On Wednesday 20th of June 2022, the Conti ransomware gang finally closed the book on its operation after taking down the last two Tor servers, which were used to leak data and negotiate with victims. It was first reported in May that Conti had started to shut down its operations and had told its members that the operations were going to be decommissioned. However, Conti left one member to keep up the appearance of a running operation by continuing to leak data and taunt Costa Rica, allowing the other members to quietly move to other ransomware gangs.
“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” – The May Report by Advanced Intel.
Even though the operation seemed to be still active, no attacks were conducted by the gang, and any data leaked by the remaining Conti member was from older attacks. Furthermore, the member looked to confuse researchers and law enforcement by releasing the same victim’s data on their sites as well as on Hive’s data leak site, where he is also known as an affiliate.
As for the other members of Conti, many of them have been seen joining other well-known gangs, including Hive, AvosLocker, BlackCat, Hello Kitty, and Quantum. Some members have instead launched their own data extortion operations, such as Karakurt, BlackByte, and the Bazarcall collective. It is therefore highly recommended that organisations remain vigilant and practise good cybersecurity habits, as the highly experienced Conti members are still actively targeting victims worldwide, just under other ransomware operations.