The infamous ransomware group known as Conti has continued its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research.
Conti, attributed to a Russia-based threat actor known as Gold Ulrick, is one of the most prevalent malware strains in the ransomware landscape, accounting for 19% of all attacks during the three-month-period between October and December 2021.
One of the most prolific ransomware groups of the last year along the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme.
But after Russia’s invasion of Ukraine in February, a cybercriminal cartel backed Russia, an anonymous Ukrainian security researcher using the Twitter handle ContiLeaks started leaking source code and private conversations among its members. This gave an unparalleled insight into the workings of the group.
“The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” Secureworks said in a report published in March. The groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID).
Indeed, Intel 471’s technical monitoring of Emotet campaigns between December 25, 2021, and March 25, 2022, identified that over a dozen Conti ransomware targets were, in fact, victims of Emotet malspam attacks, highlighting how the two operations are intertwined.
That said, the leaks don’t seem to have put a dampener on the syndicate’s activities, with the number of Conti victims posted in March surged to the second-highest monthly total since January 2021, according to the cybersecurity firm.
What’s more, the group is said to have added 11 victims in the first four days of April, even as the operators continue to “evolve its ransomware, intrusion methods, and approaches” in response to the public disclosure of their arsenal.
The findings have also been corroborated by NCC Group late last month, which said that “Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware. “
A web of connections between Conti and Karakurt
The development comes as financial and tactical overlaps have been uncovered between Conti and the Karakurt data extortion group based on information published during the ContiLeaks saga, weeks after TrickBot’s operators had been subsumed into the ransomware cartel.
An analysis of blockchain transactions associated with cryptocurrency addresses belonging to Karakurt has shown “Karakurt wallets sending substantial sums of cryptocurrency to Conti wallets,” according to a joint investigation by researchers from Arctic Wolf and Chainalysis.
The shared wallet hosting is also said to involve the now-defunct TrickBot gang’s Diavol ransomware, with a “Diavol extortion address hosted by a wallet containing addresses used in Conti ransomware attacks,” indicating that Diavol is being deployed by the same set of actors behind Conti and Karakurt.
Further investigation of an unnamed victim that was subject to extortion after a Conti ransomware attack revealed that another group of attackers used the Cobalt Strike backdoor, which Conti left behind. This suggests a strong connection between cybercrime actors seemingly different.
” Whether Karakurt was a side hustle of Conti or Diavol operatives, or an authorized enterprise by the organization is still to be determined,” Arctic Wolf stated.
“This connection perhaps explains why Karakurt is surviving and thriving despite some of its exfiltration-only competitors dying out,” the researchers said, adding, “Or, alternatively, perhaps this was the trial run of a strategic diversification authorized by the main group. “