article featured image


The infamous ransomware gang known as the Conti group has effectively brought an end to their operation by taking their infrastructure down and informing their team leaders that the brand no longer exists.

What Happened?

Yelisey Boguslavskiy of Advanced Intel tweeted this afternoon that the gang’s internal infrastructure had been shut down, which is where we learned this piece of information.

According to BleepingComputer the Tor admin panels that members used to undertake negotiations and post “news” on their data leak site are now down. This is despite the fact that the public-facing ‘Conti News’ data leak and the ransom negotiation website are still accessible.

It is possible that Conti created a facade of a live operation while its members slowly migrated to other, smaller ransomware operations.

According to AdvIntel, Conti just intended to exploit the platform as a marketing tool, simulating their own death and subsequent rebirth in the most believable manner possible.

The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD).


Despite the fact that the Conti ransomware brand has been abandoned, the cybercrime syndicate will continue to play an important part in the ransomware sector for a substantial amount of time to come.

Conti leadership has worked with other minor ransomware gangs to carry out assaults rather than rebranding themselves as another huge ransomware operation.

The smaller ransomware gangs benefit from this relationship by receiving an infusion of skilled Conti pentesters, negotiators, and operators. By subdividing into smaller “cells” that are all supervised by the central leadership, the Conti cybercrime syndicate is able to increase its mobility and its ability to evade law enforcement more effectively.

According to the study published by Advanced Intel, Conti has collaborated with a wide variety of well-known ransomware operations, some of which include HelloKitty, AvosLocker, Hive, BlackCat, and BlackByte, amongst others.

The current members of Conti, who include negotiators, intelligence analysts, pentesters, and coders, are dispersed among a number of different ransomware operations. Even though these individuals will now utilize the encryptors and negotiation sites used by the other ransomware operation, they are still a part of the bigger Conti criminal organization.

This fragmentation into smaller units that are either fully or partially autonomous is shown in the picture that was provided by Advanced Intel and can be found below.

According to Advanced Intel, new independent groups of Conti members have been formed recently, and the primary objective of these groups is data exfiltration rather than data encryption. Karakurt, BlackByte, and the Bazarcall collective are just a few examples of this type of grouping.

The current cybercrime syndicate is able to continue its operations as a result of these actions; however, it will no longer operate under the Conti brand.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.