Conti’s cybercriminals have prepared a spectacular end of service

Attacking a country, Costa Rica, and forcing its president to declare a state of emergency, all as a simple diversion: this is what the Conti cybercriminal group is said to have done, according to cybersecurity researchers Yelisey Boguslavskiy and Vitali Kremez. The purpose of the operation was reportedly to reorganize behind the scenes and shed an identity that had become too heavy to bear. Conti is said to have officially died on May 19.

Russian-speaking cybercriminal rule #1: don’t get involved in politics

Conti News, the collective’s public site, seems very active. Data stolen from victims is still marked as in transit. The post dedicated to Costa Rica was updated on May 21, 2022, and about fifteen others appeared on May 23. However, Yelisey Boguslavskiy of Advanced Intelligence (AdvIntel) considers this to be mere window dressing.

He indicated on May 19 that “Conti News’ crucial operational function of uploading new data in order to intimidate victims into paying no longer exists, as all the infrastructure related to trading, data uploads and hosting stolen data has been closed”.

For the researcher, it goes further. This closure was reportedly not “a spontaneous decision” but rather “a calculated move, the signs of which had been evident since the end of April”. The Conti group, adept at ransomware, acquired unprecedented notoriety in the eyes of the general public in 2022.

Created in the summer of 2020, the collective has pulled off several media stunts. The first was an attack on the Irish healthcare system. The group ended up handing over a decryption key free of charge. It is considered to have generated the most revenue in 2021.

It was Russia’s invasion of Ukraine that definitively exposed it. Unusually for this milieu, the group came out openly in favor of Russia at the beginning of the conflict. This did not sit well with some of its members, anti-war Ukrainians or Russians, and 170,000 internal messages quickly leaked.

Despite a backpedal, Conti’s business became much more difficult to conduct. The group had violated an unspoken rule of Russian-speaking cybercriminals: do not interfere in state affairs, to avoid attracting Moscow’s attention. The FSB, the country’s internal intelligence service, reportedly put pressure on the group.

Now “Conti” smells of sulphur. According to AdvIntel, ransoms are paid less and less. Western victims fear a double penalty: being extorted by cybercriminals on the one hand, and being punished by their government for circumventing international sanctions on the other. On May 6, 2022, the US State Department offered $10 million to dismantle the group.

Conti wants to have babies

Conti, aware of the toxicity of its brand, set out to reorganize in order to free itself from it. AdvIntel reports that it detected preparations for the attack on Costa Rica as early as April 14. The local authorities were notified the next day, a few days before the first incidents.

Conti wanted this operation to be known. Its political statements, which had become discreet after the pro-Russian stance, resumed with renewed vigor. On specialized forums, the collective boasted of being in better shape than ever. In fact, the President of Costa Rica had to place his country in a state of national emergency on May 8, 2022.

According to AdvIntel, all of this is actually Conti’s swan song. While a few members stay visible, the rest cover their tracks and form smaller, more discreet groups. “The attack on Costa Rica indeed put Conti in the limelight and helped him maintain the illusion of life for a bit longer as the real restructuring was underway,” the cybersecurity researchers explain.

These groups have been classified into several categories by AdvIntel. Some are autonomous or semi-autonomous, others are completely independent, and the last integrate with other cybercriminal groups to take on their identity, “mergers and acquisitions”.

Representation of Conti’s reorganization. Credit: AdvIntel

The members of these groups reportedly remain united and loyal to Conti’s leadership, and in particular to “reshaev”, a figure of the collective who is as good a coder as an organizer. More horizontal and decentralized, the former members seem to work among themselves and remain relatively closed to other cybercriminals, according to AdvIntel. The Conti spirit should survive the disappearance of the group as such.