Conti’s Dangerous New Phase
On Friday, February 25, two days after Russia invaded Ukraine, the ransomware group Conti released this message.
Who is Conti?
Conti is a major name in the ransomware space, with a long history that includes roots in big-game ransomware groups of the past (i.e., Ryuk) and inclusion in the Maze cartel [1]. It is operated by the Wizard Spider group, which created TrickBot [2]. Wizard Spider has been identified as a Russian group.
Historically, the sole motivation for ransomware operators has been money. Wizard Spider/Conti and groups like it are well-organized and can be ruthless. The pattern is simple: get access, steal "sensitive" data (sensitive in the sense of Personally Identifiable Information (PII) or items that are valuable to the victim), encrypt everything, and demand a ransom. Without a ransom, the data is posted for the world to see to embarrass the victim and cause reputational damage.
In the past, ransomware operators have occasionally posted splashy mission statements, named enemies, etc. But for the most part, the groups have shied away from the spotlight. Groups that have ended up in the spotlight, for example DarkSide after the Colonial Pipeline attack, have often scattered like cockroaches, rebranded, and regrouped under a different name.
Conti’s Major Shift
When this message was released on Friday, February 25, 2022, it represented a major shift. Money is no longer the motive, and the spotlight is no longer a deterrent. The gloves are off. This likely means a new plan of attack. Instead of stealing valuable documents from the company, they may now steal documents that have intelligence value. Previously they demanded a ransom; now they will wreak havoc. Instead of demanding a ransom, they can throw away the keys and cripple their victims.
The new danger is that they will no longer hold back and will start to pick targets that are critical infrastructure or vital services without worrying about a payday.
Retraction or Misdirection?
A few hours after they issued the above message, they issued this message.
This partial retraction was likely issued so that they can continue running their ransomware business without aligning themselves so firmly with an atrocity, or at least to give that appearance. The original statement is likely closer to the truth. Someone said the quiet part out loud.
With the increasing number of attacks, all companies need to strengthen their security infrastructure to prevent potential threats. While times are uncertain, the best protection is preparedness. To build a strong cybersecurity foundation, follow our Cybersecurity Practices for Secure Infrastructure.
Written by Sean Cordes, BreachQuest’s Associate Director of Incident Response.