Colins Security Blog


The Conti Ransomware Leaks

Background

On February 25th, 2022 the Conti ransomware crew declared its support for the Russian government:

“The Conti Team is official announcing a full support of Russian government,” the group said in a very aggressive message posted on Friday. “If any body will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”

Later on the 25th, @FellowSecurity and @vxunderground shared a screenshot of the Conti ransomware group's private chatroom and all of its affiliates.

“Little did they know some of their “friends” sided with Ukraine.” - @vxunderground

Two days later, on February 27th, the Twitter user @ContiLeaks leaked private Conti ransomware communications (Jabber chat logs). Over the course of three days, additional Conti data sets were leaked publicly by @ContiLeaks. A full timeline of the leaked data's publication was curated and shared by @ex_raritas.

Originally it was suspected that @ContiLeaks was operated by a disgruntled, pro-Ukrainian ransomware affiliate.

As further data was leaked it became clear that @ContiLeaks had fully compromised Conti's infrastructure and shared details of their root access. Given the extent of the access obtained and the data leaked, some have theorized that a government intelligence agency is responsible for the leaks. The security company HoldSecurity reported that the leaks came from Ukrainian security researchers:

“Conti’s systems have been infiltrated by cybercrime researchers for some time. The data was dumped by a Ukrainian cyber security researcher pissed off after Conti expressed support for Russia in the conflict.” - @ransomwarefiles

This analysis aims to provide a centralized document with links to other resources and analysis.

“The #conti case will be studied for years to come. Such a diversion. And the criminal underground will fear forever the cyber ghost from Kyiv who took down Top 1 #Ransomware group in the world 🌎” - @ddd1ms

The raw data

Originally the leaked data was posted to the file sharing service anonfiles. Fortunately VX Underground took the effort to archive the data on their website.

Public analysis and data enrichments

Data Enrichment

Analysis and Review

Timezone Analysis

Jabber Logs

Notable Quotes

2022-02-23T11:51:30.228Z 2022-02-23-announcements.json rocco: Happy Holidays, Cyber Troops! Let’s bend the Amerians!

2021-04-16T21:33:34.025Z 2021-04-11-conti.json rozetka: need a debag sophos found who the option to bypass?

“Hello world. Who can help with the lock of the net? Rights raised, data pumped out. Main domain (175serves online) + 2 trusts (~40 serv online). The problem is that everywhere there is a sophos with a password. You can’t find a pass from sophos. Any changes in the settings of sofos are limited, the mount will not be able to lock, although there are cars without AV. You need someone who can cut/stop the sophos. Write in the PM who knows how to deal with sophos.”

2021-01-20T11:21:01.685Z 2021-01-11-discussion.json VasyaPypkin: no, there is better not to make noise, but to use something from native utilities, but psexec is clearly locked in sophos and the service itself is not a remote host just does not start
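As an added example (not code from this blog or from the leak archive), a small parser for the record layout the quotes above use (UTC timestamp, source JSON file, handle, message) that shifts each timestamp by a candidate UTC offset and counts messages per local hour, the basic check behind the timezone analysis listed above. The sample dump is constructed from the quotes on this page; the offset of +3 hours is only an illustrative candidate.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Record layout used by the "Notable Quotes" section:
#   <ISO-8601 UTC timestamp> <source .json file> <handle>: <message>
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z)\s+"
    r"(?P<src>\S+\.json)\s+(?P<handle>[^\s:]+):\s*(?P<msg>.*)$"
)

# Constructed sample: three timestamped quotes from this page plus one
# free-text quote that carries no timestamp and must be skipped.
SAMPLE = """\
2022-02-23T11:51:30.228Z 2022-02-23-announcements.json rocco: Happy Holidays, Cyber Troops!
2021-04-16T21:33:34.025Z 2021-04-11-conti.json rozetka: need a debag sophos found who the option to bypass?
Hello world. Who can help with the lock of the net?
2021-01-20T11:21:01.685Z 2021-01-11-discussion.json VasyaPypkin: no, there is better not to make noise
"""

def parse_record(line):
    """Parse one quote line into a dict; return None for lines in another shape."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    ts = rec["ts"]
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    rec["ts"] = datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
    return rec

def load_records(text):
    """Parse every line of a dump, dropping exact duplicate records."""
    seen, out = set(), []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["src"], rec["handle"], rec["msg"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out

def hour_histogram(records, utc_offset_hours=0, handle=None):
    """Count messages per local hour after shifting UTC by a candidate offset;
    comparing offsets shows which one places activity inside working hours."""
    shift = timedelta(hours=utc_offset_hours)
    hist = Counter()
    for rec in records:
        if handle is None or rec["handle"] == handle:
            hist[(rec["ts"] + shift).hour] += 1
    return hist
```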