A security researcher angered by the Conti ransomware gang's support for the Russian government has been leaking the gang's internal data in regular batches.
The leaked trove contains Conti's internal chat messages, backdoor malware APIs, server screenshots, and the source code for the gang's malware builder, encryptor, and decryptors. All of this is now public and could be reused by other threat actors to build their own ransomware.
Leaking Conti Ransomware Source Code
Last month, Conti's decision to side with Russia in its war against Ukraine provoked many of its affiliates, especially the Ukrainian ones. While they voiced their grievances on underground forums, a security researcher who had been tracking the Conti gang for some time decided to expose the gang's secrets to the public.
BREAKING: @HoldSecurity tells me Conti's systems have been infiltrated by cybercrime researchers for some time. The data was dumped by a Ukrainian cyber security researcher pissed off after Conti expressed support for Russia in the conflict. #infosecurity
— The Ransomware Files (@ransomwarefiles) February 28, 2022
On Sunday, he began sharing a trove of data belonging to the Conti ransomware operation on Twitter through the @ContiLeaks handle. He initially leaked 393 JSON files containing over 60,000 internal messages taken from the private XMPP chat server used by the Conti and Ryuk ransomware gangs.
Those messages span January 21st, 2021 to February 27th, 2022, and contain sensitive details such as the Conti gang's modus operandi, bitcoin addresses used for payments, and plans for evading law enforcement.
The very next day, more data followed in the form of 148 additional JSON files holding over 107,000 internal messages dating back to June 2020, when the Conti operation began.
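As an added example (not code from the article, the leak, or the researcher who published it), here is a small Python triage script for a JSON chat dump of this kind: it parses the records, restricts them to the date window the article gives for the first batch, and pulls out Bitcoin-address candidates together with who posted them and when. The record layout (`ts`, `from`, `to`, `body`), the handles, and the addresses in the sample are constructed assumptions; the article does not describe the real dump's schema, and the regex is a heuristic that does not verify address checksums.

```python
"""Triage a leaked JSON chat dump: filter to a date window and collect
Bitcoin-address candidates with sender and timestamp.

Added example for this article; not code from the leak or from the article.
The record layout {"ts", "from", "to", "body"} is an ASSUMPTION for
illustration, not the schema of the actual Conti/Ryuk dump.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample addresses: syntactically plausible, not real wallets.
LEGACY_ADDR = "1ConstructedSampAddrNotReaLxyz9Qk"
BECH32_ADDR = "bc1qexample" + "0" * 28

# Constructed sample dump (fake handles, fake messages).
SAMPLE_DUMP = json.dumps([
    {"ts": "2020-06-15T10:00:00Z", "from": "operator1@chat.example",
     "to": "operator2@chat.example",
     "body": f"wallet for this one is {LEGACY_ADDR}"},
    {"ts": "2021-05-02T08:30:00Z", "from": "operator2@chat.example",
     "to": "operator1@chat.example",
     "body": f"give them {BECH32_ADDR} for the payment"},
    {"ts": "2022-01-10T12:00:00Z", "from": "operator2@chat.example",
     "to": "operator1@chat.example",
     "body": f"still {LEGACY_ADDR} ? confirm"},
    {"ts": "2022-02-26T23:15:00Z", "from": "operator1@chat.example",
     "to": "operator2@chat.example",
     "body": "rotate the servers this weekend"},
])

# Date window of the first leaked batch, as reported in the article.
LEAK_START = datetime(2021, 1, 21, tzinfo=timezone.utc)
LEAK_END = datetime(2022, 2, 27, 23, 59, 59, tzinfo=timezone.utc)

# Heuristic matcher: Bech32 (bc1...) and legacy Base58 (starts with 1 or 3).
# The character classes exclude the ambiguous characters each encoding omits
# (Bech32: 1 b i o; Base58: 0 O I l). No checksum check, so hits are candidates.
BTC_RE = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)


@dataclass(frozen=True)
class Message:
    ts: datetime
    sender: str
    recipient: str
    body: str


def parse_dump(raw: str) -> list[Message]:
    """Parse the (assumed) JSON array of chat records, sorted by timestamp."""
    out = []
    for rec in json.loads(raw):
        # fromisoformat() only accepts a trailing 'Z' on Python 3.11+.
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if ts.tzinfo is None:  # treat naive timestamps as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        out.append(Message(ts, rec["from"], rec["to"], rec["body"]))
    return sorted(out, key=lambda m: m.ts)


def messages_between(msgs: list[Message], start: datetime,
                     end: datetime) -> list[Message]:
    """Keep only messages whose timestamp falls inside [start, end]."""
    return [m for m in msgs if start <= m.ts <= end]


def extract_btc_addresses(msgs: list[Message]) -> dict[str, list[tuple[str, str]]]:
    """Map each address candidate to its (sender, ISO timestamp) sightings."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for m in msgs:
        for addr in BTC_RE.findall(m.body):
            hits.setdefault(addr, []).append((m.sender, m.ts.isoformat()))
    return hits


if __name__ == "__main__":
    msgs = parse_dump(SAMPLE_DUMP)
    in_window = messages_between(msgs, LEAK_START, LEAK_END)
    for addr, sightings in extract_btc_addresses(in_window).items():
        print(addr)
        for sender, when in sightings:
            print(f"  {when}  {sender}")
```

The sender/timestamp pairing is what makes such a dump useful to an analyst: a wallet address alone is just a string, but seeing which handle posted it, how often, and over what period ties it to an operator and to a campaign window, which is the kind of lead that later feeds blockchain tracing or law-enforcement attribution.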
The later batches also include the source code of the gang's administrative panel, the BazarBackdoor API, screenshots of storage servers, and more. The most significant item among them, however, is a password-protected archive containing the Conti ransomware source code: the encryptor, the decryptor, and the builder.
Although the archive was protected, another researcher cracked the password and published the code openly. With this turmoil inside the Conti operation, we may see many of its affiliates migrate to other ransomware groups.
While the leak damages the Conti gang today, it could also turn out badly for the security community, as other threat actors may soon reuse the now-public source code to build their own ransomware operations.