Using cybercrime as cover: How Conti operators are lying low

It's probable that Conti operators will seek to regroup. Here's what they are doing in the meantime.

Jul 19, 2022

The Conti group may have publicly announced that it was stopping operations in the wake of the ContiLeaks, but that doesn’t mean the group has totally disappeared.

Since the announcement in May 2022, Intel 471 researchers have observed Conti-loyal actors splinter and move in different directions within the cybercrime underground. Some actors have leaned into side projects that take advantage of segments of Conti’s prior operations, like network access or data theft. Others have allegedly forged alliances with other Ransomware-as-a-service (RaaS) groups, building upon individual relationships that were cultivated during Conti’s existence.

Whatever path former Conti-affiliated actors have chosen, they are still focused on making profits and staying out of law enforcement custody, as they move past the information leaks and subsequent media attention of the last few months.

Retreat and Rebrand

Having previously managed a variety of underground side businesses, actors associated with Conti have branched out as independent contractors or small syndicates, relying on skills and schemes previously used to support Conti’s operations.

The Black Basta ransomware gang, which started operations a month before Conti announced its shutdown, has shown signs of overlap with Conti’s tactics, techniques and procedures (TTPs). Black Basta’s data leak blogs, payment sites, recovery portals, victim communications and negotiation methods all bear similarities to Conti’s operations. Despite those similarities, we cannot fully confirm that Black Basta is solely a rebrand launched by former Conti group members.

Another ransomware variant whose operations overlap with Conti’s is BlackByte. While BlackByte has been active since August 2021, there are hints in the group’s TTPs that link Conti and BlackByte. BlackByte ransomware has a “worm” capability that is similar to that of Conti’s predecessor, Ryuk. Additionally, BlackByte deletes volume shadow storage by resizing it, which is a technique both Conti and Ryuk have previously used. Given the similarities, Intel 471 assesses that BlackByte is possibly a rebranded Conti operation created solely to maximize its previous data extortion schemes and give affiliates a ransomware variant that aligns with their already-established TTPs.
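For defenders, the shadow-storage resizing mentioned above is visible in process-creation telemetry. The following is an added detection sketch, not code from Intel 471 or from any of the groups discussed; the event field names, host names, sample command lines and the 1 GiB threshold are assumptions constructed for illustration.

```python
import re

# vssadmin(.exe), optionally quoted with a full path, followed by "resize shadowstorage".
RESIZE_RE = re.compile(r'\bvssadmin(?:\.exe)?["\']?\s+resize\s+shadowstorage\b', re.I)
MAXSIZE_RE = re.compile(r'/maxsize=\s*(\d+)\s*([kmgtpe]?b|%)?', re.I)
UNITS = {"b": 1, "kb": 2**10, "mb": 2**20, "gb": 2**30,
         "tb": 2**40, "pb": 2**50, "eb": 2**60}
SMALL_BYTES = 2**30  # assumed triage threshold (1 GiB); tune per environment

def classify(cmdline):
    """Return None (not a resize), 'review' (resize) or 'high' (resize to a tiny cap)."""
    cmd = re.sub(r"\s+", " ", cmdline).strip()
    if not RESIZE_RE.search(cmd):
        return None
    m = MAXSIZE_RE.search(cmd)
    if not m or m.group(2) == "%":
        return "review"  # unbounded, percentage or no /maxsize: needs a human look
    size = int(m.group(1)) * UNITS[(m.group(2) or "b").lower()]
    # A very small cap forces Windows to discard existing shadow copies.
    return "high" if size <= SMALL_BYTES else "review"

def triage(events):
    """Return (host, verdict) for every event whose command line resizes shadow storage."""
    hits = []
    for ev in events:
        verdict = classify(ev["cmdline"])
        if verdict:
            hits.append((ev["host"], verdict))
    return hits

# Constructed process-creation events (hypothetical hosts and field names).
SAMPLE_EVENTS = [
    {"host": "ws-014", "cmdline": "vssadmin.exe  resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "fs-02", "cmdline": r'"C:\Windows\System32\vssadmin.exe" Resize ShadowStorage /For=D: /On=D: /MaxSize=unbounded'},
    {"host": "ws-021", "cmdline": "vssadmin list shadows"},
    {"host": "bk-01", "cmdline": "vssadmin resize shadowstorage /for=E: /on=E: /maxsize=50GB"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```

Legitimate resizing of shadow storage is rare on workstations, so even the "review" verdicts are worth correlating with the parent process and the account that ran the command.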

A third cybercriminal group that has ties to ex-Conti members is Karakurt, which positions itself as a RaaS group, but is primarily responsible for data theft and data extortion schemes. The Karakurt group does not encrypt files or machines but steals data and threatens to post it on the underground unless a ransom payment is received. The group targets large organizations with significant revenues for high ransom demands, ranging from US $25,000 to US $13 million in cryptocurrency.

Open source evidence suggests there are significant overlaps between Karakurt intrusions and Conti re-extortions. The two groups used the same attacker host name, as well as the same exfiltration and remote access methods. Additionally, Intel 471 has observed cryptocurrency transfers between wallets tied to Karakurt and Conti.

Who wants a partner?

Intel 471 previously reported that Conti group affiliates and managers cooperated with the LockBit 2.0, Maze and Ryuk ransomware teams. In May 2022, Conti-associated threat actors allegedly forged alliances with other active RaaS programs: ALPHV aka BlackCat; AvosLocker; Hive; and HelloKitty aka FiveHands. These actors likely now deploy these ransomware variants instead of Conti versions. Additionally, other actors could use the leaked Conti source code to compile their own ransomware locker and decryptor, or fold their own development into one of the other active ransomware schemes listed above. We assess that Conti operators will bring their skills to other RaaS groups to distance themselves from Conti’s perceived pro-Russian stance, with the logic being that companies will be more likely to pay ransoms to groups that do not fall under U.S. sanctions.

Gone (But Not Really)

The ContiLeaks were a mortal blow to the Conti group, exposing enough information to make the group’s continued operation untenable. Yet even with the leaks, there were steps Conti took that enabled the ransomware group to remain resilient and continue parts of its operation. Intel 471 believes it is highly likely the most prolific members of the group will continue to operate, successfully conducting illicit cyber activity. Furthermore, once the negative media attention dissipates, it is probable that Conti operators will seek to regroup into an organization with a structure similar to the one the group once held.

Until that happens, we expect Conti actors to fold their own TTPs into other ransomware operations we have listed above or fall back on legacy underground businesses.