A Ukrainian researcher has dealt a series of blows to the Conti ransomware operation, leaking internal conversations, the source code of their ransomware, administrative panels and much more.
Conti has had a difficult week. After the gang sided with Russia over the invasion of Ukraine, it offended its Ukrainian affiliates as well as a researcher who had been quietly spying on the operation.
On Sunday, the Ukrainian researcher, using the Twitter handle @ContiLeaks, leaked JSON files containing over 60,000 internal messages taken from the Conti and Ryuk ransomware gangs’ private XMPP chat server.
These conversations span from January 21st 2021 to February 27th 2022. They expose sensitive details about the cybercrime organization, such as bitcoin addresses, how the gang is organized as a business, how it conducts its attacks, how it evades law enforcement, and much more.
On Monday, the researcher leaked an additional 148 JSON files with about 107,000 internal messages, dating back to June 2020 when the Conti ransomware operation was first launched.
ContiLeaks released more data throughout the night, including the source code for the gang’s administrative panel, screenshots of storage servers, the BazarBackdoor API, and more.
Among the things leaked was a password-protected archive with the source code for the Conti ransomware encryptor, decryptor and builder.
Although ContiLeaks did not release the password, another researcher quickly cracked it, giving everyone access to the source code.
The source code offers a great deal of insight into how the malware works, even for those who can read C but cannot reverse-engineer compiled binaries.
While valuable for security research, public access to the code has its downsides.
Because the Conti code base is so clean, other threat actors should be expected to use the leaked source code to launch their own criminal operations.
However, the control server source code that was released is of little use without access to the threat actor’s infrastructure.
The full impact of this ‘data breach’ on Conti remains to be seen. It has undoubtedly damaged the gang’s reputation, which may drive affiliates to move on to another ransomware operation.
By Marvellous Iwendi.
Source: Bleeping Computer