Intel 471 Tracking Conti Ransomware Group
While the Conti group may have publicly announced that it was stopping operations, that doesn’t mean the group has totally disappeared.
Since the announcement in May, Intel 471 researchers have observed Conti-loyal actors splinter and move in different directions within the cybercrime underground. Some actors have leaned into side projects that take advantage of segments of Conti’s prior operations, like network access or data theft. Others have allegedly forged alliances with other RaaS groups, building upon individual relationships that were cultivated during Conti’s existence.
Whatever path former Conti-affiliated actors have chosen, they are still focused on making profits and staying out of law enforcement custody as they move past the information leaks and subsequent media attention of the last few months.
The Black Basta ransomware gang, which started operations a month before Conti announced its shutdown, has shown signs of overlap with Conti’s TTPs, Intel 471 said. Black Basta’s data leak blogs, payment sites, recovery portals, victim communications and negotiation methods all bear similarities to Conti’s operations. Despite those similarities, Intel 471 can’t fully confirm that Black Basta is solely a rebrand launched by former Conti group members.
Brad Crompton is director of intelligence for Intel 471’s Shared Services.
“It’s important to follow these threat actors because it’s highly likely that they will resurface as part of some other criminal undertaking, or will use specific TTPs that may enable tracking new aliases that these threat actors may choose to operate under, or enable mitigation of specific TTPs,” he said. “The public saw Conti fracture and eventually cease operations once the ContiLeaks exposed their inner workings. By continuing to follow their actions, it continually makes it more difficult for them to remain operationally secure, bringing unwanted attention to their schemes, and making it much harder for them to operate successfully.”
When former Conti actors work as freelancers or join other RaaS groups, those other criminal groups become that much stronger, Crompton said.
“Think of it the same way as a company looking to recruit talent after a competitor goes out of business,” he said. “There are skills that can be applied to their own operations, which only serves to strengthen their attacks. Moreover, new activities may highlight business sectors that these RaaS groups seek to target, or new TTPs that are being used. By monitoring for specific targeting of sectors or TTPs used, businesses can remain prepared and stay one step ahead of pending threats.”
Given that former Conti actors or affiliates have branched out to some of the most active RaaS groups currently operating, the threat is serious, Crompton said.
“Conti had some skilled operators along the various steps of a ransomware attack,” he said. “By integrating those people into their own schemes, other RaaS groups like LockBit 3.0 or ALPHV only grow stronger. This is a perfect example of how financially-motivated cybercriminals are opportunistic above everything else. Their first loyalty is to money, and these actors will gravitate towards whatever is the easiest path to that. We would expect the same shift if a different group like LockBit 3.0 or ALPHV were doxxed, with those actors moving to other groups that would allow them to make money as quickly and easily as possible.”