
Conti ransomware gang dismantles infrastructure amid Ukraine row

Pro-Ukrainian demonstrators gather outside of the White House to protest the Russian invasion on Feb. 25, 2022, in Washington. Russian President Vladimir Putin launched a full-scale invasion of Ukraine on Feb. 24. (Photo by Samuel Corum/Getty Images)

The Conti ransomware gang quickly dismantled its back-end and command-and-control infrastructure Wednesday night, following a week-long revolt by its affiliates after the gang signaled its support for Russia in the Ukraine conflict.

Conti generated $180 million in revenue in 2021 according to a Chainalysis report, making it the most active ransomware group for the year.

Wednesday evening, Radoje Vasovic, founder of the European cybersecurity firm Cybernite, noted internal chatter from Conti's chat servers discussing the tear-down of the group's infrastructure.

"All VM farms are cleared and deleted, all servers are disabled," wrote one member in Russian.

The abrupt shutdown of infrastructure follows a rough week for the criminal nuisance. On Friday, Conti issued a statement saying that it would retaliate against Western critical infrastructure if Western nations targeted Russian infrastructure during the Ukraine conflict. That proved to be a misstep with many of Conti's business partners.

Conti, a ransomware-as-a-service (RaaS) provider, licenses the ransomware it develops to separate hacker groups, many of whom are based in Ukraine or otherwise back Ukraine in the conflict. One group retaliated by leaking source code and internal chat logs, implicating Conti as having taken orders from Russian intelligence during one operation. After the damage to Conti became clear, rival RaaS group LockBit issued its own statement, declaring neutrality.

Allan Liska, a ransomware intelligence expert with Recorded Future, audited around 25 back-end and command-and-control servers mentioned in the leaks, all of which were offline.

Conti's clients appear to be jumping ship.

"Affiliates are already hopping to other RaaS offerings," said Liska.

Conti's extortion server, at present, is still online.

Dismantling internal infrastructure is not a good sign for the group, but many ransomware groups have successfully rebranded and relaunched in the past.

"Ransomware groups have been resilient before, but we've also never seen a disaster like this," said Liska.

"There is an assumption they will rebrand. But I think they will have trouble earning anyone's trust," he added.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
