An unknown individual, believed to be a member of the Conti ransomware gang, has leaked sensitive internal Conti ransomware communications and the source code of its encryptor, decryptor, builder, BazarBackdoor APIs, and TrickBot C&C infrastructure.
This week has seen the Conti ransomware gang suffer a series of damaging data leaks. First came the publication of internal communications between gang members that had been stolen from the gang's private XMPP chat server; then the source code of its administrative panel and BazarBackdoor API was leaked, along with further internal communications and screenshots. The latest leak also contained a password-protected archive holding the source code of the Conti encryptor, decryptor, and builder.
The Conti ransomware gang is currently one of the most prolific ransomware operations and is the successor to the Ryuk ransomware operation. The Conti gang is believed to have recently taken on the developers of the TrickBot Trojan, which has since been retired. The Conti ransomware gang has conducted thousands of ransomware attacks and has received hundreds of millions of dollars in ransom payments.
The leaks have come from a pro-Ukraine individual under the handle @ContiLeaks. The leaks came after the Conti ransomware gang announced its support for the Russian government in light of the current conflict and publicly stated that “if any body will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”
ContiLeaks initially leaked more than 390 JSON files that included over 60,000 internal messages dating from January 21, 2021 to February 27, 2022. The leaked data included bitcoin addresses and information about how the gang operates and stays one step ahead of law enforcement. A further 148 JSON files were then leaked that included 107,000 internal messages from June 2020.
ContiLeaks did not provide the password for the password-protected archive containing the source code, but the password has since been cracked and the source code of the encryptor, decryptor, and builder has now been released publicly. The release of the source code could allow other threat actors to develop their own ransomware variants based on Conti. It remains to be seen what effect the leaks will have, if any, on the Conti ransomware operation, but as with any business data breach, there can be considerable reputational damage. Affiliates of the Conti ransomware operation may take this as an opportunity to jump ship and join another ransomware operation.