Even as the operators of Conti threatened to overthrow the Costa Rican government, the infamous cybercrime gang officially took down their infrastructure in favor of migrating their criminal activities to other ancillary operations, including Karakurt and BlackByte.
“From the negotiations site, chatrooms, messengers to servers and proxy hosts – the Conti brand, not the association itself, is shutting down,” AdvIntel researchers Yelisey Bogusalvskiy and Vitali Kremez said in a report. “However, this does not mean that the threat actors themselves are retiring.”
The voluntary termination, with the exception of its name-and-shame blog, is said to have occurred on May 19, 2022, while an organizational rejig was happening simultaneously to ensure a smooth transition of the ransomware group’s members.
AdvIntel said Conti, which is also tracked under the moniker Gold Ulrick, orchestrated its own demise by utilizing information warfare techniques.
The disbanding also follows the group’s public allegiance to Russia in the country’s invasion of Ukraine, dealing a huge blow to its operations and provoking the leak of thousands of private chat logs as well as its toolset, making it a “toxic brand.”
The Conti team is believed to have been actively creating subdivisions over the course of the last two months. But in tandem, the group began taking steps to control the narrative, sending out “smoke signals” in an attempt to simulate the movements of an active group.
“The attack on Costa Rica indeed brought Conti into the spotlight and helped them to preserve the illusion of life for just a bit longer, while the real restructuring was taking place,” the researchers said.
“The only goal Conti had wanted to meet with this ultimate attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most believable way it could have been conceived.”
The diversion tactics aside, Conti’s infiltration specialists are also said to have forged alliances with other well-known ransomware groups such as BlackCat, AvosLocker, Hive, and HelloKitty (aka FiveHands).
Additionally, the cybersecurity firm said it had seen internal communication alluding to the fact that Russian law enforcement agencies had been putting pressure on Conti to halt its activities in the wake of increased scrutiny and the high-profile nature of the attacks conducted by the crook syndicate.
Conti’s affiliation with Russia has also had other unintended consequences, chief among them being its inability to extract ransom payments from victims in light of severe economic sanctions imposed by the West on the country.
That said, although the brand may cease to exist, the group has adopted what’s called a decentralized hierarchy that involves multiple subgroups with different motivations and business models ranging from data theft (Karakurt, BlackBasta, and BlackByte) to working as independent affiliates.
This is not the first time Gold Ulrick has revamped its inner workings. TrickBot, whose elite Overdose division spawned the creation of Ryuk and its successor Conti, has since been shut down and absorbed into the collective, turning TrickBot into a Conti subsidiary. It has also taken over BazarLoader and Emotet.
“The diversification of Conti’s criminal portfolio paired with its shockingly swift dissolution does bring into question whether their business model will be repeated among other groups,” AdvIntel noted ultimate week.
“Ransomware Inc. is less like the gangs they are often called and much more like cartels as time goes on,” Sam Curry, chief security officer at Cybereason, said in a statement shared with The Hacker News.
“This means partner agreements, specialized roles, business-like R&D and marketing groups and so on. And because Conti is beginning to mirror the sorts of activities we see among lega companies, it’s no surprise they are changing.”