Security News, November 2021: Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims
The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public.
According to MalwareHunterTeam, "While both the clearweb and Tor domains of the leak site of the Conti ransomware gang are online and working, both their clearweb and Tor domains for the payment site are down."
It's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT offered an unprecedented look into the group's ransomware-as-a-service model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims.
While ransomware attacks work by encrypting the victims' sensitive information and rendering it inaccessible, threat actors have increasingly adopted a two-pronged strategy called double extortion: they demand a ransom payment for decrypting the data and threaten to release the stolen information publicly if the payment is not received within a specific deadline.
Emerging on the cybercrime landscape in October 2019, Conti is believed to be the work of a Russia-based threat group called Wizard Spider, which is also the operator of the infamous TrickBot banking malware.
What's more, an analysis of ransomware samples and the bitcoin wallet addresses used to receive the payments has revealed a connection between Conti and Ryuk, with both families relying heavily on TrickBot, Emotet, and BazarLoader to deliver the file-encrypting payloads onto victims' networks via email phishing and other social engineering schemes.
News URL: https://thehackernews.com/2021/11/experts-expose-secrets-of-conti.html