The Conti ransomware group is rebranding as multiple other ransomware groups, according to Friday research from threat intelligence vendor AdvIntel.
AdvIntel's research blog, titled "DisCONTInued: The End of Conti's Brand Marks New Chapter For Cybercrime Landscape," used internal investigations to posit that the downfall of the Conti ransomware gang has been developing since February, when the gang declared public support for Russia in its invasion of Ukraine and suffered major leaks as a consequence.
The gang has been credited with a number of major ransomware attacks since it was first tracked two years ago. Most notably, the U.S. government offered a $10 million bounty after Conti conducted a massive cyber attack against the Costa Rican government in mid-April.
Last Thursday, aspects of Conti's leak site went down, including the admin panel, negotiation site and victim data upload components. However, certain aspects of the site remained live, including its blog. In a Friday post, Conti operators called the United States "a cancer on the body of the Earth" and appeared to lash out at the country for apparently preventing Conti from getting paid a ransom from Costa Rica.
The shutdown "was not a spontaneous decision," AdvIntel researchers Yelisey Bogusalvskiy and Vitali Kremez said in the vendor's Friday post. Rather, "it was a calculated move, signs of which were evident since late April."
Because Conti pledged allegiance to Russia and got involved in state matters, AdvIntel's post claimed the gang has not received any ransom payments since February. Conti victims did not pay due to the threat of being sanctioned by the U.S. government, and the threat actor's malware became "highly detectable." Thus, Conti was forced to rebrand because, as AdvIntel wrote, "the group can no longer sufficiently support and obtain extortion."
"Our sensitive source intelligence shows that many victims were prohibited to pay ransom to Conti," the blog post said. "Other victims and companies who would have negotiated ransomware payments were more ready to risk the financial damage of not paying the ransom than they were to make payments to a state-sanctioned entity."
To rebrand, Conti operators used preexisting subsidiaries like KaraKurt, BlackByte and BlackBasta alongside new subdivisions that "either utilized existing Conti alter egos and locker malware, or took the opportunity to create new ones," Bogusalvskiy and Kremez wrote. This occurred two months before Conti shut down, the research claimed.
"The rebranded version of Conti -- the monster splitting into pieces still very much alive -- ensured that whatever form Conti's ex-affiliates chose to take, they would emerge into the public eye before news of Conti's obsolescence could spread, controlling the narrative around the dissolution as well as significantly complicating any future threat attributions," AdvIntel's blog post read.
A key part of this plan was to draw as much public attention to Conti as possible while the core gang was gutted in exchange for smaller actors. AdvIntel claimed the Costa Rica attack was less about money than it was to further this larger rebrand.
"The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived," Bogusalvskiy and Kremez wrote. "The attack on Costa Rica indeed brought Conti into the spotlight and helped them to maintain the illusion of life for just a bit longer, while the real restructuring was taking place."
AdvIntel did not respond to SearchSecurity's request for comment.
Alexander Culafi is a writer, journalist and podcaster based in Boston.