The notorious ransomware group known as Conti has continued its onslaught against targets despite suffering a massive data leak of its own earlier this year, according to new research.
Conti, attributed to a Russia-based threat actor known as Gold Ulrick, is one of the most prevalent malware strains in the ransomware landscape, accounting for 19% of all attacks during the three-month period between October and December 2021.
One of the most prolific ransomware groups of the last year alongside the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme.
But after the cybercriminal cartel came out in support of Russia over its invasion of Ukraine in February, an anonymous Ukrainian security researcher under the Twitter handle ContiLeaks began leaking the source code as well as private conversations between its members, offering an unprecedented insight into the group’s workings.
“The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” Secureworks said in a report published in March. The groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID).
Indeed, Intel 471’s technical tracking of Emotet campaigns between December 25, 2021, and March 25, 2022, identified that over a dozen Conti ransomware targets were, in fact, victims of Emotet malspam attacks, highlighting how the two operations are intertwined.
That said, the leaks do not appear to have put a dampener on the syndicate’s activities, with the number of Conti victims posted in March surging to the second-highest monthly total since January 2021, according to the cybersecurity firm.
What’s more, the group is said to have added 11 victims in the first four days of April, even as the operators continue to “evolve its ransomware, intrusion methods, and approaches” in response to the public disclosure of their arsenal.
The findings have also been corroborated by NCC Group late last month, which said that “Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware.”
A web of connections between Conti and Karakurt
The development comes as financial and tactical overlaps have been uncovered between Conti and the Karakurt data extortion group, based on information published during the ContiLeaks saga, weeks after TrickBot’s operators were subsumed into the ransomware cartel.
An analysis of blockchain transactions associated with cryptocurrency addresses belonging to Karakurt has shown “Karakurt wallets sending substantial sums of cryptocurrency to Conti wallets,” according to a joint investigation by researchers from Arctic Wolf and Chainalysis.
The shared wallet hosting is also said to involve the now-defunct TrickBot gang’s Diavol ransomware, with a “Diavol extortion address hosted by a wallet containing addresses used in Conti ransomware attacks,” indicating that Diavol is being deployed by the same set of actors behind Conti and Karakurt.
Further forensic examination of an unnamed client that was hit with a subsequent wave of extortion attacks following a Conti ransomware infection has revealed that the second group used the same Cobalt Strike backdoor left behind by Conti, implying a strong association between seemingly disparate cybercrime actors.
“Whether Karakurt is an elaborate side hustle by Conti and Diavol operatives or whether this is an enterprise sanctioned by the overall organization remains to be seen,” Arctic Wolf said.
“This connection perhaps explains why Karakurt is surviving and thriving despite some of its exfiltration-only competitors dying out,” the researchers said, adding, “Or, alternatively, perhaps this was the trial run of a strategic diversification authorized by the main group.”