Conti ransomware group’s source code leaked

Infamous ransomware group Conti is now the target of cyberattacks in the wake of its announcement late last week that it fully supports Russia’s ongoing invasion of neighboring Ukraine, with the latest hit being the leaking of its source code for the public to see.

The move comes just days after the same anonymous person – believed to be a Ukrainian researcher – leaked more than a year’s worth of chat logs between members of Russia-linked Conti, comprising more than 400 files and tens of thousands of internal messages written in Russian. The internal communications run from January 2021 to Feb. 27 of this year.

Along with the source code, the Ukrainian researcher, through the Twitter handle @ContiLeaks, also leaked other information, including more internal chats and the source code of the gang’s administration panels. The researcher released 393 JSON files containing more than 60,000 internal messages that were reportedly taken from the Conti and Ryuk ransomware gang’s private XMPP chat server.

Conti emerged as the successor to the Ryuk ransomware operation.

Conti posted a blog post on Feb. 25 that it was giving its “full support” to Russia’s attack on Ukraine, adding the threat that “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”

In an updated blog post, the group said it was not affiliated with any government but repeated the threat that it would “strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

The first leak came two days later, delivering messages from almost two dozen chat handles. It was delivered to VX-Underground, an organization that collects malware source code, samples and data, where people could download it.

Security researcher Bill Demirkapi translated the Russian chats into English. The leaks gave researchers a deep view into the ransomware group, including how it runs attacks and evades detection, how it’s organized as a business and even bitcoin addresses.

In the second round, the leaks included such items as screenshots of storage servers and the BazarBackdoor API. The source code for Conti’s ransomware encryptor, decryptor and builder was contained in a password-protected archive. Another researcher reportedly cracked the password quickly and opened the archive, giving everyone access to Conti’s closely held source code.

Such information is key for a ransomware-as-a-service (RaaS) group like Conti, which not only launches its own ransomware attacks but also lets other threat actors use its tooling to launch their own. Cybersecurity firm McAfee in a report last year highlighted the rise in RaaS campaigns, which researchers said has resulted in fewer distinct ransomware families while letting groups concentrate on fewer but larger targets and demand higher payments.

Conti has been behind a broad range of ransomware attacks, many of which have focused on critical infrastructure such as healthcare facilities and first-responder organizations. In May 2021, the gang took down Ireland’s national healthcare service, an event that is projected to cost the government more than $100 million to recover from. Conti also has attacked such large businesses as Shutterfly and Fat Face.

Also in May 2021, the FBI issued a five-page notice to U.S. businesses warning about Conti ransomware attacks on healthcare and first-responder networks, noting at least 16 such attacks by Conti over a 12-month span and ransom demands as high as $25 million.

Russia’s invasion has caused cybercrime groups like Conti to take sides, with the understanding that many such groups are linked to Russia and possibly to Russian intelligence. The Record is keeping a running tally of the various gangs and where they stand on the war, with Anonymous leading the list of those siding with Ukraine – and reportedly already attacking Russian government organizations – and Conti at the top of those supporting Russia.

Brett Callow, a threat analyst at New Zealand-based cybersecurity firm Emsisoft, noted on Twitter that “taking political positions is not without risk for RaaS operations as some affiliates may not be pro-Russian.”