Conti's Trails



In May 2022, the notorious Conti ransomware group shut down its operations. Despite the disbanding, traces of the group's influence still loom in cyberspace. In a blog post, security researcher @BushidoToken explores Conti's continuity through the ransomware groups and malware associated with it. Quantum, Black Basta, and Royal ransomware are all exceptionally proficient ransomware groups, and their success can be attributed to the influence of Conti. An initial access broker, tracked as EXOTIC LILY by Google TAG, has been observed providing access for attacks that led to the deployment of both Conti and Quantum ransomware.

Overlaps in tactics, techniques, and procedures (TTPs), as well as in C2 infrastructure for malware such as BumbleBee, Cobalt Strike, and Brute Ratel, support Conti's ties to Black Basta and Royal ransomware. In addition, Black Basta's ability to swiftly amass a victim count exceeding 90 since its emergence in April 2022 is likely due to the work of experienced threat actors. The same can be said for the Royal ransomware group, which does not operate under a ransomware-as-a-service (RaaS) model, preferring to operate as a closed group. A prominent tactic used by both Conti and Royal is BazarCall campaigns, which combine phishing emails with an audio call to a call center, resulting in the installation of remote access software.

As observed by @BushidoToken and AdvIntel, Conti's operations, whilst disbanded, have likely only dispersed into other groups, given the size of the ransomware ecosystem. "The Conti leaks further highlighted that sophisticated Russian cybercrime businesses can continue to operate despite major disruptions, albeit in separate clusters and splinter groups."
