BlackByte ransomware gang exploits more orgs than previously known




Finally, in April 2022, the group launched a major attack that crippled 27 Costa Rican government organizations, causing disruptions in the country’s customs and taxes platforms and impacting foreign trade and payroll payments. In response, the US State Department put up a $10 million reward for information about the identity or location of Conti’s leaders, as well as $5 million for information leading to the arrest of any Conti co-conspirator from any country. This likely sealed the group’s fate and made being associated with it highly undesirable for any cybercriminal.

With Conti affiliates abandoning ship and joining other RaaS operations, BlackByte, Black Basta, and KaraKurt quickly stood out as three new groups that adopted code, tools, and tactics very similar to those previously associated with Conti. If BlackByte is indeed run by former Conti members, it wouldn’t be surprising that they don’t want to attract too much attention to themselves.

While BlackByte has maintained the same tactics, techniques and procedures (TTPs) since its inception, the most recent attacks have revealed new tactics and the evolution of others. For example, the group is known for deploying a self-propagating, wormable ransomware encryptor that is customized for each victim with hardcoded SMB and NTLM credentials stolen from inside the targeted network.


