Conti’s Legacy: What’s Become of Ransomware’s Most Wanted? – Source: www.govinfosecurity.com

Group Lives on in the Form of More Agile Offshoots Such as Royal and Black Basta

Mathew J. Schwartz
(euroinfosec)

•
June 1, 2023    

Former members of the defunct Russian-speaking Conti ransomware group are continuing to ply their trade under a variety of other guises.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

Thanks to their more compartmentalized and agile approaches, “post-Conti is stronger than ever,” said Yelisey Bohuslavskiy, chief research officer at threat intelligence firm Red Sense, in a report released this week.

Leaks of internal Conti communications early last year revealed a hierarchically run organization that employed about 120 individuals. The FBI estimates that by January 2022, the gang had amassed over $150 million in ransom payments via more than 1,000 victims.

Today, Conti lives on in the form of five smaller and more agile offshoots with a mix of management styles. “Operationally, the division into multiple groups has fueled innovation within Conti,” Bohuslavskiy said. “Each group pursues its own tactics and strategies tailored to their specific objectives.”

The post-Conti operations demonstrate that the most successful ransomware operators remain keen innovators who aren’t afraid to tear up their business plan and start fresh when profits head south. While the spawn of Conti aren’t the only ransomware players in town, the relative success of spinoffs Royal and Black Basta in particular demonstrate how criminals are continuing to find fresh ways to profit via extortion.

Criminal Deception

The decline and fall of Conti began after its leadership’s decision in February 2022 to publicly back Russian President Vladimir Putin’s war against Ukraine. Likely on the advice of legal counsel and concerns over violating sanctions imposed on Russia, victims soon stopped paying ransoms to Conti. In short, its brand was burned.

Fast-forward to May 2022, when security researchers reported that Conti had shut down its data leak and ransom negotiation sites. The move came just days after the U.S. government posted rewards of up to $10 million to anyone who could identify key Conti leaders and up to $5 million for key affiliates. There’s no sign the rewards altered criminals’ behavior.

Until its exit, Conti appeared to remain a going concern, engaging until the last minute in a very public shakedown of Costa Rica’s government.

This appeared to be a smokescreen. The group’s leadership had already launched a number of smaller groups under different names, as demonstrated in part by Conti spinoff Hive taking over the extortion attempt against Costa Rica. Shortly thereafter, law enforcement infiltrated Hive and in January disrupted its servers, perhaps fatally.

Post-Conti Groups’ Extortion

One year after Conti pulled the plug, other offshoots continue to amass fresh victims and illicit profits via extortion. Here’s how Bohuslavskiy’s report describes the multiple groups or collectives that comprise post-Conti operations:

• Royal: Formerly Conti Team Two, this very successful operation features 60 hackers, aka pentesters, drawn from the ranks of Conti or newly recruited – including former affiliates of REvil, Hive, HelloKitty/FiveHands – who work in small teams of four to five people. Typical attacks begin with Emotet, IcedID or its own loader and rely on Cobalt Strike alternatives such as Sliver to hack into targets, after which the group uses Royal or BlackSuit crypto-locking malware.
• Black Basta: Formerly Conti Team Three, the group typically uses QBot to gain initial access, followed by Black Basta’s crypto-locking malware. The BlackByte and Karakurt groups handle data exfiltration.
• Zeon: Formerly Conti Group Team One, the group ran TrickBot, which appears to have been retired owing to poor results. Zeon has been less successful than other post-Conti operations.
• Silent Ransom Group: Formerly an arm of Royal, SRG has experimented with callback phishing campaigns but has not been very successful.
• AvosLocker: This is an affiliated group of English speakers.

The groups’ use of different tools, infrastructure and key personnel helps them find fresh ways to stay lean, mean and tougher to track or disrupt en masse. “Each group maintains its own dedicated lockers, precursor malware and blogs,” Bohuslavskiy said, referring to data leak sites. “If one group is taken down, the other four remain untouched.”

Post-Conti ransomware surges on.