It’s not been a great time for ransomware authors recently. Well, some ransomware authors at any rate. While many are making huge amounts of money from their device-locking antics, it’s not a profession without risk. Every so often something can and does go wrong, and ransomware groups get into all manner of trouble. Sometimes they aim too high and generate a huge amount of heat. At that point, the solution is to go into hiding or claim to be leaving the business forever.

Elsewhere, it can be a case of accidentally leaking the decryption key, or making it so that third parties can figure it out.

Sometimes, an incident is just a disaster from start to finish.

Setting the scene

Conti ransomware is perhaps most well known for its use in the HSE healthcare attacks back in May. More than 80,000 endpoints were shut down and the health service had to revert to the pen and paper approach. Providers in the US and New Zealand were also affected.

Conti is created and distributed by “Wizard Spider”, a group which also created the well-known Ryuk ransomware. Conti, offered to affiliates as Ransomware as a Service, ran wild in the first quarter of 2021. RDP brute forcing, phishing, and hardware / software vulnerabilities are the chosen methods for Conti compromise.

Where it gets interesting is that Conti directs victims to Dark Web “support portals” where they talk through the steps to unlocking impacted devices. This is where the current Conti issues have arisen.

A lack of support

Security firm Prodaft discovered a vulnerability in the servers Conti uses for recovery. Essentially, the place they tell victims to go. They discovered the real IP address of the hidden service and were able to monitor network traffic for connections to the server. This is particularly ironic considering the slightly confusing stance on free keys, which still come with a ransom attached. There was also a flurry of news recently when word dropped that they were selling access to victims.

All in all, having access to a support portal swiped is probably not high on the Conti gang’s list of “cool things to have happen”.

Down for the count?

Once word broke that a security firm accessed the server for more than a month, the people behind the ransomware scrambled to fix things. What this meant in practice, is a support portal missing in action, and no way for victims to pay.

In total, the Conti infrastructure here was mostly offline for something like two days. This sounds great in practice. However, it’s worth noting that while the ransomware edifice has temporarily toppled, individuals and organisations affected couldn’t communicate with the attackers. If they decided to pay, they wouldn’t be able to. If they wanted to appeal to their better nature, it’s not a possibility.

To add to this sense of uncertainty, the victims would have no way of knowing if the people responsible for their locked files would even come back. They could have simply cut their losses.

Not a great time to be compromised by ransomware, and that’s taking into account that there’s never a great time to be compromised by ransomware.

An increasingly creaky comeback?

Conti has now, of course, returned with a combative air of defiance:

This isn’t the first thing to go wrong for them recently, however. In August, an ex-pentester for Conti decided to spill several gallons worth of beans on Conti activities. This individual, unhappy with the money they were making, dumped files allegedly handed to affiliates on a forum. Rival factions go to war with one another all the time, but it’s still somewhat unusual to see insider documents posted quite like this.

Still, despite the wheels coming off, it doesn’t seem to stop ransomware groups for long. There’s simply too much money at stake and (probable) decent odds against getting caught by law enforcement. In the game of ransomware whack-a-mole, the mole is most definitely king.