The Conti ransomware operation has undergone some significant organizational structure changes in the past months after the brand became toxic due to its affiliation with the Russian government.
The Conti operation has been highly successful, helping cybercriminals make billions of dollars after breaching the systems of hundreds of major organizations. While it appeared to be very active, threat intelligence company AdvIntel says the group has been in the process of shutting down the Conti brand and switching to a different organizational structure that involves multiple subgroups.
The Conti brand’s downfall appears to have started in late February, after Russia launched an invasion of Ukraine. Shortly after the war began, Conti pledged its support for the Russian government and threatened to attack the critical infrastructure of its enemies.
The initial statement from Conti was revised and toned down, but it was too late. Expressing support for the Russian government sparked internal debate and led to vast amounts of internal data, including chats and source code, getting leaked.
According to AdvIntel, the factor that sealed the fate of the Conti brand was that pledging allegiance to Russia resulted in the group being associated with the Russian government.
Russia’s war against Ukraine drew significant sanctions from the West, meaning that any payment made to the cybercriminals could be considered a payment to Russia and implicitly a violation of sanctions.
“As a result of these limitations, Conti had essentially cut itself from the main source of income,” AdvIntel explained. “Our sensitive source intelligence shows that many victims were prohibited to pay ransom to Conti. Other victims and companies who would have negotiated ransomware payments were more ready to risk the financial damage of not paying the ransom than they were to make payments to a state-sanctioned entity.”
While Conti has become a toxic brand, the operation was too big and too profitable to just completely scrap. However, Conti leadership decided that instead of suddenly disappearing — REvil tried that approach and it did not go well — they would gradually shift to a new strategy put into practice well before the Conti brand would be shut down.
AdvIntel said the Conti operation was officially shut down on May 19, when their site’s admin panel and negotiations service went offline, and the rest of the infrastructure was reset.
However, before the shutdown, the group continued to appear active and made a grand exit by hacking into the systems of Costa Rica, claiming that their goal was to overthrow the government.
While only a handful of new victims were announced on Conti’s leak website in May, the group made political statements and commented about other ransomware, claiming that they were inexperienced or scammers. They made comments including about ransomware that AdvIntel has confirmed to be affiliated with Conti.
Now that the Conti brand has been terminated, the group’s leaders have switched to what AdvIntel describes as a “network organizational structure” that is more “horizontal and decentralized” compared to the previous hierarchy, which has been described as “rigid.”
“This structure will be a coalition of several equal subdivisions, some of which will be independent, and some existing within another ransomware collective. However, they will all be united by internal loyalty to both each other and the Conti leadership, especially [Conti project frontman] ‘reshaev’,” the cybersecurity firm explained.
The company says the Conti network now includes fully autonomous groups, such as Karakurt, Black Basta and BlackByte, which do not use data-encrypting malware and instead only rely on the theft of valuable information to extort victims. Researchers previously noted that some of these groups seemed to be linked to Conti.
The new Conti network also includes semi-autonomous groups that use locker malware such as AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.
There are also some independent affiliates who work on their own but continue to be loyal to the organization. In addition, Conti leadership has taken over smaller ransomware brands, keeping their name but boosting their capabilities.
“This is different from Ransomware-as-a-Service, since this network, at least at the time of writing, does not seem to be accepting new members as part of its structure. Moreover, unlike RaaS, this model seems to value operations being executed in an organized, team-led manner. Finally, unlike RaaS, all the members know each other very well personally and are able to leverage these personal connections and the loyalty that comes with them,” AdvIntel explained.
“This model is more flexible and adaptive than the previous Conti hierarchy but is more secure and resilient than RaaS,” it added.
The United States is offering up to $15 million for information on leaders of the Conti gang.