New Conti ransomware source code leaked

The individual responsible is targeting Conti after the group announced its loyalty to Russia during the invasion of Ukraine.
Written by Charlie Osborne, Contributing Writer

New versions of Conti's ransomware source code have been reportedly leaked by a researcher displeased with the group's public declaration of support to Russia. 

As reported by Bleeping Computer, a cybersecurity researcher took umbrage when the cybercriminals publicly said they supported Russia's invasion of Ukraine. 

In revenge, the individual, believed to hail from Ukraine, has been giving the ransomware operators a taste of their own hacking medicine. 

Conti is a Russian-speaking ransomware group that also operates a ransomware-as-a-service (RaaS) business model. While some ransomware payments are made in the millions, Coveware estimates that the average demand made by Conti members is just over $765,000

Over the weekend, a link to the new package was published under the "Conti Leaks" Twitter handle. The source code has been uploaded to VirusTotal and while password-protected, the information required to open the file is available to cybersecurity teams. 

Previously, the pro-Ukraine individual leaked an older version of the ransomware. 

Stealing and releasing the ransomware's source code gives cybersecurity researchers and vendors the opportunity to analyze the malware and potentially create denylists, defenses, and decryptors. However, on the flip side, attackers could also grab and adapt the code for their own malware campaigns. 

Conti's declaration of support for Russia's invasion of Ukraine also led to the leak of the group's internal chat logs.

According to the logs, Conti is made up of individuals tasked with different duties – including malware coders, tests, system administrators and 'HR' personnel who deal with hires, as well as negotiators who deal with victims and try to ensure a blackmail payment is made. 

Check Point researchers analyzed the leaked data and came to an interesting conclusion concerning the Conti hiring process: while some members are recruited through underground forums, others aren't even told that they are interviewing with cybercriminals. Instead, some potential hires were told that they would be helping in the development of software for legitimate penetration testers and analytics.

Conti is known for its devastating cyberattack on Ireland's Health Service Executive in May 2021, and while the country's healthcare system refused to pay the millions of dollars demanded as a ransomware payment, reports suggested that the HSE is footing a bill of over $48 million to recover.  

The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI have previously warned organizations of Conti activity. It is estimated that hundreds of organizations in the United States alone have fallen prey to Conti.

Last week, Google exposed the inner workings of Exotic Lily, an initial access broker (IAB) that sells network access to threat groups including Conti and Diavol.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards