How Russian Cybercrime Group, Conti, Terrorized Latin America and Vanished

CYBERCRIME / 27 JUN 2022 BY SCOTT MISTLER-FERGUSON

Two months ago, Conti, one of the most feared cybercrime operations in the world, unleashed a blitz of raids against government websites in Costa Rica and Peru. Why has it now disappeared off the radar?

Last April, the Russian cybercrime group targeted numerous institutional websites in several countries, stealing troves of data and threatening to release them unless a ransom was paid. Costa Rica was the worst hit. And while the government refused to pay up, its online infrastructure has been very slow to recover.

The website for its social security agency was still down in late June and services offered on the Ministry of Finance's website only began to return on June 13, according to local media. Furthermore, senior IT officials have been temporarily suspended as investigations continue.

This capped a period of global fame for Conti, which claimed to have pulled off more ransomware attacks than any other group in 2021. But since April, the group has been comparatively quiet, and experts have said it planned to dismantle itself.

InSight Crime considers why such an infamous criminal group might decide to break up, and what might come next.

Out With the Old

The Conti cybergang specialized in the theft and encryption of sensitive data, which it used to extort "big game prey" like large-scale corporations or governments. Latin American institutions were a favorite target due to substandard cybersecurity practices. Conti was only too happy to announce the weaknesses it found in targets, such as revealing that Peru's National Directorate of Intelligence had no data encryption on its network. Throughout 2021 and into 2022, the cybergang gained notoriety.

But in February this year, Conti's public statement in support of Russia's re-invasion of Ukraine propelled two key changes in its fortune. First, companies became increasingly unwilling to pay the organization's ransom demands, likely to avoid the risk of violating sanctions by paying an organization associated with the war in Ukraine, or of drawing the ire of the US government.

Second, a member of the Conti gang, allegedly of Ukrainian origin, leaked roughly two years of chat logs between members of the organization, providing a treasure trove of intel on the gang's inner workings.

This was the point of no return for Conti, according to cybersecurity expert Yelisey Boguslavskiy. Yet this was no cause for celebration. After the group released the statement in support of Russia, "they were simply not being paid," said Boguslavskiy. These difficulties triggered a rebranding of the gang that "made them more dangerous than they used to be," he added.

Diluting a Brand

Recognizing that the Conti brand had become geopolitically entangled, the organization set about forming partnerships, loose attachments or full-scale mergers with other cybergangs to adjust to a more federated and decentralized model.

Just as the behemoth drug cartels of yesteryear have diluted and splintered into swarms of smaller drug trafficking cells across much of Latin America, the most adaptive player in cybercrime appeared to be fragmenting too.

The fall of Conti is not the end of a cybercrime giant, but just a dilution marking a significant change in its modus operandi. According to Boguslavskiy, Conti's leadership saw the writing on the wall and formed partnerships with many well-known ransomware gangs like ALPHV/BlackCat, KaraKurt, BlackByte and others.

In the midst of this rebranding exercise, the organization launched, with great fanfare, its attack on Costa Rica. Despite the serious damage inflicted, prompting the government to declare a state of national emergency, no payment was ever given.

According to Boguslavskiy, Conti never expected to receive any money. "They wanted to create this framework in which Conti technically still exists and is still operational and powerful and is capable of large-scale attacks." In reality, Boguslavskiy claims, their initial ransom demand was less than $1 million because they knew they'd never be paid, and the attack was simply a distraction from the reality that Conti's leadership had already found new homes among its new affiliates.

The cybergang's attack on Costa Rica was no accident. Steph Shample, a cybersecurity expert and fellow at the Middle East Institute, told InSight Crime that when it comes to preparation, Conti is a cut above the rest. "They are more careful and deliberate in their research. They tailor [their efforts] to their victims," said Shample.

Ransomware Evolved

So who are the leading players in cybercrime now? As of mid-June, two criminal federations appear to stand above the rest: Conti and its multitudes of affiliate organizations, and those associated with LockBit.

LockBit is a Ransomware-as-a-Service (RaaS) provider renting out its programs to a host of clients while taking a cut of their profits. Like Conti, LockBit has opted for a more decentralized model than its predecessors, serving more as a principal node for a larger network of semi-autonomous cybergangs than a single hierarchical organization.

Where groups like Conti strive for quality, both in the execution of their theft and the negotiating process with their victims, groups like LockBit opt for quantity.

As a RaaS organization, LockBit has followed a less sophisticated approach of simply renting out its ransomware programs to lower-level criminal actors. Such a strategy lowers the barriers to entry for such cybercrimes, and LockBit attacks have been detected in Chile, Colombia and Brazil. In April, Rio de Janeiro's Secretariat of Finance was attacked, with about 420 gigabytes of information stolen.

However, this does not mean successful payouts have been forthcoming.

“At the end of the day, the leadership of LockBit are not getting paid because they’re supposed to be getting a percentage of the ransom payments that their affiliates are getting,” stated Boguslavskiy. “If the affiliates are not successful, if they can’t get money, then LockBit is also not getting any money.”

In short, while RaaS and the proliferation of smaller ransomware gangs elevate the risks of attacks, countries like Brazil, Chile and Colombia will likely see companies on their soil paying out less and less as they devote more resources to cybersecurity legislation.

Bigger players, like Conti, which adapt with greater sophistication in terms of target selection and data exfiltration, will likely be the criminal actors seeing real profits. 

Conti’s affiliates continue to strike at Latin American targets, with Peru’s Comptroller General announcing an attack from BlackByte on June 15. Already, the cybergang has placed the institution on its “shame list” of victims, according to the firm BetterCyber.
