The notorious ransomware gang Conti went out with a bang earlier this month, taking down key pieces of its infrastructure and initiating a massive reset of operations. The decommissioning came just weeks after it attacked Costa Rica’s government and demanded a regime change in the Central American nation.
Conti reached toxic status as a brand after it aligned itself with the Russian government following the invasion of Ukraine and initiated multiple ransomware attacks in Latin America. The U.S. State Department earlier this month offered a $15 million reward for information on the group’s leadership.
The syndicate has been extraordinarily dangerous, having targeted the IT systems of many enterprises around the globe. Conti’s tactics and success offer further evidence that the ransom extortion model has turned serious.
The FBI describes the Conti ransomware variant as “the costliest strain of ransomware ever documented.” It estimates more than 1,000 victims have suffered attacks associated with Conti ransomware and total victim payouts exceed $150 million as of January 2022. The FBI also alleges the Conti group is responsible for hundreds of ransomware attacks during the last two years.
Now the Conti brand, not the organization itself, is dead, according to AdvIntel researchers Yelisey Boguslavskiy and Vitali Kremez. Conti shut down some of its infrastructure and is restructuring its operations after heightened scrutiny and ties to Russia impacted its bottom line. Members of the group still pose a significant threat as Conti reconstitutes itself.
The FBI declined to comment on Conti's operational status and the group's reorganization effort. "As this is an ongoing matter, we do not have any additional information to provide at this time," a spokesperson said via email.
“They might come up under a new name, which happens from time to time, where they kind of rebrand in order to escape some of the reputation or the law enforcement scrutiny on the group,” said Adam Meyers, SVP of intelligence at Crowdstrike.
Falling under the spotlight, whether intended or not, fueled Conti’s brashness and what John Shier, senior security advisor at Sophos, described as “performance art.”
Conti’s leadership remains at large and it plans to continue targeting organizations, he and multiple analysts told Cybersecurity Dive.
“While any threat should be taken seriously, criminals like Conti are not above using them as attention-grabbing, infantile taunts,” Shier wrote in an email.
The Russia-based group’s allegiance to the Russian government fractured loyalties among the threat actor’s ranks. Soon after, a leak at Conti exposed information from the group’s chat servers about who it interacted with and how it operated.
The exposure likely caused Conti leadership to rethink its operating model, increase its operational security and stand up new infrastructure, Meyers said. Conti’s association with Russia also became a practical burden as mounting sanctions made ransom payments a potentially serious criminal violation.
Brashness, calls for violence precede Conti's flame-out
Conti stands out for its fearless attacks on nations and it might feel justified going after government targets because of its ties to Russia, said Allie Mellen, a Forrester analyst.
“It’s still quite baffling to see a ransomware group target a country like this and to also make threats to other countries,” she said.
Last month’s attack on Costa Rica’s government infrastructure hit at least 27 institutions.
Within weeks of the attack, newly elected Costa Rican President Rodrigo Chaves declared a national emergency in one of his first official acts in office. Conti responded by doubling its initial ransom demand to $20 million.
After Conti isolated itself with Russia it felt emboldened to lash out at other governments, but the backlash has been tough for the group, Michela Menting, research director at ABI Research, wrote in an email.
As Conti ransomware hits multiple organizations around the world, it remains difficult to determine which attacks are sanctioned by the group's leadership. Conti's attacks in Latin America, for example, may have been the work of an affiliate using a ransomware-as-a-service program the group operates under a revenue-sharing model, according to Meyers.
That program is probably closed or being tamped down, he said. “It does have some brand and reputational impact for the criminal enterprise,” and Conti has seen what happens to other cyber threat actors that have run afoul of the U.S. government and Western law enforcement, Meyers said.
Some of Conti’s seemingly erratic activities of late appear to be a diversion by design, according to Boguslavskiy and Kremez. The attack on Costa Rica “helped [Conti] to maintain the illusion of life for just a bit longer, while the real restructuring was taking place,” the AdvIntel researchers wrote in their report.
This isn't the first and likely won't be the last rebirth for Conti. The group emerged in 2016 as a botnet and began repurposing its infrastructure for ransomware attacks in 2018. Its data exfiltration activities commenced in 2019, and in 2020 it started loading different malware packages designed to be offered as ransomware as a service, Meyers said.
The group was creating new tools as recently as last month, he said.
The number of ransomware attacks on large organizations jumped 10% in the first 18 weeks of 2022 and the average initial ransom demand per incident stands at $6.1 million, according to Crowdstrike data.
Conti, or whatever it calls itself now, isn’t going to willingly let that go, Meyers said.
What’s next for Conti?
Conti’s brazen pursuit of high-level targets and blustery statements are worrying for those charged with protecting sensitive infrastructure, Shier said. “Then again, these are criminals who wouldn’t think twice about lying and cheating to make a buck,” he said.
Meyers echoed that sentiment. “It’s all kind of a 'no honor amongst thieves' type of situation where you can believe what they say, but still take it with a grain of salt.”
Conti might be regrouping for more high-level attacks on critical infrastructure or governments, but analysts and researchers are quick to point out that its ransom haul remains the group's ultimate objective.
“For any organized business, cybercriminal or not, the bottom line is very often always more important than political positioning,” Menting said.
The U.S. government and others need to take these threats seriously and prepare adequately because cyberattacks on government institutions or political leaders can have geopolitical ramifications, according to Mellen.
At what point, she asked, does a cybercriminal outright targeting government officials and infrastructure become a combatant?
Meyers maintains that Conti's mandate is to make money. "They're a significantly large organization, they've got a lot of mouths to feed. And as long as there's money to be made doing these types of data extortion and ransomware operations, they're not going to shut down."