Ransomware Gang Conti Has Re-Surfaced and Now Operates as Three Groups: TRM Labs

The sanctioned hacking group with Russian origins is now operating as Black Basta, BlackByte and Karakurt, blockchain intel firm says in a new report.

AccessTimeIconFeb 23, 2023 at 12:51 p.m. UTC
Updated Feb 23, 2023 at 5:27 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The world of cybercrime saw some notable changes over the past year: new darknet marketplaces took the place of the shut down Hydra and operators of the notorious Conti ransomware group rebranded under new names, said the blockchain analytics firm TRM Labs.

In a new report analyzing the re-shaping of cybercrime industry since the beginning of the Russian war in Ukraine, TRM named alleged successors of Conti, a once-notorious ransomware gang that extorted hundreds of bitcoins from the U.S. corporations, including health-care organizations during the COVID-19 pandemic. According to TRM, Conti “rebranded into at least three smaller groups: Black Basta, BlackByte and Karakurt.”

Conti has been successfully attacking multiple organizations in the U.S. encrypting their IT systems and demanding large ransom to unlock the files. In 2022, the group pledged its allegiance to Russia in the recently started war in Ukraine. Soon after that, allegedly, an insider unhappy about the decision leaked gigabytes of the group members’ messages to each other, discussing the hacks, payouts, ways to cash out crypto and just their everyday life.

But soon, either because of the leak of for some other reasons, Conti reportedly ceased operations. However, the hackers did not quit and the crypto wallets linked to Conti operators remained active and likely switched to other ransomware strains.

In January, Chainalysis published a report saying that wallets of Conti’s alleged leader Stern “transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise,” as ransomware operators are, apparently, usually work with multiple malware variants, simultaneously collaborating with a bunch of hacker collectives at once.

TRM says the main successor of Conti is most likely the ransomware group known as Karakurt. The link between the two was previously suggested by cybersecurity experts. According to a cybersecurity firm Avertium, Karakurt usually attacks organizations that have already been compromised before.

Just like Conti, Karakurt has been not above attacking health-care organizations, in particular a billing vendor Practice Resources, that’s been hit with an attack in August 2022. However, unlike Conti, Karakurt did not encrypt victims’ files but only stole them and threatened victims to leak it if a ransom wasn’t paid.

According TRM Labs, Karakurt has been active since at least October 2021. Both Conti and Karakurt used the same address to sent the ransomware payments they received in October 2021, TRM says, and later than address sent the money to a “high-risk exchange.”

“The timeline of Karakurt's off-chain and on-chain activity confirms that the group was active long prior to Conti's official shutdown that occurred in May 2023. Karakurt appears to have been set up by Conti in 2021 and became fully operational under its new brand in 2022,” TRM Labs head of legal and government affairs Ari Redbord told CoinDesk. He added that most likely, the same people were behind Conti and Karakurt.

As for cash-out methods for cybercriminals, darknet marketplaces, where anonymous vendors offer illegal drugs, fake documents and other shadow goods and services, are becoming a popular money laundering channel, TRM Labs said in the report. In a sense that these platforms merge together their users funds on centralized wallets, they serve partly as a kind of mixer, the reports said.

This money laundering option has been attracting even more cybercriminals recently, in particular, those that profit from the child sexual abuse materials (CSAM), or child pornography, TRM said. The firm registered an uptick of CSAM-related crypto inflows to Russia-associated darknet platforms, the report said.

The war could help that trend as Russia has become increasingly isolated from the West in the political and economical sense, TRM said. “It is possible that Russia’s political and economic estrangement from the West has fuelled perceptions that the country is a friendly jurisdiction for criminals seeking to evade Western law enforcement.” it added.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.