The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang’s inner workings and its members were made public.
According to MalwareHunterTeam, “while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down.”
It’s not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT offered an unprecedented look into the group’s ransomware-as-a-service (RaaS) model. Under that model, the developers sell or lease their ransomware technology to affiliates recruited from darknet forums; the affiliates then carry out attacks on the developers’ behalf and keep about 70% of each ransom payment extorted from the victims.
The result? Three members of the Conti team have been identified so far, each playing the roles of admin (“Tokyo”), assistant (“it_work_support@xmpp[.]jp”), and recruiter (“IT_Work”) to attract new affiliates into their network.
While ransomware attacks work by encrypting the victims’ sensitive information and rendering it inaccessible, threat actors have increasingly adopted a two-pronged strategy called double extortion: they demand a ransom payment for decrypting the data and also threaten to publish the stolen information if the payment is not received by a specific deadline.