According to MalwareHunterTeam, “While both the clearweb and Tor domains of the Conti ransomware gang’s leak site are online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) are down.”
Conti, which first appeared on the cybercrime landscape in October 2019, is thought to be the work of the Russia-based threat group Wizard Spider, which is also the operator of the infamous TrickBot banking malware. Since then, at least 567 different companies’ critical data has been exposed on the victim shaming site, with the ransomware cartel receiving over 500 bitcoin ($25.5 million) in payments since July 2021.
The Conti ransomware group’s clearnet and dark web payment portals have gone down in what appears to be an attempt to migrate to new infrastructure after details about the gang’s inner workings and members were made public.
While ransomware attacks work by encrypting the victims’ sensitive information and making it inaccessible, threat actors have increasingly adopted a two-pronged strategy known as double extortion, in which they demand a ransom payment for decrypting the data and threaten to publish the stolen information if the payment is not received by a specific deadline.
The researchers noted that “Conti customers – sponsor threat actors – use [a digital] management panel to create new ransomware samples, manage their victims, and collect data on their attacks,” and described the syndicate’s attack kill chain, which utilised PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) and FortiGate (CVE-2018-13374 and CVE-2018-13379) vulnerabilities to compromise unpatched systems.
A Team Cymru investigation into Conti’s ransomware negotiation process published last month uncovered a similar open web URL named “contirecovery[.]info.” PRODAFT also claimed to have gained access to the group’s recovery service and an admin management panel hosted as a Tor hidden service on an Onion domain, revealing extensive details of a clearnet website called “contirecovery[.]ws” that contains instructions for purchasing decryption keys from affiliates.
Finally, the researchers concluded: “To address the complex challenge of disrupting cybercriminal organisations, public and private forces must collaborate to better understand and mitigate the threat’s broader legal and commercial impact.”