“[FLASH] #Conti Officially DisCONTInued. Today the official website of Conti #Ransomware was shut down, marking the end of this notorious crime group; it is truly a historic day in the #intelligence community! Look forward to today's @AdvIntel with extended analysis! @VK_Intel pic.twitter.com/gMSXhlHVSb” — Yelisey Boguslavskiy (@y_advintel), May 19, 2022
However, the disappearance of the Conti brand does not mean the threat is gone; rather, the group’s business model is pivoting. Boguslavskiy further reports that Conti leadership is partnering with smaller ransomware gangs that act as “cells” directed by a central Conti leadership, a structure not dissimilar to that of terrorist organizations such as al-Qaeda.
This change should not come as a surprise, as the group has come under intense scrutiny in the past several months. Having publicly backed Russia in its invasion of Ukraine and continually attacked or provoked high-profile targets, the group’s members are likely under tremendous pressure.
In any event, we would like to interpret this as a glass-half-full situation: investigators were likely getting close to the group, the heat evidently became too much, and Conti members have probably gone underground inside other groups, which makes them harder to track. Even so, the new Conti structure and its affiliates should open fresh opportunities for investigation, all of which will be quite interesting to follow.