Conti ransomware gang allegedly lives on through its affiliates

November 28, 2022

The threat ecosystem around the Conti ransomware gang grows stronger each day, and Conti retains its status as one of the most prolific ransomware operations in the worldwide cybercriminal landscape. Based on a recent study, the Conti operators are slowly shifting their focus away from the United States and concentrating on NATO-affiliated countries, especially in Europe.

Conti’s alleged shutdown may not be the whole story, since many experts believe the operators have simply moved their activity into affiliate brands such as Black Basta and BlackByte.

Moreover, these groups have been aggressively launching attacks against critical infrastructure sectors in Europe and against organisations elsewhere in the world.


The Conti ransomware gang and its affiliates have been on a tear during the first half of this year.


The latest tally of cybercriminal activity shows that the affiliates of the Conti ransomware gang have listed more than 80 victim organisations on their data leak websites. Nearly 50% of the targets were firms connected to critical infrastructure in Europe, including energy, government, pharmaceuticals, food, education, facilities, and transportation.

The remaining victims were manufacturers, construction organisations, and small retail businesses in the United States.

Recent activity from the Black Basta operation shows that it uses multiple distribution strategies to deliver several malware strains, such as SmokeLoader, Emotet, and Ratel.

In addition, cybersecurity experts have discovered a possible connection between the FIN7 hacking group and the Black Basta campaign. This discovery implies that the two groups are cooperating and sharing defence-impairment tools, and suggests that the same threat actors may have developed the tooling used by both.

For the BlackByte operation, a separate researcher spotted a new exfiltration tool called Exbyte, deployed by operators who exploit ProxyShell vulnerabilities. According to the researchers who spotted the tool, its operators were abusing legitimate signed drivers with the Bring Your Own Vulnerable Driver (BYOVD) technique to evade security products.

Currently, the Conti group is gradually increasing the number of its allies, developing new TTPs, and compromising organisations worldwide. This increased activity indicates a growing ransomware-as-a-service (RaaS) business, through which the group can offer opportunities to thousands of cybercriminals with different skill sets.
