
More Conti Ransomware Source Code Leaks Online As Ukraine-Russia Invasion Progresses


The Conti ransomware gang made headlines in the past few weeks, but in a way few people expected. After the gang posted a zealous pro-Russian message in obvious support of the war in Ukraine, a member of the group whose sympathies were with Ukraine leaked significant amounts of internal correspondence of Conti members as well as the source code of older releases of the ransomware.

Now the person managing the Twitter account called ContiLeaks has published more leaks, including source code of more recent versions of the group's ransomware.

Who are the Conti crew?

Conti is a circle of Russian-speaking cybercriminals that has scored a number of successful ransomware attacks over the last couple of years, with estimated payouts in the millions of dollars.

The newly published source code leaked by the ContiLeaks account on Twitter has already been uploaded to VirusTotal. The package is password-protected, but the password was made available too.

The latest source code leak appears to be considerably more recent, carrying a timestamp from early 2021. Although that is still about a year old, it is far more recent than the previously available source code.

The internal Conti member chat logs that were leaked earlier were too extensive to be analyzed quickly, but security researchers have been picking them apart gradually. Further analysis sheds light on the internal structure of the ransomware gang and shows that it operates much like a regular business, with different departments responsible for different tasks. Those range from hiring new associates, to producing malware code, to negotiating with victims to ensure that payments are eventually made.

Are there more leaks to come?

A curious quirk discovered by Check Point researchers analyzing the chat logs is that a number of people who ended up working for Conti were hired through ordinary-looking recruitment, never realizing they were being recruited by criminals. Those unfortunate hires were led to believe they were doing legitimate work on tools used for network penetration testing.

There is no way to tell whether more leaks will follow, but the person operating the Twitter account promised much more after the initial leak and so far appears to be as good as their word. Whether the more up-to-date source code will help in the creation of decryption tools for the current versions of the ransomware is also not yet clear.