The Conti ransomware group claims to have shut down its operation; its infrastructure was taken offline. The team leaders have apparently declared that the brand is no more and its members are believed to have migrated to other groups carrying out smaller ransomware operations.
A publicity stunt
The news of the shutdown came in the middle of their recent attack on Costa Rica.
It appears that Conti wanted to use the Costa Rica attack as a platform for publicity, to declare its shutdown and rebirth in the most believable way.
According to an internal announcement by the Conti leadership, the attack on Costa Rica was meant to gain publicity rather than ransom. Hence, the requested ransom payment was below $1 million, even though the initial claims were suspected to be around $10 to $20 million.
Details of the Conti shutdown
A researcher from Advanced Intel tweeted that Conti’s internal infrastructure was turned off.
The Tor admin panels used by the operators to perform negotiations and publish news on their data leak site are offline.
Other internal services, such as Rocket.Chat servers, are being decommissioned. However, the public-facing 'Conti News' data leak and ransom negotiation sites are online.
The researcher claims that instead of rebranding Conti as another group, the existing members (experienced pentesters, operators, and negotiators) would be joining other ransomware operations to carry out attacks.
Is Conti still active?
Even though the Conti ransomware brand is no more, the cybercrime enterprise is expected to remain active for a long time.
The Conti leadership has previously been linked with smaller ransomware groups such as HelloKitty, Hive, BlackCat, AvosLocker, and BlackByte in conducting attacks.
Conclusion
The Conti group's attack on the Costa Rican government now seems to be a publicity facade created by the group for its own goals. Besides, researchers say that it is a common technique for ransomware gangs to disappear after a significant attack to avoid sanctions and scrutiny by law enforcement agencies.