ContiLeaks: Conti Ransomware Group’s Chat and Source Code Leaked by Ukrainian Cybersecurity Researcher

March 08, 2022 · 3 min read

One of the fiercest Russia-backed ransomware actors, the Conti Group, has itself become the victim of a data breach. On February 27, 2022, a previously unknown Twitter account, @ContiLeaks, started publishing a series of posts linking to archives of Conti’s private messages and source code. Other posts by the whistleblower make it quite obvious that they are of Ukrainian origin.

The good news is that, now that the source code for Conti’s ransomware is publicly available, cybersecurity experts on the defense side can reverse engineer it and create detection and remediation measures. On the flip side, other adversaries can also potentially reuse this code in attacks of their own.

Conti Ransomware Detection 

SOC Prime’s Team, backed by contributions from our crowdsourcing initiative, has been continuously developing detection content to defend against Conti ransomware attacks. You can access the dedicated Sigma behavior-based rules, along with their translations to multiple SIEM, EDR, and XDR formats, once you log into your account on SOC Prime’s Detection as Code platform. New users need to sign up for the platform to make the most of the detection content.

Deploy the following rules to reduce the chance of Conti ransomware activity going undetected inside your network:

Behind the Scenes of ContiLeaks

Just a couple of days before the leak, the Conti ransomware group declared its full support for the Russian government in the ongoing war against Ukraine. The group also threatened to attack critical infrastructure if anyone attempted to carry out cyber-attacks on Russia.

Such statements and actions provoked Ukrainian affiliates within the Conti Group, including an unnamed Ukrainian researcher who had been secretly monitoring and investigating the gang’s operations. The Ukrainian supporter’s response was quick and harsh: the researcher immediately started leaking Conti’s internals via public channels.

The leaked files contain almost two years of internal messaging inside the gang’s private XMPP chat server. ContiLeaks also dumped the source code for Conti’s BazarBackdoor API, admin panel, builder, encryptor, and decryptor for their ransomware. Other security researchers have joined the movement by cracking the passwords to protected archives and translating the chat messages to English.

Notably, after the world had seen the dirty laundry of a Russian threat actor, Conti completely reversed its rhetoric, stating on its website that it “condemns the war”. However, the new statement from Conti has not convinced the Ukrainian researcher, who continues to leak sensitive data.

SOC Prime Platform has gathered over 400 prominent cybersecurity professionals that create timely detections for cyber-attacks of any level of sophistication. Our detection content can be deployed across 25+ SIEM, EDR, and XDR platforms and is used by thousands of reputable organizations globally. Our community welcomes InfoSec professionals who would like to participate in building defenses against known and emerging exploits. By joining SOC Prime’s crowdsourcing initiative, researchers and content developers from across the world may submit their detections, receive recurring rewards, and gain recognition among their peers in the cyber domain.
