The Conti ransomware gang has been thriving days after a Ukrainian security researcher dubbed "ContiLeaks" exposed the Russia-based ransomware group's internal chats on February 27, reports CyberScoop.
"Conti is back and still operational and will pursue more targets. They're safe and sound," said AdvIntel CEO Vitali Kremez, who added that Conti had carried out successful data breaches at two US-based firms by Monday.
Experts also noted that Conti, which was not completely disabled during the incident, took the first few days after the leaks to move its infrastructure to new systems.
While the leaks have prompted reduced activity from Conti, it remains uncertain whether the group was ever totally inactive, and the past few days have seen a return of botnet and command-and-control activity, said Recorded Future threat analyst Allan Liska.
Returning from significant disruptions is not uncommon among ransomware groups, according to Sophos Senior Security Adviser John Shier.
"Whenever one of these groups gets disrupted, the temptation is to celebrate a little bit, but there's always going to be that okay, well, what's next? Where are they going to pop up next, under what kind of new model potentially are they going to pop up? Because these groups can be fairly resilient," Shier said.
Experts: Conti ransomware thriving after chat leaks