The infamous Conti group officially closed down at the end of June following the ContiLeaks incident, when a Ukrainian security researcher infiltrated the Russian ransomware group’s infrastructure and leaked all the information he could find. Conversations, personnel information, tools, and the product’s source code were all exposed.
In a matter of weeks, Conti went from being the world’s biggest ransomware group to rapidly becoming a largely spent force. Although its campaigns in Peru and Costa Rica earlier this year made waves in the mainstream media, it appears that the Conti group itself achieved little more than headlines. But the huge volume of data that was made available regarding Conti’s operations has revealed a complex corporate structure with its own HR department, executing 600 successful campaigns in 2021 and generating total revenue of around $2.7 billion in cryptocurrency.
In Conti’s absence, an upcoming generation of ransomware groups, such as Lockbit, Black Basta, Black Cat, Vice Society, Industrial Spy, and Karakurt, is now contending for Conti’s crown by developing new methods of attack and extortion. Threat group Lockbit has become the frontrunner by a wide margin. Formerly known as ABCD Ransomware-as-a-Service (RaaS), Lockbit claims to have the fastest encryption process on the ransomware scene. Following the ContiLeaks incident at the beginning of the Russia-Ukraine conflict, Lockbit swiftly became the most dominant ransomware group as it expanded its operations, making it Conti’s heir apparent.
Newly launched Lockbit 3.0 includes a bug bounty program similar to the way legitimate companies reward researchers for helping them improve their security. LockBit operators claim they are prepared to pay out between $1,000 and $1 million to security researchers and ethical or unethical hackers. Hackers can earn rewards for pinpointing website vulnerabilities, spotting flaws in the ransomware encryption process, or finding vulnerabilities in the Tor messaging app. They can also earn rewards for identifying vulnerabilities that expose the group’s Tor infrastructure. Lockbit says it’s also prepared to reward “brilliant ideas” on how to improve its site and software, or information on its competitors. Plugging these cybersecurity holes helps protect the ransomware group’s networks from law enforcement agencies.
While still a bit behind Lockbit, BlackCat/ALPHV is, in our view, next in line for the ransomware throne. It is allegedly a rebrand of the notorious Darkside ransomware group, which was responsible for last year’s Colonial Pipeline incident. After drawing a great deal of attention from the authorities in the U.S., the group went off-grid for a couple of months, only to return as BlackMatter, and later as BlackCat/ALPHV.
BlackCat/ALPHV has produced an advanced RaaS program written in the Rust programming language. The group has also developed new extortion methods designed to force victims to pay faster. BlackCat/ALPHV demonstrated one such method only a few weeks ago. The victim was the luxury hotel “The Allison Hotel and Spa.” The breached data included records of 1,534 employees and hotel guest lists containing full names and amounts paid. But instead of merely threatening to expose the data or revealing it piecemeal, the ransomware gang swiftly upped the ante by openly publishing all of it on a leak site that mimicked the victim’s original site under a different top-level domain (TLD): “theallison.xyz.”
Relative newcomer Karakurt poses a major threat to the other contenders in the coming quarter. Only operational since September, the group mostly maintains a “Living off the Land” approach, in which attackers use legitimate software and functions already available in the victim’s systems to perform malicious actions against them. The group focuses solely on data exfiltration, without major destructive measures, and has been growing fast.
At the end of June, Karakurt launched a massive onion-based leaking platform, now holding 34 victims’ data in three sections: pre-release, in which the group reveals new victims that are unwilling to pay the ransom; release, victims whose data is in the process of being published; and released, victims whose data has been fully published. Karakurt’s current infection rate now runs in line with other A-league threat actors, such as Lockbit, and it’s set to grow fast.
As the highly professional and increasingly sophisticated ransomware groups vie for Conti’s crown by trying to out-innovate one another, organizations of all kinds must secure their rapidly-expanding communications networks against the next-generation ransomware attacks with their advanced TTPs and highly professional execution.
Although companies cannot second-guess the next move of these ransomware groups, security teams can leverage real-time, AI-driven, actionable threat intelligence alerts to keep abreast of the attacks. Ideally, these should also include a human element when it comes to research, investigation, and threat intelligence operations. We still need humans who can analyze the data and understand the vectors behind the threat itself, including the threat actor’s motivation, the TTPs in use, the third-party vendors involved, and other crucial factors.
Yochai Corem, chief executive officer, Cyberint