The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public.
According to MalwareHunterTeam, "while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down."
It's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT offered an unprecedented look into the group's ransomware-as-a-service (RaaS) model, whereby the developers sell or lease their ransomware technology to affiliates recruited from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims.
The result? Three members of the Conti team have been identified so far, each playing the roles of admin ("Tokyo"), assistant ("it_work_support@xmpp[.]jp"), and recruiter ("IT_Work") to attract new affiliates into their network.
While ransomware attacks work by encrypting the victims' sensitive information and rendering it inaccessible, threat actors have increasingly latched on to a two-pronged strategy called double extortion: they demand a ransom payment for decrypting the data and threaten to publicly publish the stolen information if the payment isn't received within a specific deadline.
"Conti customers – affiliate threat actors – use [a digital] management panel to create new ransomware samples, manage their victims, and collect data on their attacks," noted the researchers, detailing the syndicate's attack kill chain, which leverages the PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) and FortiGate (CVE-2018-13374 and CVE-2018-13379) vulnerabilities to compromise unpatched systems.
Emerging on the cybercrime landscape in October 2019, Conti is believed to be the work of a Russia-based threat group called Wizard Spider, which is also the operator of the infamous TrickBot banking malware. Since then, at least 567 different companies have had their business-critical data exposed on the victim shaming site, with the ransomware cartel receiving over 500 bitcoin ($25.5 million) in payments since July 2021.
What's more, an analysis of ransomware samples and the bitcoin wallet addresses used for receiving the payments has revealed a connection between Conti and Ryuk, with both families relying heavily on TrickBot, Emotet, and BazarLoader to actually deliver the file-encrypting payloads onto victims' networks via email phishing and other social engineering schemes.
PRODAFT said it was also able to gain access to the group's recovery service and an admin management panel hosted as a Tor hidden service on an Onion domain, revealing extensive details of a clearnet website called "contirecovery[.]ws" that contains instructions for purchasing decryption keys from the affiliates. Interestingly, an investigation into Conti's ransomware negotiation process published by Team Cymru last month highlighted a similar open web URL named "contirecovery[.]info."
"In order to address the complex issue of disrupting cybercriminal organizations, public and private forces need to work collaboratively with one another to better understand and mitigate the broader legal and commercial impact of the threat," the researchers said.