Even as Conti operators threatened to overthrow the Costa Rican government, the notorious cybercrime gang officially shut down its infrastructure to shift its criminal activities to other side operations, including Karakurt and BlackByte.
“From trading sites, chat rooms, messengers to servers and proxy hosts – the Conti brand, not the organization itself, will be shut down,” AdvIntel researchers Yelisey Boguslavskiy and Vitaly Kremez said in a report. “However, that doesn’t mean the threat actors themselves are retiring.”
The voluntary termination, with the exception of the Name and Shame blog, reportedly took place on May 19, 2022, while an organizational restructuring was carried out at the same time to ensure a smooth transition of the ransomware group’s members.
AdvIntel said Conti, which is also tracked as Gold Ulrick, orchestrated its own disappearance using information warfare techniques.
The breakup also follows the group’s public declaration of loyalty to Russia during the country’s invasion of Ukraine, which dealt a blow to its operations and resulted in thousands of private chat logs being leaked, as well as its tools, making it a “toxic brand.”
It is believed that the Conti team has been actively creating subdivisions for over two months. At the same time, the group began taking steps to control the narrative, sending out “smoke signals” to simulate the movements of an active group.
“The attack on Costa Rica actually put Conti in the spotlight and helped them sustain the illusion of life a little longer while the actual restructuring was underway,” the researchers said.
“The only goal Conti wanted to achieve with this latest attack was to use the platform as a promotional tool to achieve his own death and subsequent rebirth in the most plausible way he could have dreamed up.”
Aside from these diversionary tactics, Conti’s infiltration specialists have also reportedly forged alliances with other well-known ransomware groups such as BlackCat, AvosLocker, Hive, and HelloKitty (aka FiveHands).
Additionally, the cybersecurity firm said it saw an internal communication alluding to Russian law enforcement having pressured Conti to shut down operations after increased surveillance and high-profile attacks by the criminal syndicate.
Conti’s affiliation with Russia also had other unintended consequences, most notably its inability to extort ransoms from victims in the face of harsh economic sanctions imposed on the country by the West.
Although the brand may no longer exist, the group has adopted what it calls a decentralized hierarchy, comprising several sub-groups with different motivations and business models ranging from data theft (Karakurt, BlackBasta and BlackByte) to working as independent affiliates.
This isn’t the first time Gold Ulrick has revamped its inner workings. TrickBot, whose elite Overdose division spawned the formation of Ryuk and its successor Conti, has since been shut down and incorporated into the collective, making TrickBot a subsidiary of Conti. The collective also took over BazarLoader and Emotet.
“The diversification of Conti’s criminal portfolio, coupled with its incredibly rapid resolution, challenges the replication of its business model with other groups,” AdvIntel noted last week.
“Ransomware Inc. has over time become less like the gangs they are often called and more like cartels,” said Sam Curry, Cybereason’s chief security officer, in a statement shared with The Hacker News.
“That means partnership agreements, specialist roles, business-like R&D and marketing groups and so on. And as Conti is beginning to mirror the types of activity we see at legitimate companies, it’s no surprise that they’re changing.”