Pro-Ukrainian demonstrators gather outside of the White House to protest the Russian invasion on Feb. 25, 2022, in Washington. Russian President Vladimir Putin launched a full-scale invasion of Ukraine on Feb. 24. (Photo by Samuel Corum/Getty Images)
The Conti ransomware gang quickly dismantled back-end and command-and-control infrastructure Wednesday night following a week-long revolt by its affiliates after the gang signaled its support for Russia during Ukrainian hostilities.

Conti generated $180 million in revenue in 2021 according to a Chainalysis report, making it the most active ransomware group for the year.

Wednesday evening, Radoje Vasovic, founder of the European cybersecurity firm Cybernite, noted internal chatter from Conti's chat servers discussing the tear-down of the group's infrastructure.

"All VM farms are cleared and deleted, all servers are disabled," wrote one member in Russian.
The abrupt shutdown of infrastructure follows a rough week for the criminal nuisance. On Friday, Conti issued a statement saying that it would retaliate against Western critical infrastructure if Western nations targeted Russian infrastructure during the Ukraine conflict. That proved to be a misstep with many of Conti's business partners.

Conti, a ransomware-as-a-service (RaaS) provider, licenses the use of the ransomware it codes to separate hacker groups, many of whom are based in Ukraine or otherwise backing the Ukrainian side of the conflict. One group retaliated by leaking source code and internal chat logs, implicating Conti as taking orders from Russian intelligence during one operation. After the damage to Conti became clear, rival RaaS group LockBit issued its own statement, declaring neutrality.

Allan Liska, a ransomware intelligence expert with Recorded Future, audited around 25 back-end and command-and-control servers mentioned in the leaks, all of which were offline.

Conti's clients appear to be jumping ship. "Affiliates are already hopping to other RaaS offerings," said Liska.

Conti's extortion server, at present, is still online.

Dismantling internal infrastructure is not a good sign for the group, but many ransomware groups have successfully rebranded and relaunched in the past.

"Ransomware groups have been resilient before, but we've also never seen a disaster like this," said Liska. "There is an assumption they will rebrand. But I think they will have trouble earning anyone's trust," he added.
Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.