Recent research has revealed that the notorious ransomware group known as Conti continues to target various organizations despite experiencing a substantial data breach of its own earlier this year. This information underscores the resilience of Conti, which is believed to be orchestrated by a Russian cyber actor identified as Gold Ulrick. In the last three months of 2021, Conti was responsible for approximately 19% of all ransomware attacks.

Operating alongside other significant ransomware groups such as LockBit 2.0, PYSA, and Hive, Conti has been implicated in attacks on a range of entities, including hospitals, private businesses, and government agencies. Their modus operandi often involves locking down critical networks and demanding ransom payments for decryption keys, reflecting a calculated approach to extortion.

After Conti expressed support for Russia during its invasion of Ukraine, an anonymous Ukrainian security researcher released internal communications and source code from the group, revealing previously unknown aspects of its operations. This move provided crucial insights into the collaborative nature of cybercriminal enterprises, particularly as it highlighted communication across different threat groups.

A report from Secureworks noted that the leaked chats exposed a sophisticated cybercrime ecosystem in which various financially motivated cyber actors, including Gold Blackburn, Gold Crestwood, Gold Mystic, and Gold Swathmore, were seen collaborating frequently. Such interactions indicate a level of integration in the cybercrime space that goes beyond isolated incidents.

These intelligence findings align with additional research from Intel 471, which tracked Emotet campaigns revealing that numerous Conti targets were also affected by Emotet malspam—a sign of intertwined operations between these groups. Intriguingly, the leak of sensitive information has not impeded Conti’s activities; rather, reports showed a spike in victims in March, suggesting that the group has adapted and evolved its tactics in light of public attention.

As of early April, Conti had already compromised 11 new victims. Experts suggest that the group continuously refines its ransomware and intrusion methodologies, demonstrating not only persistence but also adaptability in its operations. A report from NCC Group corroborated these claims, confirming that Conti's operators had resumed business as usual, exfiltrating data and deploying ransomware.

Simultaneously, investigations have surfaced connections between Conti and the Karakurt data extortion group, which emerged during the ContiLeaks incident, indicating that Karakurt may represent a branch of the overall ransomware-as-a-service model that Conti employs. The financial transactions associated with these groups illustrate a complex intersection of criminal activities, including shared resources and techniques.

Analysis of cryptocurrency transactions has shown that funds are being transferred between Karakurt and Conti wallets, suggesting a strategic intertwining of their operations. Moreover, forensic analysis of a victim’s environment revealed that a significant portion of the attacks involved overlapping tactics, implying a high level of coordination among these cybercriminal entities.

In summary, the persistence of the Conti ransomware group amid internal upheaval highlights a significant concern for businesses, particularly those in sectors deemed critical infrastructure. Business owners must remain vigilant and strengthen their cybersecurity programs to address potential threats effectively, given the evolving risks posed by these interconnected criminal networks.
