Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Researchers Hack Conti Ransomware Infrastructure

Prodaft security researchers exploited a vulnerability in the recovery servers used by the Conti Ransomware-as-a-Service (RaaS), which allowed them to gain insight into the inner workings of the ransomware.

Prodaft security researchers exploited a vulnerability in the recovery servers used by the Conti Ransomware-as-a-Service (RaaS), which allowed them to gain insight into the inner workings of the ransomware.

The flaw also allowed the researchers to identify the real IP addresses of the hidden service hosting the recovery website, including 20 IPs communicating with the Conti servers, and two Tor entry nodes used for the recovery service, all of which were reported to the authorities.

Furthermore, Prodaft discovered victim chat sessions that allowed them to identify accounts used when extorting victims’ data, including connecting IP addresses and the employed software. The investigation also revealed the use of the same Bitcoin wallet addresses for multiple victims.

In a new report, Prodaft’s security researchers provide technical details related to the inner workings of Conti, and also show the close connection between Conti and Ryuk, essentially saying that these appear to be one and the same ransomware family.

“The data contained in this report will help law enforcement authorities act against the Conti ransomware group and its affiliates, which should result in a drastic reduction in the number of victims in the near future,” the cybersecurity firm wrote in its report.

In a statement published on their Tor-based leak website, Conti operators confirmed the breach, but claimed that no important information about its members or networks was exposed.

Believed to be the successor of the Hermes ransomware, Ryuk first emerged in 2018, and has shown a close connection with the TrickBot malware, supposedly being operated by the same cybercriminals.

Conti was first spotted in 2020 and managed to become a prevalent threat within months, with over 400 organizations worldwide likely impacted by May 2021. In September, a U.S. government alert warned of an increase in Conti ransomware attacks.

Advertisement. Scroll to continue reading.

Operating under the RaaS business model, where affiliates share up to 30% of the received payments with the ransomware operators, Conti has helped the perpetrators make over $25 million to date, the security researchers say.

Conti ransomware operator statement

The Conti affiliate panel provides access to an executable generator, a decryption application, a payment gateway for the victims, commission rate calculator, monitoring tools, and secure chat for communication with the victim.

“These tools are designed with non-technical users in mind. Cybercriminals no longer need a great deal of technical expertise to run successful attack campaigns. Instead, they maximize profit using psychological tactics like extortion and victim shaming,” Prodaft explains.

Prodaft also notes that Conti is targeting publicly known vulnerabilities such as PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) and FortiGate remote code execution bugs (CVE-2018-13379 and CVE-2018-13374).

Related: U.S. Issues Conti Alert as Second Farming Cooperative Hit by Ransomware

Related: Researchers Estimate Ryuk Ransomware Operations to Be Worth $150 Million

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Raffi Joukhadarian has been named Managing Director and Chief Financial Officer at MorganFranklin Cyber.

Data security firm Rubrik has appointed Kavitha Mariappan as its Chief Transformation Officer.

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.