Report finds hackers linked to Conti ransomware gang active again
A new report today from Intel471 Inc. has detailed how hackers linked to the Conti ransomware gang are active again in the months following ContiLeaks.
Conti was a prolific ransomware gang with a long list of victims. Conti victims include Ireland’s health service, Advantech Co. Ltd., voice-over-internet-protocol hardware and software maker Sangoma Technologies Corp., hospitals in Florida and Texas, Tesla Inc. and Apple Inc. supplier Delta Electronics Inc. in January, and kitchenware maker Meyer Corp. U.S. in February.
The ransomware gang announced earlier this year that it was stopping operations in the wake of ContiLeaks. Described by some as the “Panama Papers of ransomware,” ContiLeaks involved an unknown member of Conti leaking the gang’s internal documentation after it came out in support of Russia’s invasion of Ukraine.
The leaked material offered a rare insight into the workings and activities of a major ransomware gang. Files leaked include chat logs, infrastructure and the economics of how the gang operates. Some of the correspondence shows that Conti had links to the Russian government.
Fast-forward to July, and although some Conti actors may still be lying low, others have splintered and moved in different directions within the cybercrime underground. Intel471 researchers found that some actors have leaned into side projects that take advantage of Conti’s prior operations, such as network access or data theft. Others have allegedly formed alliances with other ransomware-as-a-service groups.
Actors associated with Conti are also said to have branched out as independent contractors or small syndicates, using skills or schemes previously employed to support Conti operations.
One ransomware group known as Black Basta, which started a month before Conti announced its shutdown, is described as showing signs of overlap with Conti’s tactics, techniques and procedures. Black Basta’s data leak blogs, payment sites, recovery portals, victim communications and negotiation methods all bear similarities to Conti operations. That said, the researchers note that they cannot fully confirm that Black Basta is solely a rebrand launched by former Conti group members.
Another ransomware group, BlackByte, active since August 2021, also shows signs of being linked to Conti operators. A form of ransomware used by BlackByte has been found to have a worm capability similar to that of Conti’s predecessor, Ryuk ransomware, and it also employs similar techniques.
BlackByte took credit for a ransomware attack that resulted in the theft of data from the San Francisco 49ers American football team Feb. 14 and was also named in a cybersecurity advisory by the U.S. Federal Bureau of Investigation and the Secret Service on Feb. 11.
A third ransomware group, Karakurt, is also believed to have ties to ex-Conti members. Karakurt, the subject of a government warning on June 2, also has similarities to Conti, although it is noted to be primarily involved in data theft and extortion schemes.
“The ContiLeaks were a mortal blow to the Conti group, exposing enough information to make the group’s continued operation untenable,” the researchers write. “Yet even with the leaks, there were steps Conti took that enabled the ransomware group to remain resilient and continue parts of its operation.”
The researchers add that Intel 471 believes it is highly likely the most prolific members of the group will continue to operate, successfully conducting illicit cyber activity. “Furthermore, once the negative media attention dissipates, it is probable that Conti operators will seek to regroup into an organization similar to the structure it once held,” they write.
Image: Needpix