Conti Ransomware Group Goes Dark And Restructures In Move That Mimics Terror Cells

In what seems to be the year of security breaches and threat actors stealing data or holding it for ransom, defenders, or blue teamers, cannot seem to catch a break. However, just after the Conti ransomware gang announced that it had hit a major component supplier for Boeing and Lockheed Martin, it appears that Conti as we know it might be coming to an end.

Technically considered ransomware-as-a-service (RaaS), Conti ransomware is believed by MITRE to have been first spotted in 2019 and is managed by the financially motivated threat-actor group “Wizard Spider.” Colloquially, this group, in tandem with its affiliate members, is known as the Conti ransomware gang, responsible for recent high-profile attacks such as those on Boeing and Lockheed Martin supplier Parker Hannifin Corporation, the government of Costa Rica, and the Irish healthcare system, among others. With this, Costa Rican president Rodrigo Chaves recently announced that the country is at war with Conti, declaring it an “international terrorist group.”

Despite this ongoing “war” and the victims currently posted on the Conti leak site, it appears some things are changing. Initially announced on Twitter and now backed up by evidence reported to BleepingComputer, Advanced Intel’s Yelisey Boguslavskiy reports that Conti’s internal “panels and hosts are down.” With this intel in mind, Conti’s recent attacks appear to have been a ruse to make it seem like the group was very much alive and well while its members slowly took their leave for other ransomware groups.

Conti's Warning To The Government of Costa Rica

However, just because the Conti brand may no longer exist, this does not mean the threat is gone; rather, the business model for the ransomware group is merely pivoting. Boguslavskiy further reports that Conti leadership is partnering with smaller ransomware gangs acting as “cells” controlled by central Conti leadership, which is not dissimilar to the structure of terrorist groups like al-Qaeda.

Conti's Revised Structure Courtesy of BleepingComputer and Advanced Intel

This change should not come as a surprise to anyone, as the group has come under much scrutiny in the past several months. With Conti publicly backing Russia during the Ukrainian war and continually attacking or provoking high-profile targets, the threat group’s members are likely under tremendous amounts of pressure.

In any event, we would like to interpret this as a glass-half-full situation, in that investigators were likely getting close to the group. The heat evidently became too much, and Conti members have likely gone underground inside other groups, making them harder to track. Even so, the new Conti structure and its affiliates should open opportunities for investigation, all of which will be quite interesting to follow.