Post-Breakup, Conti Ransomware Members Remain Dangerous

Published: 23/11/2024   Category: security




The gang's members have moved into different criminal activities, and could regroup once law-enforcement attention has simmered down a bit, researchers say.



Two months after the infamous Conti ransomware gang ceased operations, several of its members remain as active as ever, either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

Separately, they remain as dangerous to organizations as they were as members of a single gang, according to Intel 471. Its researchers have been tracking Conti actors as they have moved in different directions since the group dissolved in May.

The cessation of operations appears to be a bid by the group's operators to distance themselves from the brand more than anything else. In a new report, the threat intelligence firm speculates that once law-enforcement attention around the Conti group wanes, it's likely that its now-scattered members will regroup and form another criminal organization similar in structure to the original.

"In order to defend their enterprises, security practitioners need to understand how cybercriminals organize their operations," says Brad Crompton, director of intelligence for Intel 471's shared services group. "Even though Conti is defunct, former operators are still using similar [tactics, techniques, and procedures], which means security teams can still use their prior strategies in stopping similar attacks rather than ignoring them altogether in light of Conti's demise."

The Conti group is widely regarded within the security industry as one of the most destructive ransomware operations of all time. The predominantly Russia-based group first surfaced in 2020 and has used a variety of tactics to break into victim networks — including spear-phishing campaigns, stolen Remote Desktop Protocol credentials, software vulnerabilities, and poisoned software.

The FBI estimated that by January, the gang had collected some $150 million in ransom payouts from more than 1,000 victims worldwide — including more than 400 in the US. The scale of its destruction prompted the US State Department in May to announce a $10 million reward for information leading to the identification and/or location of key individuals in the gang. The State Department offered another $5 million for information leading to the arrest and conviction of individuals participating in attacks involving Conti ransomware.

In May, a Ukrainian member of the gang publicly released a large trove of Conti's internal conversations after the Conti team officially announced its support for the Russian government's invasion of Ukraine. Information from that leak, and from a previous leak in September 2021, showed that the Conti ransomware operation was structured along the lines of a formal business, complete with a physical office, scheduled working hours, managers at various tiers, and separate departments for HR, coding, training, testing, intelligence gathering, and other functions.

The FBI, the National Security Agency (NSA), and the US Cybersecurity and Infrastructure Security Agency (CISA) earlier assessed that Conti's developers used a ransomware-as-a-service model to distribute their malware. But instead of taking a cut of the ransom from affiliates — as is usually the case with ransomware-as-a-service — Conti's developers paid attackers a flat fee for deploying their malware on victims' networks.

Significantly, the leaks also appeared to confirm widely held suspicions about a link between Conti's developers and Russia's Federal Security Service (FSB).

In mid-May, Conti's developers seemingly began abruptly shutting down infrastructure — such as admin panels, servers, proxy hosts, chatrooms, and a negotiation service site — likely in response to the high level of attention the group had attracted from law enforcement and media. A few weeks later, it also shut down the site it had used to name and shame victims that refused to pay a ransom.

One analysis by AdvIntel at the time concluded that the group's main actors had already put in place plans to continue the operation under various guises a few months before its official shutdown.

The Black Basta ransomware gang, which started operations in April, one month before Conti's official exit from the ransomware scene, appears to be one such operation. Intel 471 said its analysis of the group's activities shows that Black Basta's infrastructure — such as its payment and data leak sites, recovery portals, and communication and negotiation methods — overlaps with Conti's operations.

Intel 471 has also identified two other ransomware operations — BlackByte and Karakurt — that have similar, significant overlaps with Conti and may in fact simply be rebranded Conti operations. In addition, some Conti affiliates and managers have forged alliances with other ransomware teams, including Ryuk, Maze, LockBit 2.0, BlackCat, Hive, and HelloKitty. According to Intel 471, it is also possible that other actors could use leaked Conti source code to develop their own ransomware and decryption tools.
