The infamous ransomware group known as Conti has continued its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research.
Conti, attributed to a Russia-based threat actor known as Gold Ulrick, is one of the most prevalent malware strains in the ransomware landscape, accounting for 19% of all attacks during the three-month-period between October and December 2021.
One of the most prolific ransomware groups of the last year along the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme.
But after the cybercriminal cartel came out in support of Russia over its invasion of Ukraine in February, an anonymous Ukrainian security researcher under the Twitter handle ContiLeaks began leaking the source code as well as private conversations between its members, offering an unprecedented insight into the group’s workings.
“The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support,” Secureworks said in a report published in March. The groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID).
Indeed, Intel 471’s technical monitoring of Emotet campaigns between December 25, 2021, and March 25, 2022, identified that over a dozen Conti ransomware targets were, in fact, victims of Emotet malspam attacks, highlighting how the two operations are intertwined.
That said, the leaks don’t seem to have put a dampener on the syndicate’s activities, with the number of Conti victims posted in March surged to the second-highest monthly total since January 2021, according to the cybersecurity firm.
What’s more, the group is said to have added 11 victims in the first four days of April, even as the operators continue to “evolve its ransomware, intrusion methods, and approaches” in response to the public disclosure of their arsenal.
The findings have also been corroborated by NCC Group late last month, which said that “Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware.”
A web of connections between Conti and Karakurt
The development comes as financial and tactical overlaps have been uncovered between Conti and the Karakurt data extortion group based on information published during the ContiLeaks saga, weeks after TrickBot’s operators had been subsumed into the ransomware cartel.
An analysis of blockchain transactions associated with cryptocurrency addresses belonging to Karakurt has shown “Karakurt wallets sending substantial sums of cryptocurrency to Conti wallets,” according to a joint investigation by researchers from Arctic Wolf and Chainalysis.
The shared wallet hosting is also said to involve the now-defunct TrickBot gang’s Diavol ransomware, with a “Diavol extortion address hosted by a wallet containing addresses used in Conti ransomware attacks,” indicating that Diavol is being deployed by the same set of actors behind Conti and Karakurt.
Further forensic examination of an unnamed client that was hit with a subsequent wave of extortion attacks following a Conti ransomware infection has revealed that the second group used the same Cobalt Strike backdoor left behind by Conti, implying a strong association between seemingly disparate cybercrime actors.
“Whether Karakurt is an elaborate side hustle by Conti and Diavol operatives or whether this is an enterprise sanctioned by the overall organization remains to be seen,” Arctic Wolf said.
“This connection perhaps explains why Karakurt is surviving and thriving despite some of its exfiltration-only competitors dying out,” the researchers said, adding, “Or, alternatively, perhaps this was the trial run of a strategic diversification authorized by the main group.”