Two months ago, Conti, one of the most feared cybercrime operations in the world, unleashed a blitz of raids against government websites in Costa Rica and Peru. Why has it now disappeared off the radar?
Last April, the Russian cybercrime group targeted numerous institutional websites in several countries, stealing troves of data and threatening to release them unless a ransom was paid. Costa Rica was the worst-hit. And while the government refused to pay up, its online infrastructure has been very slow to recover.
The website for its social security agency was still down in late June and services offered on the Ministry of Finance's website only began to return on June 13, according to local media. Furthermore, senior IT officials have been temporarily suspended as investigations continue.
This capped a period of global fame for Conti, which claimed to have pulled off more ransomware attacks than any other group in 2021. But since April, the group has been comparatively quiet, and experts have said it planned to dismantle itself.
InSight Crime considers why such an infamous criminal group might decide to break up, and what might come next.
Out With the Old
The Conti cybergang specialized in the theft and encryption of sensitive data, which it used to extort "big game prey" like large-scale corporations or governments. Latin American institutions were a favorite target due to substandard cybersecurity practices. Conti was only too happy to announce the weaknesses it found in targets, such as revealing that Peru's National Directorate of Intelligence had no data encryption on its network. Throughout 2021 and into 2022, the cybergang gained notoriety.
But in February this year, Conti's public statement in support of Russia's re-invasion of Ukraine propelled two key changes in its fortunes. First, companies became increasingly unwilling to pay the organization's ransom demands, likely to avoid the risk of violating sanctions by paying an organization associated with the war in Ukraine, or of drawing the ire of the US government.
Second, a member of the Conti gang, allegedly of Ukrainian origin, leaked roughly two years of chat logs between members of the organization, providing a treasure trove of intel on the gang's inner workings.
This was the point of no return for Conti, according to cybersecurity expert Yelisey Boguslavskiy. Yet this was no cause for celebration. After the group released the statement in support of Russia, "they were simply not being paid," said Boguslavskiy. These difficulties triggered a rebranding of the gang that "made them more dangerous than they used to be," he added.
Diluting a Brand
Recognizing that the Conti brand had become geopolitically entangled, the organization set about forming partnerships, loose attachments or full-scale mergers with other cybergangs to adjust to a more federated and decentralized model.
Just as the behemoth drug cartels of yesteryear have diluted and splintered into swarms of smaller drug trafficking cells across much of Latin America, the most adaptive player in cybercrime appeared to be fragmenting too.
The fall of Conti is not the end of a cybercrime giant, but just a dilution marking a significant change in its modus operandi. According to Boguslavskiy, Conti's leadership saw the writing on the wall and formed partnerships with many well-known ransomware gangs like ALPHV/BlackCat, KaraKurt, BlackByte and others.
In the midst of this rebranding exercise, the organization launched, with great fanfare, its attack on Costa Rica. Despite the serious damage inflicted, prompting the government to declare a state of national emergency, no payment was ever given.
According to Boguslavskiy, Conti never expected to receive any money. "They wanted to create this framework in which Conti technically still exists and is still operational and powerful and is capable of large-scale attacks." In reality, Boguslavskiy claims their initial ransom demand was less than $1 million because they knew they'd never be paid, and the attack was simply a distraction from the reality that Conti's leadership had already found new homes among its new affiliates.
The cybergang's attack on Costa Rica was no accident. Steph Shample, a cybersecurity expert and fellow at the Middle East Institute, told InSight Crime that when it comes to preparation, Conti is a cut above the rest. "They are more careful and deliberate in their research. They tailor [their efforts] to their victims," said Shample.
So who are the leading players in cybercrime now? As of mid-June, two criminal federations appear to stand above the rest: Conti and its multitudes of affiliate organizations, and those associated with LockBit.
LockBit is a Ransomware-as-a-Service (RaaS) provider renting out its programs to a host of clients while taking a cut of their profits. Like Conti, LockBit has opted for a more decentralized model than its predecessors, serving more as a principal node for a larger network of semi-autonomous cybergangs than a single hierarchical organization.
Where groups like Conti strive for quality, both in the execution of their theft and the negotiating process with their victims, groups like LockBit opt for quantity.
As a RaaS organization, LockBit has followed a less sophisticated approach of simply renting out its ransomware programs to lower-level criminal actors. Such a strategy lowers the barriers to entry for such cybercrimes, and LockBit attacks have been detected in Chile, Colombia and Brazil. In April, Rio de Janeiro's Secretariat of Finance was attacked, with about 420 gigabytes of information stolen.
However, this does not mean successful payouts have been forthcoming.
“At the end of the day, the leadership of LockBit are not getting paid because they’re supposed to be getting a percentage of the ransom payments that their affiliates are getting,” stated Boguslavskiy. “If the affiliates are not successful, if they can’t get money, then LockBit is also not getting any money.”
In short, while RaaS and the proliferation of smaller ransomware gangs elevate the risk of attacks, countries like Brazil, Chile and Colombia will likely see companies on their soil paying out less and less as they devote more resources to cybersecurity legislation.
Bigger players, like Conti, which adapt with greater sophistication in terms of target selection and data exfiltration, will likely be the criminal actors seeing real profits.
Conti’s affiliates continue to strike at Latin American targets, with Peru’s Comptroller General announcing an attack from BlackByte on June 15. Already, the cybergang has placed the institution on its “shame list” of victims, according to the firm BetterCyber.