When this publication last covered Conti, the ransomware used by a highly skilled gang infamous for targeting large corporations, it covered how the gang had brought some of TrickBot’s experienced malware developers into the fold to work on making BazarBackdoor more efficient at distributing the ransomware. At the time it was speculated this would propel Conti into the ransomware hall of fame. The recent upheaval in Europe seems to have placed a dedicated number of security researchers against the ransomware gang.
Going back to the end of February, the Conti gang announced their unwavering support for Russia and the country’s military invasion of Ukraine.
This of course was not accepted with open arms by many in the InfoSec community. The first retaliation came in the form of a data leak.
On February 25, security firm Hold Security confirmed that a Ukrainian security researcher had leaked over 60,000 internal messages belonging to the Conti ransomware operation. Regarding more detailed figures, Bleeping Computer, who also verified the leak, notes,
“In total, there are 393 leaked JSON files containing a total of 60,694 messages since January 21, 2021, through today. Conti launched their operation in July 2020, so while it contains a big chunk of their internal conversations, it is not all of them.”
As to the content of the messages, they cover a wide array of topics discussed by gang members but have been seen to include previously unreported victims, private data leak URLs, bitcoin addresses, and discussions about their operations.
Further, Bleeping Computer discovered conversations about how the publication had discovered their December attack on Shutterfly. The leak of these messages is a severe blow to the ransomware operation, providing sensitive intelligence to researchers and law enforcement about their internal processes.
First Source Code Leak
On March 1, the Ukrainian security researcher who originally leaked the gang’s internal messages, now going by the Twitter handle @contileaks, not only leaked more messages but also some of the ransomware’s source code.
Along with some of the source code, the leak included details pertaining to BazarBackdoor’s API, screenshots of storage servers, and the administrative panel used by the gang.
The big release, however, was the password protected archive containing the source code for the Conti ransomware encryptor, decryptor, and builder. While the leaker did not share the password publicly, another researcher soon cracked it, allowing everyone access to the source code for the Conti ransomware malware files.
Trying to reverse engineer the code may not lead to much success; however, experts have noted how the code provides valuable insight into the gang’s operations.
So for those capable of coding in C, the leaked code will be a treasure trove of threat analysis information. However, it can be expected that not everyone who gets their hands on the code will use it for academic or defensive purposes.
In the recent past, Hidden Tear was leaked and other cyber criminals jumped onto the bandwagon, creating their own ransomware variants. Some examples include Qinynore, Nog4yH4n Project, IT.Books, OPdailyallowance, ScorpionLocker, Sorry, and Cyber Police.
The same can be expected in the case of the Conti leaks. While this may suit the leaker’s agenda of damaging the Conti business, security analysts may be left dealing with the fallout.
Second Source Code Leak
Subsequent analysis showed the leaked source code to date back to September 2020, meaning an older version of the ransomware was leaked by Conti Leaks. However, on March 20, Conti Leaks again leaked Conti ransomware source code, this time of a far newer vintage.
The dates of the code show the last modification to the code happened on January 25th, 2021, making it over one year newer than the previously released code. The version leaked appears to be version 3 of the ransomware according to VirusTotal scans.
Both leaked versions can give a knowledgeable individual the ability to create either a locker or a decryptor. The question remains as to what the impact will be on the ransomware gang: whether it will severely impact the gang’s business model or be a minor annoyance. What may prove decisive for the gang is the information gained by security researchers and law enforcement.
In Checkpoint’s analysis of the first source code leak, it was revealed how similar Conti’s operation is to a legitimate startup in terms of structure and approach. As to the aftermath of the leak, Checkpoint researchers noted,
“Because the leak kept going after the initial dump of leaked data, we all got the unusual privilege of seeing responses to the original leak. Members were seen wiping past activity, removing production VMs and moving to other communication channels…It seems the leak added to the pile of current problems in Conti. As we saw in the chats, the big boss Stern went silent around mid-January, in January-February there we’ve observed multiple reported issues with the salary, and eventually, a few days before the leak Frances in Rocket.Chat tells everyone to take a break for 2-3 months to regroup and reorganize due to wide public attention and the absence of group’s bosses.”
At the time of the initial data leak, Malwarebytes was busy analysing the vast amount of data. They concluded that the data leak would result in significant financial loss in the short term but believed that the gang could bounce back.
Given the added talent of the TrickBot developers and the significant upgrades BazarLoader has received, Malwarebytes’ conclusion from before the source code was leaked still seems valid despite the recent leaks. The combined experience of the gang suggests they may have lost a few rounds in the ring but are still in the fight, sadly.