Conti ransomware gang's source code leaked
Latest info dump days after anonymous outing of 60,000 messages
Infamous ransomware group Conti is now the target of cyberattacks in the wake of its announcement late last week that it fully supports Russia's ongoing invasion of neighboring Ukraine, with the latest hit being the leaking of its source code for the public to see.
This disclosure comes just days after an archive leaked containing more than a year's worth of instant messages between members of Conti, believed to be based in Russia: we're talking 400 files and tens of thousands of lines of internal chat logs written in Russian. The internal communication files include messages that run from January 2021 to February 27 of this year.
Conti announced on February 25 that it was giving its "full support" to Russia's attack on Ukraine, adding the threat that, "If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy."
In an updated blog post, the group said it was not affiliated with any government but repeated the threat that it would "strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression."
The first leak came two days later, delivering messages from almost two dozen chat handles. The material was distributed by VX-Underground, an organization that collects malware source code, samples, and data.
- Microsoft: Russia invasion of Ukraine 'unlawful, unjustified'
- Conti ransomware gang leak: 60,000 messages online
- Tech world's Ukraine response mixes evacuation efforts, ad bans, free phones, infosec FUD
- Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal
Security researcher Bill Demirkapi translated the Russian chats into English. The leaks gave researchers a deep view into the ransomware group, including how it runs attacks and evades detection, how it's organized as a business, and its Bitcoin addresses.
In the second round, the leaks included such items as screenshots of storage servers and the BazarBackdoor API. The source code for Conti's ransomware encryptor, decryptor, and builder were contained in a password-protected archive. Another researcher reportedly cracked the password and broke into the archive, giving everyone access to Conti's closely-held source code.
Such information is key for a ransomware-as-a-service group like Conti, which not only launches its own ransomware attacks but also allows other threat actors to use its technology to launch their own infections. McAfee in a report last year highlighted the rise in RaaS campaigns, which researchers said has led to fewer ransomware families but allow groups to launch attacks on fewer but larger organizations and demand higher payments.
Conti has been behind a broad range of ransomware outbreaks, many of which have focused on critical infrastructure such as healthcare facilities and first-responder organizations. In May 2021, the gang took down Ireland's national healthcare service, an event that is projected to cost the government more than $100m to recover from. Conti also has attacked such large businesses as Shutterfly and Fat Face.
In May, the FBI issued a five-page notice [PDF] to American businesses warning about Conti ransomware attacks on healthcare and first-responder networks, noting at least 16 such attacks by Conti over a 12-month span, and ransom demands as high as $25m.
Russia's invasion has caused cybercrime groups like Conti to take sides, with the understanding that many such groups are linked to Russia and possibly to Russian intelligence. The Record is keeping a running total of the various gangs and where they are falling in the war, with Anonymous leading the list of those siding with Ukraine – and reportedly already attacking Russia government organizations – Conti at the top of those supporting Russia.
Brett Callow, a threat analyst at New Zealand-based cybersecurity firm Emsisoft, noted on Twitter that "taking political positions is not without risk for RaaS operations as some affiliates may not be pro-Russian." ®