A hacker who claims to be Ukrainian has leaked the source code of the notorious Conti ransomware after the cybercrime gang expressed its support for Russia.
Shortly after Russia sent its troops into Ukraine and most of the world started showing its support for Ukraine, the Conti ransomware group issued a statement warning that it was prepared to hit the critical infrastructure of Russia’s enemies in retaliation for potential attacks on Russia.
They later clarified that they condemn the war and denied being the allies of any government, but said they are prepared to respond to “American cyber aggression” impacting the safety and wellbeing of peaceful citizens.
Shortly after, someone created a Twitter account called “conti leaks” and started leaking files associated with the Conti ransomware operation. Some say the individual behind the leaks is a Ukrainian security researcher, while others say he/she is a Ukrainian member of the Conti group.
The first files contained tens of thousands of messages exchanged by Conti members since January 2021. The exposed information included Bitcoin addresses, conversations with victims, IP addresses and other infrastructure data.
The “conti leaks” account has continued releasing files, including more Conti chat logs, credentials, email addresses, screenshots, C&C server details, and information on servers used to store stolen files. They also leaked what appears to be source code for the Conti ransomware and other malware associated with the group, including some TrickBot code.
The files also appear to contain the source code of a Conti decryptor, but Emsisoft ransomware specialist Fabian Wosar noted that it’s not the latest version and — even if it was the latest version — it’s useless without the victim’s private key.
The leaker has also published the name of a Russian software engineer who was allegedly involved in the development of Conti.
While a detailed analysis of all the leaked files might reveal something useful for the cybersecurity community, the fact that the Conti source code has been made available could cause more harm than good, according to many members of the community.
For instance, the leaked source code could be used by less experienced cybercriminals to create their own ransomware. It’s not uncommon for open source malware allegedly created for educational purposes to be leveraged by malicious actors looking to make a profit.
It’s worth noting that the leaker placed the Conti source code in a password-protected archive and claimed they would only share the password with trusted individuals “to avoid more damage,” but someone quickly managed to crack the archive.