Conti Ransomware Group Leak Expands

A few days ago, we covered the leak of internal chat logs between Conti ransomware gang members. The leak was triggered by the Conti gang posting a vehement pro-Russian statement on its site, declaring unwavering support for Russia in the ongoing invasion of Ukraine. Now the same person behind the initial leak has released a lot more material, including a decryption tool and source code for the gang's malicious tools.

Conti leak expands with new info, source code

A Ukrainian member of the Conti ransomware gang stepped up a few days ago, disgruntled by the group's official stance on the war in Ukraine, and leaked many pages' worth of JSON-formatted chat logs between members of the ransomware outfit. Along with the initial dump, the same member promised there would be more to come, and he kept his promise.

The new leaks are being published through vx-underground, a portal that collects malware source code, samples, and related information. The second dump of leaked Conti and related files includes the source code of the admin panel for the platform Conti uses. A quick glance indicates that the admin panel is built on an open-source solution.

There is also abundant new information about the group's tactics, techniques, and procedures, including Active Directory enumeration, creating NTDS database dumps via vssadmin shadow copies, and details on using tools such as Cobalt Strike, ShareFinder, and AnyDesk.
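The vssadmin-based NTDS dump mentioned above is a well-known credential-theft chain: create a Volume Shadow Copy of the domain controller's system drive, copy ntds.dit out of the shadow path, and export the SYSTEM registry hive needed to decrypt it. The following detector, an added example that is not code from the leak or from any vendor, runs that correlation over process-creation events. The log lines are constructed for the example in a simplified Sysmon Event ID 1 layout (timestamp|host|user|image|command line); the regexes, the 30-minute window and the rule names are assumptions made here, not part of the original article.

```python
"""Correlate 'vssadmin create shadow' -> 'ntds.dit copied from the shadow path'
in process-creation events. Added example with constructed sample data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


# Constructed sample telemetry (not real logs): timestamp|host|user|image|command line.
SAMPLE_LOG = r"""
2022-03-01T02:14:05|DC01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
2022-03-01T02:14:41|DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
2022-03-01T02:15:02|DC01|CORP\svc_backup|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM C:\Temp\system.hive
2022-03-01T03:00:00|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2022-03-01T09:30:10|WS07|CORP\jdoe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
""".strip()

# Command-line patterns for each stage of the technique (assumed patterns, tune to your estate).
SHADOW_CREATE = re.compile(
    r"\b(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow(\.exe)?)\b",
    re.I,
)
NTDS_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\bntds\.dit\b", re.I)
SYSTEM_HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)
AD_ENUM = re.compile(r'(\bnet(\.exe)?\s+group\s+"?domain admins|\bnltest(\.exe)?\s+/dclist|\badfind(\.exe)?\b)', re.I)


def parse_log(text: str) -> list[ProcEvent]:
    """Parse pipe-delimited events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, user, image, cmdline))
    return sorted(events, key=lambda e: e.ts)


def _alert(ev: ProcEvent, rule: str, severity: str) -> dict:
    return {"rule": rule, "severity": severity, "host": ev.host,
            "user": ev.user, "ts": ev.ts.isoformat(), "cmdline": ev.cmdline}


def detect(events: list[ProcEvent], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Emit alerts; the high-severity one fires only when an ntds.dit read from a
    shadow path follows a shadow-copy creation on the same host within `window`."""
    alerts = []
    last_shadow: dict[str, datetime] = {}  # host -> most recent shadow copy creation
    for ev in events:
        cmd = ev.cmdline
        if SHADOW_CREATE.search(cmd):
            last_shadow[ev.host] = ev.ts
            alerts.append(_alert(ev, "shadow_copy_created", "low"))
        elif NTDS_FROM_SHADOW.search(cmd):
            created = last_shadow.get(ev.host)
            if created is not None and ev.ts - created <= window:
                a = _alert(ev, "ntds_dump_via_shadow_copy", "high")
                a["shadow_created_at"] = created.isoformat()
            else:
                # Shadow may have been created earlier or by another tool; still worth a look.
                a = _alert(ev, "ntds_dit_read_from_shadow_copy", "medium")
            alerts.append(a)
        elif SYSTEM_HIVE_SAVE.search(cmd):
            # The SYSTEM hive holds the boot key needed to decrypt ntds.dit offline.
            alerts.append(_alert(ev, "system_hive_export", "medium"))
        elif AD_ENUM.search(cmd):
            alerts.append(_alert(ev, "ad_enumeration", "low"))
        # Anything else, e.g. "vssadmin list shadows", is routine admin noise and stays silent.
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["rule"], alert["host"], alert["user"], alert["ts"])
```

The chain rule keys on the shadow-copy device path rather than on vssadmin alone, because backup agents create shadows routinely; a copy of ntds.dit out of `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` is what legitimate backup software does not do through cmd.exe. Pair this with the `reg save HKLM\SYSTEM` rule: an attacker needs both files to extract the hashes.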

Decryptor not useful for current victims

The source code of the Conti v2 ransomware and its decryptor were also contained in the leak. Researchers caution, however, that this is not the current version of the ransomware toolkit, so the decryptor will not help victims recently infected by Conti.

Included in the leaked Conti dump are also video tutorials recorded in Russian, instructing would-be members and affiliates on various techniques such as using Cobalt Strike, using PowerShell for penetration testing, and reverse engineering applications.

The second Conti leak also contains a slew of information on TrickBot: not just the source code of a TrickBot release, but also details on how the gang deployed the malware and the know-how its members shared with each other.

Despite the abundance of information, Threatpost quoted a security researcher with Advanced Intelligence who stated that the leak would not hurt the Conti group as much as some might hope. The leaked material concerned just one of the six teams that make up the gang, and not the central or most important one. The ransomware gang has also reportedly relaunched its operations and is moving on.

March 4, 2022