Conti Ransomware Shuts Down Operation, Splinters into Smaller Groups

The notable ransomware gang known as Conti has taken its infrastructure offline and shut down its ransomware operations.

Summary

The notable ransomware gang known as Conti has, according to security firm Advanced Intel (AdvIntel), taken its infrastructure offline and shut down its ransomware operations. While the public-facing ‘Conti News’ data leak site and the ransom negotiation site are still online, the Tor admin panels used by Conti members to conduct negotiations, publish news, and generate announcements on the data leak site are now offline, according to a Twitter post by an AdvIntel security researcher.

Conti, which is currently engaged in a notable long-term campaign against the Costa Rican government, is splintering and rebranding into smaller, affiliated groups to avoid increased attention from US law enforcement.

Context and Impact

Conti, which has been active since 2020, attacked several notable public entities before initiating a large-scale ransomware campaign targeting multiple offices, departments, and services within the Costa Rican government, which eventually led the Costa Rican government to declare a state of emergency. The scale and notoriety of the attack directly led to an increase in attention from US law enforcement agencies, and the US government offered a reward of up to 15 million dollars for information leading to the identification and arrest of key Conti members.

The increased attention the US reward brought upon the organization, together with an earlier leak of its internal chats and operational infrastructure in retaliation for its public support of the Russian invasion of Ukraine, appears to have compelled the group to rebrand and splinter into a number of smaller hacking groups, most likely to avoid a major law enforcement operation that would lead to arrests and disruption of the Conti network.

According to AdvIntel, while the Costa Rican operation was still ongoing, Conti quietly transitioned to multiple smaller groups, either by establishing a new group or by cooperating with an existing affiliate ransomware operation. Evidence that Conti was operating through other, smaller gangs first surfaced in February 2022, when the San Francisco 49ers American football team was hit by a ransomware attack during Super Bowl weekend, an attack attributed to the BlackByte gang. AdvIntel researchers say the evidence suggests BlackByte is not an independent gang but was created for the sole purpose of maximizing Conti’s extortion revenue. AdvIntel further suggests that the Costa Rican operation was deliberately prolonged by Conti actors to “buy time” to complete the transition before dismantling the official Conti operation.

Conti has now partnered with numerous ransomware operations, including HelloKitty, AvosLocker, Hive, BlackCat, BlackByte, and BazarCall, among others, to absorb its former members. These ex-Conti members, including negotiators, intelligence analysts, penetration testers, and developers, are being spread across other ransomware operations so that the Conti syndicate can continue to operate through them in the future.

Indicators of Compromise (IOCs)

The following domains have registration and naming characteristics similar to domains used by groups that have distributed Conti ransomware. The United States Cybersecurity and Infrastructure Security Agency (CISA) released these domains for public ingestion on March 9, 2022. Because the list is based on registration and naming similarity rather than confirmed use in every case, treat it as medium-confidence: some entries may be abandoned or only coincidentally similar, so validate hits against other evidence (time of query, originating host, subsequent connections) before blocking or declaring an incident.

Indicators

  • badiwaw[.]com
  • balacif[.]com
  • barovur[.]com
  • basisem[.]com
  • bimafu[.]com
  • bujoke[.]com
  • buloxo[.]com
  • bumoyez[.]com
  • bupula[.]com
  • cajeti[.]com
  • cilomum[.]com
  • codasal[.]com
  • comecal[.]com
  • dawasab[.]com
  • derotin[.]com
  • dihata[.]com
  • dirupun[.]com
  • dohigu[.]com
  • dubacaj[.]com
  • fecotis[.]com
  • fipoleb[.]com
  • fofudir[.]com
  • fulujam[.]com
  • ganobaz[.]com
  • gerepa[.]com
  • gucunug[.]com
  • guvafe[.]com
  • hakakor[.]com
  • hejalij[.]com
  • hepide[.]com
  • hesovaw[.]com
  • hewecas[.]com
  • hidusi[.]com
  • hireja[.]com
  • hoguyum[.]com
  • jecubat[.]com
  • jegufe[.]com
  • joxinu[.]com
  • kelowuh[.]com
  • kidukes[.]com
  • kipitep[.]com
  • kirute[.]com
  • kogasiv[.]com
  • kozoheh[.]com
  • kuxizi[.]com
  • kuyeguh[.]com
  • lipozi[.]com
  • lujecuk[.]com
  • masaxoc[.]com
  • mebonux[.]com
  • mihojip[.]com
  • modasum[.]com
  • moduwoj[.]com
  • movufa[.]com
  • nagahox[.]com
  • nawusem[.]com
  • nerapo[.]com
  • newiro[.]com
  • paxobuy[.]com
  • pazovet[.]com
  • pihafi[.]com
  • pilagop[.]com
  • pipipub[.]com
  • pofifa[.]com
  • radezig[.]com
  • raferif[.]com
  • ragojel[.]com
  • rexagi[.]com
  • rimurik[.]com
  • rinutov[.]com
  • rusoti[.]com
  • sazoya[.]com
  • sidevot[.]com
  • solobiv[.]com
  • sufebul[.]com
  • suhuhow[.]com
  • sujaxa[.]com
  • tafobi[.]com
  • tepiwo[.]com
  • tifiru[.]com
  • tiyuzub[.]com
  • tubaho[.]com
  • vafici[.]com
  • vegubu[.]com
  • vigave[.]com
  • vipeced[.]com
  • vizosi[.]com
  • vojefe[.]com
  • vonavu[.]com
  • wezeriw[.]com
  • wideri[.]com
  • wudepen[.]com
  • wuluxo[.]com
  • wuvehus[.]com
  • wuvici[.]com
  • wuvidi[.]com
  • xegogiv[.]com
  • xekezix[.]com
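The list above is defanged (`[.]` in place of `.`) and mixes exact domains with the possibility of subdomains appearing in telemetry. As an added example that is not part of the original post or of CISA's advisory, the following Python script refangs a four-domain excerpt of the list, then matches it against constructed, abridged Zeek-style `dns.log` lines. The log lines, client IPs and the column layout are constructed for illustration; matching is case-insensitive, tolerates a trailing dot, and catches subdomains of a listed domain (`cdn.badiwaw.com`) without matching a domain that merely ends in the same string (`notbadiwaw.com`).

```python
"""Match DNS query logs against a defanged Conti-related domain list (added example)."""
from __future__ import annotations

# Excerpt of the defanged domains from the IOC section above; the full list
# can be pasted in verbatim, one domain per line.
DEFANGED_IOCS = """
badiwaw[.]com
balacif[.]com
hidusi[.]com
xekezix[.]com.
"""

# Constructed, abridged Zeek-style dns.log lines (tab-separated). The columns
# assumed here are: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
# proto, trans_id, rtt, query. Real dns.log has more fields after these.
SAMPLE_DNS_LOG = """\
1647000001.12\tC1a2b3\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\t1\t0.001\twww.example.com
1647000002.45\tC4d5e6\t10.0.0.7\t51235\t10.0.0.53\t53\tudp\t2\t0.002\tHIDUSI.COM.
1647000003.78\tC7f8g9\t10.0.0.9\t51236\t10.0.0.53\t53\tudp\t3\t0.001\tcdn.badiwaw.com
1647000004.01\tCabc12\t10.0.0.11\t51237\t10.0.0.53\t53\tudp\t4\t0.003\tnotbadiwaw.com
"""

QUERY_COLUMN = 9   # index of the query field in the assumed layout
CLIENT_COLUMN = 2  # index of id.orig_h


def refang(domain: str) -> str:
    """Normalise 'Example[.]COM.' to 'example.com' (lower-case, no trailing dot)."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")


def load_iocs(text: str) -> set[str]:
    """Build a lookup set of refanged domains, skipping blank lines."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def match_query(query: str, iocs: set[str]) -> str | None:
    """Return the listed domain that `query` equals or is a subdomain of, else None.

    Walks the label suffixes of the query ('cdn.badiwaw.com' -> 'badiwaw.com')
    but never checks the bare TLD, so 'com' alone can never match.
    """
    labels = refang(query).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(log_text: str, iocs: set[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, raw_query, matched_ioc) for every log line that hits."""
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) <= QUERY_COLUMN:
            continue  # malformed or truncated line; skip rather than crash
        client, query = fields[CLIENT_COLUMN], fields[QUERY_COLUMN]
        matched = match_query(query, iocs)
        if matched:
            hits.append((client, query, matched))
    return hits


if __name__ == "__main__":
    for client, query, ioc in scan_log(SAMPLE_DNS_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"{client} queried {query} (matches listed domain {ioc})")
```

Run against a real `dns.log`, the same loop works on the output of `zeek-cut` or on any tab-separated export once `QUERY_COLUMN` and `CLIENT_COLUMN` are adjusted to the actual column positions; the suffix walk is what keeps `notbadiwaw.com` out of the results while still flagging subdomains of a listed domain.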
