The Conti ransomware leaks
,

The Conti ransomware leaks

Mark Stockley

On February 27, an individual with insights into the Conti ransomwaregroup started leaking a treasure trove of data beginning with internal chat messages. Conti is responsible for a number of high profile attacks, including one against the Irish Healthcare system which has cost more than $48 millionand more importantly has had an unprecedented human impact.

Only shortly before, the Conti gang had announced its support for the Russian government despite international outrage for the invasion and war on Ukraine. We believe this triggered a strong emotional reaction from either a threat actor or someone with unique access to Conti’s infrastructure.

The Twitter handle @ContiLeakshas been posting extremely valuable data about Conti and its members. The tweets include screenshots, raw data files and even the ransomware source code. In between data dumps the actor — who is likely a Ukrainian national — is seen expressing his disgust and anger.

Due to the sheer volume of data and the fact that a large portion of chats are in Russian, it will take some time to process and analyze. What we know already is that there is extremely valuable information about the Conti ransomware group, in particular about how they work as an organization and how they target their victims.

While Conti is quite resourceful and will probably rebound, there is no doubt that these leaks will cost them a great deal of money and possibly instill fear about their identification as individuals.

The Malwarebytes Threat Intelligence team continues to track and analyze this data dump as well as other cyber threats related to the war in Ukraine. Any intelligence that is collected is passed on and used to protect our customers.

