Howard: Ransomware gangs often rebrand as law enforcement agencies crack down on them. But this week came news that the Conti gang, known for attacking big companies and government departments, is retiring its brand to instead work closely with other gangs. What do you make of this news?
Terry Cutler: We’ve heard this before — a group retires, then they come out of retirement and rebrand. I think what’s happening here is that there’s way too much heat on them [Conti], and some of their members may be getting a little scared. Some are asking the group to like tone it down a little bit. That’s why I think they’re switching now to smaller groups. I think after they threatened the Costa Rican government, that’s where they’d rather work with other operators like Karakurt or BlackByte. Remember, it’s the Conti brand that’s shutting down. The actors are still there. They’re just shutting things down like the negotiation site, the chat rooms, the messenger servers and the proxy servers. That doesn’t mean that the threat actors themselves are retiring.
Howard: The research by Advanced Intel argues that the recent and highly publicized attack on government departments in Costa Rica has been used as a smokescreen for Conti’s strategy shift. Conti has made us think that it’s trying to overthrow the government in the past couple of weeks, but it’s restructuring. What do you think?
Terry: I think that’s part of their great grand finale, to use this as a publicity stunt. This way, they can perform their death and, maybe, a rebirth. We have to see what’s going to happen with this ransomware gang. But I also heard that things were a little bit toxic, too, because the group pledged their allegiance to Russia and was in favour of the invasion of Ukraine. Maybe that didn’t sit well with other members. That’s why there was some leakage of some private gang chat messages and logs.
Howard: That would appear true according to some interpretations. The leak was a bit of vindictiveness by someone regarding the Conti endorsement of the Russian invasion of Ukraine.