Given the fact that the infamous Conti ransomware gang recently threatened to topple the newly elected Costa Rican government, it may come as a surprise that the ransomware group has just shutdown its operations.

In a press conference on Monday, May 16th, Costa Rica’s President Rodrigo Chaves reminded listeners that the Conti ransomware cartel had infiltrated 27 government institutions, and stated, “We are at war and that’s not an exaggeration.”

Conti ransomware shutdown

According to reports, the Conti gang recently removed their infrastructure from the internet. Conti leaders have indicated that the ‘brand’ will disappear.

The public-facing ‘Conti News’ data leak site and the group’s ransom negotiation sites remain ‘live’. However, the Tor admin panels previously used by members are now offline. Reports also indicate that the group’s rocket chat servers will be decommissioned shortly.

A smoke and mirrors act

Researchers have theorized that Conti may have conducted the attack on Costa Rica’s government in order to create a façade of a live operation while group members gradually dispersed, formed new alliances, and moved to smaller ransomware units.

Internal Conti group documents show that the attack on Costa Rica largely functioned as a publicity stunt.

“…The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” explains an Advanced Intel report.

Members move elsewhere

Despite the Conti brand’s collapse, the cyber crime crew members will continue to play a significant role in the ransomware industry. Former Conti leaders are focused on partnering with smaller ransomware gangs to conduct attacks.

The partnerships enable smaller ransomware gangs to gain an influx of experienced Conti intel analysts, pentesters, negotiators and operators, while the Conti members continue to evade law enforcement.

Conti ransomware gang members are partnering with well-known smaller ransomware groups, including:

Further research shows that new, autonomous groups of Conti members have also emerged. These groups focus activities on data exfiltration, and not data encryption. Names of such groups include Karakurt and the Bazarcall Collective.

Conti ransomware history

The Conti ransomware group (and their ransomware) first appeared during the summer of 2020. It took the place of the Ryuk ransomware gang.

As with Ryuk, Conti’s ransomware saw distribution via partnerships with other ransomware gangs. In time, Conti transformed into the largest known ransomware operation, slowly morphing into a syndicate as they absorbed new members, and capitalized on new opportunities.

The group gained notoriety through attacks against against local government groups, public school systems, and national health organizations.

Conti leadership takes a side

Some contend that the beginning of the end for the Conti ransomware gang started to unfold shortly after the group openly declared approval of Russia’s invasion of Ukraine. The group noted that it would pool all of its resources to defend Russia from cyber attacks.

Subsequently, a Ukrainian security researcher leaked over 170,000 of the group’s internal chat messages, along with the source code for Conti’s ransomware encryptor. The encryptor was then used in attacks against Russian systems.

Further information 

According to the US government, Conti’s ransomware represented one of the costliest strains of ransomware ever created. Officials count thousands of victims. They also report that organizations have made more than $150 million in corresponding ransom payments.

The ferocity of the Conti ransomware gang’s exploits recently prompted the US government to announce a $15 million reward for information leading to the identification and location of Conti leadership. The bullseye is thought to be one of the main incentives for the group’s ‘burning’ of the Conti identity and for new alliances with smaller gangs.

For more information about the inner-workings of the Conti ransomware gang, please see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.