Conti Criminals Resurface as Splinter RaaS Groups
Conti—one of the most ruthless and successful Russian ransomware groups—has been quiet since the group publicly announced it would cease operations in the wake of the ContiLeaks data breach. In early 2022, the cybercriminal gang fell victim to an attack that published insider data and revealed to the world how the nation-state-sponsored, multimillion-dollar group operated.
However, research from Intel 471 suggests the group’s former members were anything but dormant, with some actors branching out into side projects that leveraged their experience in segments of Conti’s prior operations, including data theft or network access.
Ransomware By Any Other Name
These include the Black Basta ransomware gang, whose tactics, techniques and procedures (TTPs) Intel 471 researchers said showed signs of overlap with those used by Conti.
Although the report conceded it could not directly confirm the link, it noted that Black Basta’s data leak blogs, payment sites and negotiation methods all bore similarities to Conti’s operations.
The same was true for BlackByte ransomware, whose “worm” capabilities appeared similar to Conti’s; this led Intel 471 to conclude that BlackByte is possibly a rebranded Conti operation created solely to maximize its previous data extortion schemes.
Brad Crompton, director of intelligence for Intel 471’s Shared Services, said individuals working as freelancers or joining up with other ransomware-as-a-service (RaaS) groups allowed other criminal groups to become that much stronger.
“Think of it the same way as a company looking to recruit talent after a competitor goes out of business: There are skills that can be applied to their own operations which only serves to strengthen their attacks,” he said. “Moreover, new activities may highlight business sectors that these RaaS groups seek to target or new TTPs that are being used.”
Crompton said by monitoring for specific targeting of sectors or looking for specific TTPs used, businesses can remain prepared and stay one step ahead of pending threats.
“Given that former Conti actors or affiliates have branched out to some of the most active RaaS groups currently operating, the threat is serious,” he added. “Conti had some skilled operators well-versed in the various steps of a ransomware attack. By integrating those people into their own schemes, other RaaS groups like LockBit 3.0 or ALPHV only grow stronger.”
He said it’s important to follow these threat actors because they are highly likely to resurface as part of some other criminal undertaking, and because their use of specific TTPs may make it possible to track the new aliases under which they choose to operate or to mitigate those TTPs directly.
“The public saw Conti fracture and eventually cease operations once ContiLeaks exposed their inner workings,” Crompton said. “By continuing to follow their actions, it continually makes it more difficult for them to remain operationally secure, brings unwanted attention to their schemes and makes it much harder for them to operate successfully.”
He added that this splintering and resurgence of Conti-affiliated malicious actors is a perfect example of how financially-motivated cybercriminals are opportunistic above all else.
“Their first loyalty is to money, and these actors will gravitate toward whatever is the easiest path to that end,” he said. “We would expect the same shift if a different group, like LockBit 3.0 or ALPHV, were doxxed; those actors would move to other groups that would allow them to make money as quickly and easily as possible.”
Transferrable Ransomware Skills
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, noted that while it is important for law enforcement to see such movements, enterprises should also pay attention. When people with these skillsets move to other groups, their tactics and techniques move with them, he said.
“Ultimately, the flow of talent will help predict technical behavior,” he said. “For instance, resizing volume shadow copies is something rarely—if ever—done in any environment. This means that technique is a very effective signal or, more ideally, a behavior you can block in your organization.”
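As an added illustration, not code from the article, Intel 471 or Netenrich, the following detector flags the shadow-copy tampering Bambenek singles out (shrinking shadow storage so Windows evicts existing copies, plus the blunter delete variant of the same recovery-inhibition step, MITRE ATT&CK T1490) across constructed process-creation log lines; the hostnames, parent processes and the pipe-delimited event format are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (not real telemetry): a Sysmon Event ID 1 style
# export flattened to "host|parent process|command line".
SAMPLE_EVENTS = [
    "ws01|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt",
    "ws01|cmd.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "srv02|svchost.exe|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "srv02|powershell.exe|vssadmin Delete Shadows /All /Quiet",
    "db03|backupagent.exe|vssadmin resize shadowstorage /for=D: /on=D: /maxsize=UNBOUNDED",
]

# Matches vssadmin invocations that either shrink/resize shadow storage or
# delete shadow copies; case-insensitive because the tool accepts any casing.
SHADOW_TAMPER = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*?\b(resize\s+shadowstorage|delete\s+shadows)\b",
    re.IGNORECASE,
)
MAXSIZE = re.compile(r"/maxsize=(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    parent: str
    cmdline: str
    reason: str


def classify(cmdline: str) -> Optional[str]:
    """Return a reason string when the command line tampers with shadow copies."""
    m = SHADOW_TAMPER.search(cmdline)
    if not m:
        return None
    if m.group(1).lower().startswith("delete"):
        return "shadow copies deleted"
    size = MAXSIZE.search(cmdline)
    # Growing storage to UNBOUNDED does not evict copies; only shrinking does.
    if size and size.group(1).upper() == "UNBOUNDED":
        return None
    return "shadow storage shrunk (forces eviction of existing copies)"


def scan(events: List[str]) -> List[Finding]:
    """Run the classifier over pipe-delimited events and collect findings."""
    findings = []
    for line in events:
        host, parent, cmd = line.split("|", 2)
        reason = classify(cmd)
        if reason:
            findings.append(Finding(host, parent, cmd, reason))
    return findings
```

In production the parent-process field is where an allowlist for a known backup agent would go, since legitimate backup software also calls vssadmin.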
Bambenek added that ultimately, without significant changes in international law enforcement, cybercrime pays—with low risk.
“Individuals involved will stay involved,” he said. “We may do takedowns or leaking events may happen, but the benefits are transient. Ransomware is big business and will remain so. One group going down just means the talent disperses to other existing groups or new threat actors.”
In May, the U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of key leaders of the Conti ransomware crime group.
On top of that, the State Department said it would put up an additional $5 million for any info leading to the arrest and/or conviction of individuals in any country conspiring to participate in, or attempting to participate in, a Conti variant ransomware incident.
A week later, Conti claimed to have infiltrated Costa Rica’s government and issued a ransom demand of $20 million, along with a threat to overthrow the government of president Rodrigo Chaves.