Conti: End or Transformation?

Despite the leak of information (chat messages and ContiLeaks files), members of the Conti cyber group, who have connections with the Russian FSB and are acutely aware of the operations of military hackers from the cyber unit of The Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Unit 74455), have taken certain measures that allow them to maintain relative stability and partially continue their activities.

Analysts have found signs of overlap in tactics, techniques and procedures with some ransomware groups, including Black Basta, which began operating a month before the Conti group announced its shutdown.

However, despite the similarities in the data leak blogs, payment sites, recovery portals, victim communications and negotiation methods, experts cannot fully confirm that this group is a rebrand launched by former members of the Conti group.

Another ransomware family, BlackByte, active since August 2021, shows an overlap between its own operations and Conti: it has a “worm” capability similar to Ryuk (Conti’s predecessor) and deletes shadow volume storage by resizing it, a technique previously used by Conti and Ryuk.
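The shadow-storage resizing mentioned above is the one concrete technique on this page, and it is also the one that defenders can check for directly. The following is an added example, not code from the original article or from any of the groups it discusses. It scans constructed process-creation log lines (the four-field `time host user command` format and the sample lines are assumptions) for the `vssadmin resize shadowstorage` and `vssadmin delete shadows` command forms documented under MITRE ATT&CK T1490 (Inhibit System Recovery). Shrinking the storage limit below a threshold is treated as the high-severity case, because a reduced limit forces existing shadow copies to be discarded, which is what makes the resize equivalent to deletion.

```python
import re

# Constructed sample log lines (assumption: "<time> <host> <user> <command line>").
SAMPLE_LOGS = [
    "2022-07-01T10:01:02Z host1 backupsvc vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded",
    "2022-07-01T10:05:44Z host2 admin vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2022-07-01T10:06:00Z host2 admin vssadmin delete shadows /all /quiet",
    "2022-07-01T10:07:13Z host3 user notepad.exe C:\\notes.txt",
    "2022-07-01T10:08:55Z host4 svc VSSADMIN RESIZE SHADOWSTORAGE /For=D: /On=D: /MaxSize=1GB",
]

SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
MAXSIZE_RE = re.compile(r"^/maxsize=(\d+)\s*(KB|MB|GB|TB)?$", re.IGNORECASE)
# Assumption: any hard limit under 2 GB is small enough to purge existing shadow copies.
SHRINK_THRESHOLD = 2 * SIZE_UNITS["GB"]


def parse_maxsize(token):
    """Return the /maxsize value in bytes; None for unbounded, percentage or non-matching tokens.
    A bare number with no suffix is treated as bytes here (assumption)."""
    m = MAXSIZE_RE.match(token)
    if not m:
        return None
    number, unit = m.groups()
    multiplier = SIZE_UNITS[unit.upper()] if unit else 1
    return int(number) * multiplier


def classify(cmdline):
    """Return (severity, reason) for a vssadmin command that inhibits recovery, else None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    # Strip any directory prefix and compare the executable name case-insensitively.
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("vssadmin", "vssadmin.exe"):
        return None
    args = [t.lower() for t in tokens[1:]]
    if len(args) >= 2 and args[0] == "delete" and args[1] == "shadows":
        return ("high", "vssadmin delete shadows")
    if len(args) >= 2 and args[0] == "resize" and args[1] == "shadowstorage":
        for t in args[2:]:
            size = parse_maxsize(t)
            if size is not None and size < SHRINK_THRESHOLD:
                return ("high", f"shadow storage shrunk to {size} bytes")
        return ("low", "shadow storage resized (not shrunk below threshold)")
    return None


def scan_logs(lines):
    """Run classify() over each log line and collect findings with their context fields."""
    findings = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the scan
        ts, host, user, cmdline = parts
        result = classify(cmdline)
        if result:
            severity, reason = result
            findings.append(
                {"time": ts, "host": host, "user": user, "severity": severity, "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['severity'].upper():4} {f['time']} {f['host']} {f['user']}: {f['reason']}")
```

On the constructed input the scan flags the 401 MB resize, the `delete shadows` call and the 1 GB resize as high severity, reports the `unbounded` resize as low severity (a limit increase does not purge copies), and ignores the unrelated process. The case-insensitive matching and the directory-prefix stripping exist because both variations show up in real process logs; the threshold is a tunable assumption rather than a published value.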

Analysts speculate that BlackByte may be a rebranded Conti operation designed solely to capitalize on previous phishing schemes and provide affiliates with a ransomware option that aligns with their already established tactics, techniques, and procedures.

Another cybercriminal group that positions itself as a RaaS (Ransomware-as-a-Service) group, but is primarily responsible for data theft and extortion schemes and has ties to former Conti members, is Karakurt.

This cyber group targets large organizations with significant revenues and does not encrypt files or machines, but steals data and threatens to publish it unless a cryptocurrency ransom is received.

Analysts found significant overlap between Karakurt intrusions and repeated Conti extortion operations, including the use of identical hostnames, the same hijacking and remote-access methods, and cryptocurrency transfers between related wallets.

Conti cyber group affiliates and managers were found to have collaborated with LockBit 2.0, Maze, and Ryuk ransomware teams, and some threat actors formed alliances with other active RaaS programs: ALPHV (BlackCat), AvosLocker, Hive, and HelloKitty (FiveHands).

It is likely that members of all these groups are now deploying these exact ransomware variants instead of the earlier Conti versions.

Additionally, other cybercriminals could use the Conti source code leak to compile their own ransomware or add their own development to one of the other active ransomware schemes listed above.

The most prolific members of the Conti group will continue to operate, successfully carrying out illegal cyber activities, and when the negative media attention on them fades, the group’s operators will try to regroup.

Members of the Conti group would add their own tactics, techniques, and procedures to other RaaS groups to distance themselves from a perceived pro-Russian stance, on the logic that victims would pay ransoms to groups not subject to US sanctions.

Pavlo Kryvenko

Head of AI and Cyber Security Section

He has been working as Head of the Information and Cyber Security Section and Coordinator of the Artificial Intelligence Platform at the Center for Army, Conversion and Disarmament Studies (Kyiv, Ukraine). Pavlo is the founder of the GODDL company.

He has worked as a member of the delegation of the Communication Administration of Ukraine at the World Radiocommunication Conference (Geneva, Switzerland) and as a Cyber Security Consultant at the Bar Association Defendo Capital (Kyiv, Ukraine).

Pavlo has collaborated with the National Communications and Informatization Regulatory Commission and the Ukrainian State Radio Frequency Center for International Frequency Coordination.

He studied at the Institute of International Relations of the Kyiv International University (Ukraine), the Joint Frequency Management Center of the US European Command, the LS telcom AG Training Center (Grafenwöhr, Germany), the UN International Peacekeeping and Security Center (Kyiv, Ukraine).

July 2022