Conti Ransomware Operation Shuts Down and Restructures

The prolific Conti ransomware-as-a-service operation appears to have shut down. According to Advanced Intel, the internal infrastructure of the gang has been shut down, including the Tor admin panels that are used to negotiate with victims and to publish data on the leak site; however, the actual data leak and ransom negotiation sites remain online. The operation looks like it is splitting up and will operate as a collection of much smaller units in the future, with the Conti brand shut down for good.

The Conti gang has been prolific and grew into the leading ransomware operation in terms of the number of attacks. Attacks increased significantly in the first quarter of 2022, and the gang incorporated exploits for a further 27 vulnerabilities in Q1, according to the Ivanti Ransomware Index Report for Q1, 2022. Recently, the Conti ransomware gang conducted a sustained attack on government systems in Costa Rica in April, the severity of which prompted President Rodrigo Chaves to declare a national emergency – the first time any government has done so following ransomware attacks. The attacks in Costa Rica have had a major impact on foreign trade and tax collection, with many employees unable to be paid due to systems being down. Reuters reports that 27 organizations in Costa Rica have fallen victim to the attacks.

The shutdown of the Conti RaaS operation at a time when the attacks in Costa Rica are ongoing suggests the shutdown was planned. Yelisey Boguslavskiy of Advanced Intel suggests that such a major and very public attack gives the impression that the Conti ransomware gang is still highly active, when behind the scenes the operation was shutting down and restructuring and members of the gang were moving to other ransomware operations.

According to a recently published report from Advanced Intel, “The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD).”

It is not unusual for ransomware gangs to shut down their operations then rebrand and continue conducting campaigns under a different name. The Conti gang, aka Wizard Spider, has done this before, with the core members of the group believed to be behind the notorious Ryuk ransomware-as-a-service operation. Ryuk ransomware first appeared in August 2018 and was used for around two years. Conti was launched in the summer of 2020 following the shutdown of Ryuk, so a rebrand was due.

Boguslavskiy said Wizard Spider does not appear to be planning to launch another major ransomware operation such as Ryuk or Conti, instead, the gang has partnered with several other, smaller ransomware operations such as AvosLocker, BlackCat, BlackByte, Hive, and HelloKitty, which will continue to conduct attacks, helped by the experienced members of the Conti gang. The core members of the gang are expected to focus on data exfiltration rather than data encryption.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of