The Conti ransomware gang quickly dismantled back-end and command-and-control infrastructure Wednesday night following a week-long revolt by its affiliates after the gang signalled its support for Russia during Ukrainian hostilities.
Conti generated $180 million in revenue in 2021 according to a Chainalysis report, making it the most active ransomware group for the year.
Radoje Vasovic, founder of the European cybersecurity firm Cybernite, noted internal chatter from Conti’s chat servers discussing the tear-down of the group’s infrastructure.
“All VM farms are cleared and deleted, all servers are disabled,” wrote one member in Russian.
The abrupt shutdown of infrastructure follows a rough week for the criminal nuisance. On Friday, Conti issued a statement saying that it would retaliate against Western critical infrastructure if Western nations targeted Russian infrastructure during the Ukraine conflict. That proved to be a misstep with many of Conti’s business partners.
Conti, a ransomware-as-a-service provider (RaaS), licenses the use of the ransomware it codes to separate hacker groups, many of whom are based in Ukraine or otherwise backing the Ukraine side of the conflict. One group retaliated by leaking source code and internal chat logs, implicating Conti as taking orders from Russian intelligence during one operation. After the damage to Conti became clear, rival RaaS group LockBit issued its own statement, declaring neutrality.
Allan Liska, a ransomware intelligence expert with Recorded Future, audited around 25 back-end and command-and-control servers mentioned in the leaks, all of which were offline.
Dismantling internal infrastructure is not a good sign for the group, but many ransomware groups have successfully rebranded and relaunched in the past. Ransomware groups have been resilient before, but we’ve also never seen a disaster like this