Despite the leak of information (chat messages and the ContiLeaks files), members of the Conti cyber group, who have connections with the Russian FSB and are well aware of the operations of military hackers from the cyber unit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Unit 74455), have taken measures that allow them to maintain relative stability and partially continue their activities.
Analysts have found signs of overlap in tactics, techniques and procedures with some ransomware groups, including Black Basta, which began operating a month before the Conti group announced its shutdown.
However, despite the similarities in the data leak blogs, payment sites, recovery portals, victim communications and negotiation methods, experts cannot fully confirm that this group is a rebrand launched by former members of the Conti group.
Another ransomware operation, BlackByte, which has been active since August 2021, has a “worm” capability similar to Ryuk (Conti’s predecessor) and removes volume shadow copies by resizing the shadow storage (a technique previously used by Conti and Ryuk), which shows an overlap between its own operations and Conti.
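The shadow-storage resizing mentioned above is the kind of endpoint activity defenders can detect from process-creation telemetry. The following is an added example, not code from the article or from any of the groups it describes: it classifies Sysmon-style command lines (an assumed log shape) and flags `vssadmin` invocations that resize shadow storage, as well as the closely related direct deletion of shadow copies, while ignoring benign administrative uses such as listing shadows. The sample command lines are constructed for the example.

```python
import shlex
import re

# Constructed sample command lines in the shape of process-creation telemetry
# (for example the CommandLine field of a Sysmon Event ID 1 record).
# They are not real captured data.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'vssadmin list shadows',
    r'C:\Windows\System32\cmd.exe /c dir C:\Users',
    r'"C:\Program Files\Backup\agent.exe" --schedule nightly',
]

# Findings this example reports (constructed labels for the example).
SHADOW_STORAGE_RESIZE = "shadow_storage_resize"
SHADOW_COPY_DELETE = "shadow_copy_delete"


def _basename(token):
    """Strip surrounding quotes and return the lower-cased last path component."""
    return re.split(r"[\\/]", token.strip('"').lower())[-1]


def classify_vssadmin(cmdline):
    """Classify one command line.

    Returns SHADOW_STORAGE_RESIZE for 'vssadmin resize shadowstorage ...',
    SHADOW_COPY_DELETE for 'vssadmin delete shadows ...', and None for
    anything else, including benign uses such as 'vssadmin list shadows'.
    """
    # posix=False keeps Windows backslashes literal and keeps quoted paths
    # (with spaces) together as a single token.
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return None  # unbalanced quotes: not parseable as a command line
    idx = next(
        (i for i, t in enumerate(tokens) if _basename(t) in ("vssadmin", "vssadmin.exe")),
        None,
    )
    if idx is None or idx + 2 >= len(tokens):
        return None
    verb, noun = tokens[idx + 1].lower(), tokens[idx + 2].lower()
    if verb == "resize" and noun == "shadowstorage":
        return SHADOW_STORAGE_RESIZE
    if verb == "delete" and noun == "shadows":
        return SHADOW_COPY_DELETE
    return None


def scan_command_lines(lines):
    """Return a list of findings, one dict per command line that matched."""
    findings = []
    for line in lines:
        label = classify_vssadmin(line)
        if label is not None:
            findings.append({"cmdline": line, "finding": label})
    return findings


if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"{f['finding']:22s} {f['cmdline']}")
```

A resize finding on a host that is not running a scheduled backup job is a strong early-stage ransomware indicator and worth alerting on by itself; the rule deliberately matches on parsed verb and noun rather than a substring so that log lines that merely mention the word (for example an audit script listing shadows) do not trigger it. Equivalent shadow-copy tampering through other Windows tools is outside the scope of this rule and needs its own detection logic.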
Analysts speculate that BlackByte may be a rebranded Conti operation designed solely to capitalize on previous phishing schemes and provide affiliates with a ransomware option that aligns with their already established tactics, techniques, and procedures.
Another cybercriminal group that positions itself as a RaaS (Ransomware-as-a-Service) group, but is primarily responsible for data theft and extortion schemes and has ties to former Conti members, is Karakurt.
This cyber group targets large organizations with significant revenues and does not encrypt files or machines, but steals data and threatens to publish it unless a cryptocurrency ransom is received.
Analysts found significant overlap between Karakurt intrusions and earlier Conti extortion incidents, including the use of identical hostnames, the same hijacking and remote-access methods, and cryptocurrency transfers between related wallets.
Conti cyber group affiliates and managers were found to have collaborated with LockBit 2.0, Maze, and Ryuk ransomware teams, and some threat actors formed alliances with other active RaaS programs: ALPHV (BlackCat), AvosLocker, Hive, and HelloKitty (FiveHands).
It is likely that members of all these groups are now deploying these exact ransomware variants instead of the earlier Conti versions.
Additionally, other cybercriminals could use the Conti source code leak to compile their own ransomware or add their own development to one of the other active ransomware schemes listed above.
The most prolific members of the Conti group will continue to operate, successfully carrying out illegal cyber activities, and when the negative media attention on them fades, the group’s operators will try to regroup.
Members of the Conti group would contribute their own tactics, techniques, and procedures to other RaaS groups in order to distance themselves from a perceived pro-Russian stance, on the logic that victims would pay ransoms to groups not subject to US sanctions.