"Conti Ransomware Operation Shut Down After Brand Becomes Toxic"

Security researchers at AdvIntel have discovered that the Conti ransomware operation has undergone significant organizational changes in the past months after the brand became toxic due to its affiliation with the Russian government. While the group appeared to be very active, the researchers stated that it has been in the process of shutting down the Conti brand and switching to a different organizational structure that involves multiple subgroups. The researchers noted that the downfall of the Conti brand began when Conti pledged to support Russia. With sanctions mounting against Russia and the group's declaration of support, paying the cybercriminals could be considered a payment to Russia and implicitly a violation of sanctions. The researchers stated that many victims of Conti were prohibited from paying the ransom. Other victims and companies who would otherwise have negotiated ransomware payments were more willing to risk the financial damage of not paying than to make payments to a sanctioned entity. Instead of suddenly disappearing as REvil tried to do, Conti decided to gradually shift to a new strategy, put into practice well before the Conti brand would be shut down. The researchers stated that the Conti operation was officially shut down on May 19, when its site's admin panel and negotiations service went offline and the rest of the infrastructure was reset. However, before the shutdown, the group continued to appear active and made a grand exit by hacking into the systems of Costa Rica, claiming that its goal was to overthrow the government. Currently, the Conti brand has been terminated, and the group's leaders have switched to what AdvIntel describes as a "network organizational structure" that is more "horizontal and decentralized" compared to the previous hierarchy, which has been described as "rigid."
The researchers noted that the new structure will be a coalition of several equal subdivisions, some of which will be independent and some existing within another ransomware collective.  However, they will all be united by internal loyalty to both each other and the Conti leadership, especially Conti project frontman 'reshaev', the cybersecurity firm explained.  The researchers stated that the Conti network now includes fully autonomous groups, such as Karakurt, Black Basta, and BlackByte, which do not use data-encrypting malware and instead only rely on the theft of valuable information to extort victims.  The new Conti network also includes semi-autonomous groups that use locker malware, such as AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.


SecurityWeek reports: "Conti Ransomware Operation Shut Down After Brand Becomes Toxic"
