Conti Shuts Down Infrastructure, Splits into Smaller Units

A publicity stunt

• As it appears, Conti wanted to use the Costa Rica attack as a platform for publicity, to declare their shutdown and rebirth in the most believable way.
• The attack on Costa Rica was rather to gain publicity instead of ransom, announced internally by the Conti leadership. Hence, the requested ransom payment was below $1 million, even though the initial claims were suspected to be around $10 to $20 million.

Details of the Conti shutdown

• The Tor admin panels used by the operators to perform negotiations and publish news on their data leak site are offline.
• Other internal services, such as rocket chat servers, are being decommissioned. However, the public-facing 'Conti News' data leak and ransom negotiation sites are online.
• The researcher claims that instead of rebranding Conti as another group, the existing members—experienced pentester, operators, and negotiators—would be joining other ransomware operations to carry out attacks.

Is Conti still active?

• Even though the Conti ransomware brand is no more, the cybercrime enterprise is expected to remain active for a long time.
• The Conti leadership has previously been linked with other smaller ransomware groups such as HelloKitty, Hive, BlackCat, AvosLocker, and BlackByte to conduct attacks.

Conclusion