Conti ransomware source code, documentation leaked

Nancy J. Delong


The Conti ransomware leak escalated Monday and Tuesday as an anonymous leaker published more of the gang’s communications as well as internal documentation and source code.

The Conti ransomware gang, first tracked in 2020, has gained a level of infamy in recent years following high-profile ransomware attacks like the one against backup vendor ExaGrid last year. The criminal outfit gained more notoriety last week when it pledged support for Russia shortly after it invaded Ukraine; Conti threatened to target the critical infrastructure of any Western country that deployed cyberattacks against Russia.

The leaks began on Feb. 27, when a Twitter user named “Conti Leaks” posted a file dump of Jabber instant messages allegedly from Conti operators. The files contained a bevy of information referencing internal Conti operations, including victim details. The situation escalated on Monday and Tuesday, as Conti Leaks posted source code, internal documentation, forum and chat messages spanning multiple years, and much more.

Though threat analysts are in general agreement that the leaked data appears to be Conti’s, the leak’s contents should be taken with a grain of salt due to the general unreliability of cybercriminals.

Infosec researchers have continued to comb through the leaked data since it was published. Two of the most notable examples include malware archival site VX-Underground and threat intelligence provider The DFIR Report. The latter created a lengthy, ongoing Twitter thread to share notable findings.

One of the most notable findings came in the form of Conti ransomware source code for multiple versions. While folders reportedly containing decryption keys were found in the leak, they appear to be password-protected.

Portions of TrickBot source code, specifically its command dispatching and data collection tools, were also found in the new cache of leaked data, suggesting a link between the malware and Conti operators. TrickBot is an infamous banking Trojan-turned-botnet that was first reported in 2016 and has reportedly infected well over 100,000 machines since late 2020.

An interesting find came in the form of Conti’s main Bitcoin address; according to the leaks, the gang received around 65,000 BTC (well over $2 billion USD) between April 2017 and Feb. 28 of this year.

Little is known about the leaker other than their apparent sympathy for Ukraine. For example, the leaker’s Twitter profile includes multiple condemnations of Russia and its invasion.

“My opinions are coming from the bottom of my heart which is breaking around my dear Ukraine and my people,” they wrote in one tweet. “Looking at what is happening to it breaks my heart and sometimes my heart wants to scream.”

Chester Wisniewski, principal research scientist at Sophos, said the leaks are likely to prove damaging to Conti, but the overall picture is more complex.

“Ransomware groups are kind of reverse brands,” he said. “They are a label for their reputation and operational capabilities — not to the victims, but rather to other criminals who may choose to freely affiliate with them to coordinate further crimes. In this manner, these leaks are likely quite damaging to the overall ‘brand,’ as associating with them will be perceived to be risky if you want to remain anonymous.”

Wisniewski continued, “The bad news, though, is that like many other ransomware groups, like Ryuk who we believe to be the precursor to Conti, they may disband and reincarnate as one or more new brands to start anew with a clean reputation, no different than corporate brands do on occasion. We are not Google, we are Alphabet. Who’s heard of Facebook? We’re Meta!”

Alexander Culafi is a writer, journalist and podcaster based in Boston.
