Conti source code leaked by Ukrainian researcher

The researcher who leaked the Conti ransomware group’s internal discussions has now released its source code and appears to have doxxed one of its developers.

The researcher, posting under the Twitter name @Contileaks, originally published the group's internal chats on Sunday in response to Conti's statement of support for the Russian invasion of Ukraine, and followed up by releasing the source code overnight.

The researcher released the code as a password-protected file, prompting a flurry of access requests. They explained that they would release the password to trusted parties, saying in a tweet: “conti src password only shared with trusted people for now. to prevent more damage!”

However, earlier this week another researcher appears to have cracked the password and shared the code online.

Other code published in ContiLeaks dumps appears to include the source for the TrickBot command dispatcher and data collector. The researcher also published access details to several storage servers used by the Conti Group yesterday.

The leak also extended to personal information. The researcher tweeted what they claim is the GitHub page and Gmail address gleaned from the code. The address is flagged in the code as a Conti Group developer, but replies to the tweet suggest the developer was unaware that they were writing back-end code for a ransomware operation.

Amid the data releases, the researcher continued to criticize the Russian government for its attack on Ukraine, posting, “no more sanctions! they’re destroying hospitals, and a lot of people are dead! even some of my friends!”

Screenshots have appeared of the Conti recovery dashboard and the BazarLoader command and control panel used to control infected devices.

Others claim that the source code is not the latest version; the leaked code is said to date back to September 2020.

Since the first leaks, various scans have appeared online detailing the bitcoin addresses used by the group, as well as lists of email addresses found in their correspondence. Other information now freely available online includes hundreds of data points detailing the domains used in the ransomware’s command-and-control infrastructure, as well as the gang’s active dark chat IDs.
