Conti Criminals Resurface as Splinter RaaS Groups


Conti—one of the most ruthless and successful Russian ransomware groups—has been quiet since the group publicly announced it would cease operations in the wake of the ContiLeaks data breach. In early 2022, the cybercriminal gang fell victim to an attack that published insider data and revealed to the world how the nation-state-sponsored, multimillion-dollar group operated.


However, research from Intel 471 suggests the group’s former members were anything but dormant, with some actors branching out into side projects that leveraged their experience in segments of Conti’s prior operations, including data theft or network access. These include the Black Basta ransomware gang, whose tactics, techniques and procedures (TTPs) Intel 471 researchers said showed signs of overlap with those used by Conti.


Although the report conceded it could not directly confirm the link, it noted that Black Basta’s data leak blogs, payment sites and negotiation methods all bore similarities to Conti’s operations.


The same was true for BlackByte ransomware and its “worm” capabilities that appeared similar to Conti’s, which led Intel 471 to conclude that BlackByte is possibly a rebranded Conti operation created solely to maximize its previous data extortion schemes.


Brad Crompton, director of intelligence for Intel 471’s Shared Services, said individuals working as freelancers or joining up with other ransomware-as-a-service (RaaS) groups allowed other criminal groups to become that much stronger.


“Think of it the same way as a company looking to recruit talent after a competitor goes out of business: There are skills that can be applied to their own operations which only serves to strengthen their attacks,” he said. “Moreover, new activities may highlight business sectors that these RaaS groups seek to target or new TTPs that are being used.”


Crompton said by monitoring for specific targeting of sectors or looking for specific TTPs used, businesses can remain prepared and stay one step ahead of pending threats.


“Given that former Conti actors or affiliates have branched out to some of the most active RaaS groups currently operating, the threat is serious,” he added. “Conti had some skilled operators well-versed in the various steps of a ransomware attack. By integrating those people into their own schemes, other RaaS groups like LockBit 3.0 or ALPHV only grow stronger.”


He said it’s important to follow these threat actors because it’s highly likely that they will resurface as part of some other criminal undertaking and use specific TTPs, which may enable tracking of new aliases under which these threat actors choose to operate or enable mitigation of those TTPs.


“The public saw Conti fracture and eventually cease operations once ContiLeaks exposed their inner workings,” Crompton said. “By continuing to follow their actions, it continually makes it more difficult for them to remain operationally secure, brings unwanted attention to their schemes and makes it much harder for them to operate successfully.”


He added that this splintering and resurgence of Conti-affiliated malicious actors is a perfect example of how financially-motivated cybercriminals are opportunistic above all else.


“Their first loyalty is to money, and these actors will gravitate toward whatever is the easiest path to that end,” he said. “We would expect the same shift if a different group, like LockBit 3.0 or ALPHV, were doxxed; those actors would move to other groups that would allow them to make money as quickly and easily as possible.”