Indicators of Compromise

File nameHashDescription
1.tgz938cbbf9061792b6fc9bd2440b8a93f2db1139212f73e4fde30499568cbe75eaJabber chat logs
2.tgzc4c5b77cceb82cd9b5f5e839136313e2fbfc97db731b162bc2e250d10fd62c1a2020 chat logs
Screenshot from 2021-12-15 21-26-28.png3460d66ff62bfccae55a26b499de0f18fc4b2d6efd2283b0278385269b047973Chat with victims
Screenshot from 2021-12-06 22-57-52.png8ac29ab81c98c1b094aa0986a0e66c7473d5b6b7153f7b34ae0e0215eb474e66Chat with victims
bazar_bots_domains_html.7ze6f6fde7839a21807a321b79ac1395489c0eeea9b9187ba4d20c17559ccef608Bazar panel
bazar_bots_comments_html.7zc0941c7c8d162d60f73d56aefe36647a31575a5077392202015f480453024a6bBazar panel
Screenshot from 2021-12-06 22-58-32.png84b8c65ba4cf18f852fd435fc9210f108b090dcd5cc69cf3beaaebff6b8cec2cChat interface
Screenshot from 2021-12-15 17-29-58.png0252a7441f7a2595add46aa89b4bf7d0b5e5a9eb4683550907b03c5917ece5bdCobalt Strike interface
Screenshot from 2021-12-15 17-31-08.pngfca83ce362e14648eb729547e14b06a7f402c98cce2c96a9ab47bf676755bd02Cobalt Strike interface
Screenshot from 2021-12-15 21-26-28.png3460d66ff62bfccae55a26b499de0f18fc4b2d6efd2283b0278385269b047973Chat with victims
conti_locker_v2.zip4f0a7bf521f979afa947001eedd8b18a1ecd1994e1ae0ed90d65739de662684bEncrypted archive with source code
bazar_bots.7z78d588aad48812f4421c22eeccee1a5b0499c41ae41e20ab6186982245719b86
backdoor.js.zipae21a4210486695dbdf514d96250a4e05f0e6e572f7eaad7048b3bdd357b4aad
sendmail-master-0a343a19f4f48dd8efd6c052c092fd5feec916ad.zip5cddda3ccbf63faea37daf019437b760daa627632b986e1d764d11978944757a
backdoor-master-3ad175864899c85021fa04cb24848a2bc66b1d16.zip2191fe7baba338a2b3f5a12a95ea4e42cad96850f2afd4a6c7eaa23289d610c5
import-master-ac16d180c391fce7a644f6c2a30fc3cfb37451f6.zip9de83968d33d896fc2a2629a271fbc9bcaf5bf504e033cfdb1fb99fd55953cde
cadmin-master-b2675af7f27c05513f1fd8374ee7bc35a058f18f.zip041e879548c2839ebb36f642c5a25870ab1b015e875775077b7d8b951d53e0a1
admin-master-deb4694b0e9110ffcf84a42f70874a6e152c0b32.zipae6eef72bba38ab89c5cbe418d839b75b78a9247f06aa3e1df4850f103a6b1dd
spoked-master-cf530950c30b81188d40c56b9a66e7d3bb21710c.zip1eaef39c48fcce2af0bf1ee089dd412d29d1396b31f0536138879cd0421d53ec
storage_ebay_checker-master-599bede833e26b11db10fce55ee08ddd15280a6b.zip2a0f684bb99a9077914961bea16bac5f8baa5368a40a305a0ea0008a4c2f1bdf
srw-master-df4b6eddf7fdd2e07fb75d0492deeeb2e15f959e.zipc5bf64ac95cc82f65205984c8adb107870c71197c767744209bbc4a3e19aede8
storage_go-master-f4617f09d47a978d1128e0e1d77259900d62aac1.zipf15cff9bf29f9098999401b16d73f61fe73789866e51319c7c24c4594ed7367d
storage_ex-master-e4827b099abefd719fc674519ea0d2622ea304e0.zip6065d4b46266a2114dc8363b15ec7f884cbdbed1735f0ca4f1eb60df85d61a9b
storage-master-3607d1f6a72e28efe84b55e8a660ff97db0e79a2.zipf9e47d2cb8ba9a69c9ba8b2bc6017a1e54da68c944ee4324873047b0200546d0
185.25.51.173-20220226.json47d7d2027548f7562b221acdebe3b33d67ddd1dd278b98ad05a5f3ac14dea3fe
185.25.51.173-20220227.jsonc32f2ec819fee8581fbeed9b4eea40cb17efda7284beed5d12ed48e5af45c41c
185.25.51.173-20220228.json234665c66de8541ef8e95cb9ccbcd5ecccb0189d3cf174c4e11a2c60dbc1742e
FMvM2_PXsAMdOof.png1a34ba12130ffff45bb525cce48e5d19e4110e4a4bb06d79ad33d6a816f28927
FMvNB1mWUA4l4ud.png72c55f299c997ec0f5cb87e82141707482067609f1d631ac3cc825af90540b9f
FMvNWvqWYAEZ298.pnga18aab0f358b7b8e23ebf6eb1252172625430e9aa461b3dcebff1de357113626
rocket-chat.tgzb802f944cc6ba9b33c0d58c04295f9f6cf6473ffa602cfa447acb36a97afcc55
trickconti-forum.7zd8aa49acc0b40f52b3ac3027ecc16ee053fd01e383272eca4d0637f24fd51a55
3.tgzdf75243be11b86b6644b671dcfd16fdeaf47a7b64e28bfd3ac179c44a6312b46
FMwnZodWYAE1vDX.pngd9e24d6bd5e118f04bc36fe3cfc314a808119d12190fd9b661b5f871c33fec6b
trickbot-command-dispatcher-backend.tgz6b36a1d647d4de09e7f204f221b3445d499a540823c1c9b9612764e3241cdf62
trickbot-data-collector-backend.tgzfad2f925ad2267c01d604e12081017215fa9e5ca83279064885bd7682400b761
FMw3KrXXEAUXAQJ.pngc1f5a70c2c5bb42ac973558c5c9ef510a2caab8aae19e4f1f68c76d1d10107b9
conti_locker.7zede451e9a65e55d0827e217a25cf895163c46bc42432f7cbed0f46d99769c385
jabber_logs.7z6cd17b4422772c99c93e388bbad4c7c213584e15400fb984d748e4cfecd9dd8d

Categories

Related articles