Euro Security Watch with Mathew J. Schwartz

Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

Conti Ransomware Group Retires Name After Creating Spinoffs

Backing Russia's Invasion of Ukraine Burned the Brand, Researchers Report
Conti Ransomware Group Retires Name After Creating Spinoffs
In a quickly deleted post to its data leak site on Feb. 25, 2022, the Conti group declared its support for Russia's invasion of Ukraine (Source: Advanced Intelligence)

The Russian-language criminal syndicate behind Conti ransomware on Thursday retired that brand name, threat intelligence firm Advanced Intelligence reports.

See Also: How Splunk uses Splunk Observability to Monitor Cloud Apps

To be clear, Conti isn't going away, but has instead already implemented a series of carefully planned business moves designed to diversify its illicit business from both an operational and a branding standpoint, thus making it more difficult to track or disrupt, say security researchers Yelisey Boguslavskiy and Vitali Kremez at New York-based Advanced Intelligence, aka AdvIntel.

"The rebranded version of Conti ... ensured that whatever form Conti's ex-affiliates chose to take, they would emerge into the public eye before news of Conti's obsolescence could spread." 

Conti in effect has already created multiple spinoffs, by using stand-alone strains of malware the group already developed or acquired or by creating new brands entirely, Boguslavskiy and Kremez write in a new report.

"They already had a couple of subsidiaries operating under different names: KaraKurt, BlackByte, BlackBasta," they write, adding that Conti has also formed close alliances with other groups, including Alphv/BlackCat, AvosLocker, Hive and HelloKitty/FiveHands (see: Beg, Borrow, Steal: Conti Leaks Reveal Ransomware Crossover).

"The rebranded version of Conti - the monster splitting into pieces still very much alive - ensured that whatever form Conti's ex-affiliates chose to take, they would emerge into the public eye before news of Conti's obsolescence could spread, controlling the narrative around the dissolution as well as significantly complicating any future threat attributions," they say.

To help make it look as if Conti itself continued to be an ongoing, lucrative concern - and brand name - until the spinoffs were established, the AdvIntel researchers say the criminal syndicate appears to have prepositioned itself inside some large targets and then crypto-locked them when it wanted to maximize publicity.

Chief among these "smokescreens" appears to have been the government of Costa Rica, which they say the group never expected to pay a ransom. Instead, crypto-locking multiple government systems, claiming that it was being assisted by "insiders" and actively seeking out more systems to encrypt was seemingly just a cynical ploy designed to maximize publicity for Conti after the group's leadership had already scheduled a timeline for the brand's demise (see: Secrets and Lies: The Games Ransomware Attackers Play).

Timing Teardown

Why is Conti only doing this now? Many security experts had expected Conti - as in the group that wields that strain of ransomware, among other types of malicious code - to have rebranded itself much sooner, given the heat it's been attracting.

In May 2021, notably, Conti attacked Ireland's Health Service Executive, which disrupted healthcare in the country for months. That and other attacks around that time triggered a political firestorm, as governments - including the Biden administration - began to view ransomware not as an IT nuisance but as a national security threat.

Last December, Interpol Director of Cybercrime Craig Jones reported that, led by Irish police, active efforts to disrupt Conti remained underway. "Interpol facilitated the identification and takeover of the attackers' command-and-control server in the Ukraine and supported the post-event disruption activities led by Ireland on that criminal infrastructure," he said at the time. "That operation is still ongoing, and there is more to come in the future."

Conti, however, continued on, racking up a notable number of targets and appearing to operate with impunity. That seemed true even after late February, when a Ukrainian - by some accounts, a former member or affiliate of Conti - leaked voluminous chat logs and source code, providing an unprecedented, inside look at the operation, which appeared to number about 100 employees. Nevertheless, the leaks didn't appear to damage Conti's business (see: Leaks Fail to Dent Conti's Successful Ransomware Operation).

Support for Russia's Invasion

The leaks, however, can now be seen as a symptom of a problem that Conti created for itself. Namely, Boguslavskiy and Kremez say that after Conti came out in support of Russia's Feb. 24 invasion of Ukraine - via a post to its data leak site that it quickly deleted - the crime syndicate shot itself in the foot. At least some current and former members of the group who are Ukrainian or have Ukrainian family or who simply didn't wish to get mixed up in politics, severed ties or even leaked information from the group.

AdvIntel says it's seen a decline in the number of Conti victims willing to pay a ransom, given the group's apparent ties to the Russian state.

Earlier this month, meanwhile, the U.S. Department of State announced a reward of up to $10 million for information that leads to the identification or location of any key figures in the Conti organization.

Ransomware Playbook: Time to Rebrand

Accordingly, Conti is following in the footsteps of other ransomware operations that opted to rebrand after feeling the heat.

Rewards posted for Conti leaders, owners, operators or affiliates (Source: U.S. Department of State)

One of the best-known such examples is DarkSide, which became a top law enforcement target after hitting Colonial Pipeline in May 2021, sparking the panic buying of fuel in the United States. "The heat from Colonial was such that DarkSide … said, 'Hey, you know what? We're gonna go enjoy our money for a while, and we're out," says Jen Ellis, vice president of community and public affairs at Rapid7.

"Admittedly, we did all kind of go, 'It'll be back under a different name.' And then we see BlackMatter - such a weirdly similar name," she says, which was followed by a rebrand as the similarly named BlackCat, aka Alphv.

"It's very much like a sort of Hydra minus the sort of cool uniforms," she tells me, referring to the fictional Nazi terrorist organization that first appeared in Marvel comic books. "You cut off the head at one end, and there seem to be plenty of others."

So too now with Conti, except that instead of simply rebranding, the group appears to have already built and launched a diversified business model designed be more difficult to track, target or disrupt.

Boguslavskiy and Kremez say the group's leadership obviously studied previous ransomware groups' rebranding efforts and their shortcomings and then developed their own new and innovative approach.

The open question now: Will these astute business moves help Conti's spinoffs, with all of their different brand names, continue to amass huge illicit profits?



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.