Ransomware Gang Conti Has Re-Surfaced and Now Operates as Three Groups: TRM Labs
The sanctioned hacking group with Russian origins is now operating as Black Basta, BlackByte and Karakurt, blockchain intel firm says in a new report.
The world of cybercrime saw some notable changes over the past year: new darknet marketplaces took the place of the shut down Hydra and operators of the notorious Conti ransomware group rebranded under new names, said the blockchain analytics firm TRM Labs.
In a new report analyzing the re-shaping of cybercrime industry since the beginning of the Russian war in Ukraine, TRM named alleged successors of Conti, a once-notorious ransomware gang that extorted hundreds of bitcoins from the U.S. corporations, including health-care organizations during the COVID-19 pandemic. According to TRM, Conti “rebranded into at least three smaller groups: Black Basta, BlackByte and Karakurt.”
Conti has been successfully attacking multiple organizations in the U.S. encrypting their IT systems and demanding large ransom to unlock the files. In 2022, the group pledged its allegiance to Russia in the recently started war in Ukraine. Soon after that, allegedly, an insider unhappy about the decision leaked gigabytes of the group members’ messages to each other, discussing the hacks, payouts, ways to cash out crypto and just their everyday life.
But soon, either because of the leak of for some other reasons, Conti reportedly ceased operations. However, the hackers did not quit and the crypto wallets linked to Conti operators remained active and likely switched to other ransomware strains.
In January, Chainalysis published a report saying that wallets of Conti’s alleged leader Stern “transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise,” as ransomware operators are, apparently, usually work with multiple malware variants, simultaneously collaborating with a bunch of hacker collectives at once.
TRM says the main successor of Conti is most likely the ransomware group known as Karakurt. The link between the two was previously suggested by cybersecurity experts. According to a cybersecurity firm Avertium, Karakurt usually attacks organizations that have already been compromised before.
Just like Conti, Karakurt has been not above attacking health-care organizations, in particular a billing vendor Practice Resources, that’s been hit with an attack in August 2022. However, unlike Conti, Karakurt did not encrypt victims’ files but only stole them and threatened victims to leak it if a ransom wasn’t paid.
According TRM Labs, Karakurt has been active since at least October 2021. Both Conti and Karakurt used the same address to sent the ransomware payments they received in October 2021, TRM says, and later than address sent the money to a “high-risk exchange.”
“The timeline of Karakurt's off-chain and on-chain activity confirms that the group was active long prior to Conti's official shutdown that occurred in May 2023. Karakurt appears to have been set up by Conti in 2021 and became fully operational under its new brand in 2022,” TRM Labs head of legal and government affairs Ari Redbord told CoinDesk. He added that most likely, the same people were behind Conti and Karakurt.
As for cash-out methods for cybercriminals, darknet marketplaces, where anonymous vendors offer illegal drugs, fake documents and other shadow goods and services, are becoming a popular money laundering channel, TRM Labs said in the report. In a sense that these platforms merge together their users funds on centralized wallets, they serve partly as a kind of mixer, the reports said.
This money laundering option has been attracting even more cybercriminals recently, in particular, those that profit from the child sexual abuse materials (CSAM), or child pornography, TRM said. The firm registered an uptick of CSAM-related crypto inflows to Russia-associated darknet platforms, the report said.
The war could help that trend as Russia has become increasingly isolated from the West in the political and economical sense, TRM said. “It is possible that Russia’s political and economic estrangement from the West has fuelled perceptions that the country is a friendly jurisdiction for criminals seeking to evade Western law enforcement.” it added.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.