
How Russian Cybercrime Group, Conti, Terrorized Latin America and Vanished

COSTA RICA / 27 JUN 2022 / BY SCOTT MISTLER-FERGUSON

Two months ago, Conti, one of the most feared cybercrime operations in the world, unleashed a blitz of raids against government websites in Costa Rica and Peru. Why has it now disappeared off the radar?

Last April, the Russian cybercrime group targeted numerous institutional websites in several countries, stealing troves of data and threatening to release them unless a ransom was paid. Costa Rica was the worst hit. And while the government refused to pay up, its online infrastructure has been very slow to recover.

The website for its social security agency was still down in late June and services offered on the Ministry of Finance's website only began to return on June 13, according to local media. Furthermore, senior IT officials have been temporarily suspended as investigations continue.

This capped a period of global fame for Conti, which claimed to have pulled off more ransomware attacks than any other group in 2021. But since April, the group has been comparatively quiet, and experts have said it planned to dismantle itself.

InSight Crime considers why such an infamous criminal group might decide to break up, and what might come next.


Out With the Old

The Conti cybergang specialized in the theft and encryption of sensitive data, which it used to extort "big game prey" like large-scale corporations or governments. Latin American institutions were a favorite target due to substandard cybersecurity practices. Conti was only too happy to announce the weaknesses it found in targets, such as revealing that Peru's National Directorate of Intelligence had no data encryption on its network. Throughout 2021 and into 2022, the cybergang gained notoriety.

But in February this year, Conti's public statement in support of Russia's re-invasion of Ukraine propelled two key changes in its fortune. First, companies became increasingly unwilling to pay the organization's ransom demands, likely to avoid the risk of violating sanctions by paying an organization associated with the war in Ukraine, or of drawing the ire of the US government.

Second, a member of the Conti gang, allegedly of Ukrainian origin, leaked roughly two years of chat logs between members of the organization, providing a treasure trove of intel on the gang's inner workings.

This was the point of no return for Conti, according to cybersecurity expert Yelisey Boguslavskiy. Yet this was no cause for celebration. After the group released the statement in support of Russia, "they were simply not being paid," said Boguslavskiy. These difficulties triggered a rebranding of the gang that "made them more dangerous than they used to be," he added.

Diluting a Brand

Recognizing that the Conti brand had become geopolitically entangled, the organization set about forming partnerships, loose attachments or full-scale mergers with other cybergangs to adjust to a more federated and decentralized model.

Just as the behemoth drug cartels of yesteryear have diluted and splintered into swarms of smaller drug trafficking cells across much of Latin America, the most adaptive player in cybercrime appeared to be fragmenting too.

The fall of Conti is not the end of a cybercrime giant, but just a dilution marking a significant change in its modus operandi. According to Boguslavskiy, Conti's leadership saw the writing on the wall and formed partnerships with many well-known ransomware gangs like ALPHV/BlackCat, KaraKurt, BlackByte and others.

In the midst of this rebranding exercise, the organization launched, with great fanfare, its attack on Costa Rica. Despite the serious damage inflicted, which prompted the government to declare a state of national emergency, no payment was ever made.

According to Boguslavskiy, Conti never expected to receive any money. "They wanted to create this framework in which Conti technically still exists and is still operational and powerful and is capable of large-scale attacks." In reality, Boguslavskiy claims their initial ransom demand was less than $1 million simply because they knew they'd never be paid, and the attack was simply a distraction from the reality that Conti's leadership had already found new homes among its new affiliates.

The cybergang's attack on Costa Rica was no accident. Steph Shample, a cybersecurity expert and fellow at the Middle East Institute, told InSight Crime that when it comes to preparation, Conti is a cut above the rest. "They are more careful and deliberate in their research. They tailor [their efforts] to their victims," said Shample.


Ransomware Evolved

So who are the leading players in cybercrime now? As of mid-June, two criminal federations appear to stand above the rest: Conti and its multitudes of affiliate organizations, and those associated with LockBit.

LockBit is a Ransomware-as-a-Service (RaaS) provider renting out its programs to a host of clients while taking a cut of their profits. Like Conti, LockBit has opted for a more decentralized model than its predecessors, serving more as a principal node for a larger network of semi-autonomous cybergangs than a single hierarchical organization.

Where groups like Conti strive for quality, both in the execution of their theft and the negotiating process with their victims, groups like LockBit opt for quantity.

As a RaaS organization, LockBit has followed a less sophisticated approach of simply renting out its ransomware programs to lower-level criminal actors. Such a strategy lowers the barriers to entry for such cybercrimes, and LockBit attacks have been detected in Chile, Colombia and Brazil. In April, Rio de Janeiro's Secretariat of Finance was attacked, with about 420 gigabytes of information stolen.

However, this does not mean successful payouts have been forthcoming.

“At the end of the day, the leadership of LockBit are not getting paid because they’re supposed to be getting a percentage of the ransom payments that their affiliates are getting,” stated Boguslavskiy. “If the affiliates are not successful, if they can’t get money, then LockBit is also not getting any money.”

In short, while RaaS and the proliferation of smaller ransomware gangs elevate the risks of attacks, countries like Brazil, Chile and Colombia will likely see companies on their soil paying out less and less as they devote more resources to cybersecurity legislation.

Bigger players, like Conti, which adapt with greater sophistication in terms of target selection and data exfiltration, will likely be the criminal actors seeing real profits. 

Conti’s affiliates continue to strike at Latin American targets, with Peru’s Comptroller General announcing an attack from BlackByte on June 15. Already, the cybergang has placed the institution on its “shame list” of victims, according to the firm BetterCyber.


We encourage readers to copy and distribute our work for non-commercial purposes, with attribution to InSight Crime in the byline and links to the original at both the top and bottom of the article. Check the Creative Commons website for more details of how to share our work, and please send us an email if you use an article.
