
"Whether Karakurt is an elaborate side hustle by Conti and Diavol operatives or whether this is an enterprise sanctioned by the overall organization remains to be seen," Arctic Wolf said. The shared wallet hosting is also said to involve the now-defunct TrickBot gang's Diavol ransomware, with a "Diavol extortion address hosted by a wallet containing addresses used in Conti ransomware attacks," indicating that Diavol is being deployed by the same set of actors behind Conti and Karakurt.įurther forensic examination of an unnamed client that was hit with a subsequent wave of extortion attacks following a Conti ransomware infection has revealed that the second group used the same Cobalt Strike backdoor left behind by Conti, implying a strong association between seemingly disparate cybercrime actors. The findings are significant, not least because they throw the spotlight on the widening web of interconnections in the cybercrime ecosystem, not to mention underscore Conti's aggressive expansion and delivery tactics such as reviving Emotet and subsuming the TrickBot botnet into the ransomware cartel. The development comes as financial and tactical overlaps have been uncovered between Conti and the Karakurt data extortion group based on information published during the ContiLeaks saga, revealing what appears to be an extension of the ransomware-as-a-service (RaaS) business model. The findings have also been corroborated by NCC Group late last month, which said that "Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware." A web of connections between Conti and Karakurt What's more, the group is said to have added 11 victims in the first four days of April, even as the malware authors have persistently worked to "evolve its ransomware, intrusion methods, and approaches" in response to the public disclosure of their arsenal. That said, the leaks don't seem to have put a dampener on the syndicate's activities, with the number of Conti victims posted in March surging to the second-highest monthly total since January 2021, per the Atlanta-headquartered cybersecurity firm. Indeed, Intel 471's technical monitoring of Emotet campaigns between December 25, 2021, and March 25, 2022, identified that over a dozen Conti ransomware targets were, in fact, victims of Emotet malspam attacks, highlighting how the two operations are intertwined.

The groups, besides Gold Ulrick, include other financially motivated cybercrime actors, counting Gold Blackburn ( TrickBot, BazarLoader, Anchor, and Diavol), Gold Crestwood ( Emotet), Gold Mystic ( LockBit), and Gold Swathmore ( IcedID). "Members of groups previously believed to be distinct collaborated and frequently communicated with members of other threat groups." "The chats reveal a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support," Secureworks said in a report published in March.
I paid for the support for gold backup buddy code#
One of the most prolific ransomware groups of the last year along the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme.īut after the cybercriminal cartel came out in support of Russia over its invasion of Ukraine in February, an anonymous Ukrainian security researcher under the Twitter handle ContiLeaks began leaking the source code as well as private conversations between its members, offering an unprecedented insight into the group's workings.

The infamous ransomware group known as Conti has continued its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research.Ĭonti, attributed to a Russia-based threat actor known as Gold Ulrick, is the second most prevalent malware strain in the ransomware landscape, accounting for 19% of all attacks during the three-month-period between October and December 2021.
