
Is the Conti Ransomware Gang Stronger Apart Than Together?

On May 9, 2022, the newly-elected Costa Rican president declared a state of national cybersecurity emergency after important government and financial institutions suffered a series of ransomware attacks from the notorious Conti ransomware gang. The attacks began on April 18 and officially impacted the following organizations: the Finance Ministry, the Ministry of Science, Innovation, Technology, and Telecommunications, the Labor and Social Security Ministry, and the Social Development and Family Allowances Fund, among others. The attack expanded on April 25 with Conti successfully targeting the systems of the electricity manager of a Costa Rican town.

Over a 24-hour period, Costa Rica suffered an onslaught of attacks that may or may not have been tied to the Conti attacks. According to Costa Rica’s Ministry of Science, Innovation, Technology and Telecommunications, more than four million cyberattacks were recorded, including malware-driven attacks, phishing, cryptocurrency mining, and command-and-control activities. Conti claimed to have stolen 672.19 GB of government data, allegedly leaking 97% of it. Initially asking USD 10 million, Conti doubled its ransom demand to USD 20 million after claiming to have infiltrated the Costa Rican government with insiders, intimating its desire to overthrow the Costa Rican government if not paid.

However, in a misstep, the brazen nature of the seditious threat likely encouraged Conti leadership to disband before garnering the full attention of the international community. Like DarkSide, which took down the Colonial Pipeline, Conti had crossed a line of what might have been “tolerated” as typical cybercrime. The threat to overthrow the Costa Rican government, while unlikely to be carried out, created enough concern that Conti leadership probably thought it better to retreat than to suffer the full attention of law enforcement and government agencies. Conti saw the writing on the wall when, on May 6, the U.S. Department of State issued a USD 10 million reward for any information leading to the identification or location of individuals connected to the Conti ransomware gang, as well as a USD 5 million reward for information leading to the arrest or conviction of any individual attempting to participate in a Conti ransomware attack. Conti leadership knew what happened to groups like REvil when targeted by the U.S. government and decided to remove itself from the scene.

When it comes to ransomware gangs, those that have demonstrated adaptability have been the most resilient. While it operated, Conti was an elite ransomware gang run by Russia-based threat actors and considered one of the most active cybercrime operations. The group recognized the importance of innovation, for example implementing a cross-platform Linux variant of its ransomware to increase its ability to compromise and encrypt as many systems as possible. Such developments inspired other ransomware groups (e.g., BlackCat, HelloKitty) to follow suit. The group also operated like a legitimate business, actively recruiting skilled talent, paying salaries, giving bonuses, and providing performance evaluations for its employees. Each Conti employee worked a 5-day workweek, with schedules staggered so that some number of staff was always on hand 24/7 to address technical problems or to respond to ransom negotiations with a victim organization. It employed a double-extortion model, both encrypting data and stealing it to be posted on a leak site if ransoms were not paid. Conti’s business model and ransomware operations proved very successful, making the group nearly USD 180 million in 2021.

Though the specific targeting of a country led to its downfall, it further revealed that Conti leadership kept thinking outside the box with respect to its attack planning. Indeed, Conti took Big Game Hunting – a term for a cyber attack that usually leverages ransomware to go after high-value organizations or entities – to a new level. How it selected Costa Rica remains uncertain, but it might have something to do with the country’s weak cybersecurity posture. Costa Rica ranks 59 in the world on the National Cyber Security Index (NCSI), an Estonia-based organization that maintains a global live index measuring the preparedness of countries to prevent cyber threats and manage cyber incidents. Per that scale, it was considerably deficient in cyber threat analysis and information; protection of digital services; protection of essential services; and contributing to the global cyber security environment.

While it targeted Costa Rica, Conti also executed an attack against Peru’s National Intelligence Directorate in late April. Notably, Peru ranks considerably lower than Costa Rica on the NCSI, at 81, and is deficient in many of the same areas as Costa Rica. Conti may have been testing the waters regionally, prepping a future attack environment should its extortion of a government have proven successful. Based on its operational history, Conti would probably have targeted other Peruvian organizations shortly thereafter, applying lessons learned to enhance its prospects of receiving a ransom payment from Peru. If this model bore out, other smaller governments in the world with similar cybersecurity shortcomings might have been in the group’s crosshairs sometime in the future.

Even now, Conti has taken the road less travelled again. Instead of rebranding under a new ransomware name, Conti members splintered, going to other ransomware groups, a move that is particularly noteworthy given Conti’s reputation for being operationally innovative. By partnering with smaller, and in some cases lesser-known, ransomware groups like HelloKitty, AvosLocker, Hive, BlackCat, and BlackByte, Conti fulfills two significant objectives: 1) it immediately injects these groups with proven individuals of various skill sets (ransom negotiators, pentesters, and ransomware operators), giving their new gang a wealth of knowledge and experience; and 2) it gives the decentralized former Conti members knowledge of and influence over the operations of other groups.

Furthermore, the presence of Conti members in other groups facilitates the possibility of group collaboration and cooperation with trusted, vetted individuals. The prospect of two established ransomware gangs coordinating activities is deeply disconcerting. More worrisome is how geopolitical events have influenced non-state and criminal actors to take sides. Conti had initially supported Russia at the onset of the Ukraine conflict, a position it softened when affiliates pushed back. Perhaps another geopolitical crisis in the future would be less contentious, making any inter-group collaboration a potential cyber force multiplier deployed against a victim state.

The better ransomware gangs persevere because of their ability to adapt to changing times. Conti has chosen a course of action that may ultimately prove its most strategic move yet. By disbanding, Conti removed itself from the public eye, scurrying to the safe harbors of other gangs. Its ultimate strength may lie in this thoughtful decentralization, where it can diversify its capabilities while preserving an opportunity to regroup in the future.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.