Connect with us

Hi, what are you looking for?



Researchers Hack Conti Ransomware Infrastructure

Prodaft security researchers exploited a vulnerability in the recovery servers used by the Conti Ransomware-as-a-Service (RaaS), which allowed them to gain insight into the inner workings of the ransomware.

Prodaft security researchers exploited a vulnerability in the recovery servers used by the Conti Ransomware-as-a-Service (RaaS), which allowed them to gain insight into the inner workings of the ransomware.

The flaw also allowed the researchers to identify the real IP addresses of the hidden service hosting the recovery website, including 20 IPs communicating with the Conti servers, and two Tor entry nodes used for the recovery service, all of which were reported to the authorities.

Furthermore, Prodaft discovered victim chat sessions that allowed them to identify accounts used when extorting victims’ data, including connecting IP addresses and the employed software. The investigation also revealed the use of the same Bitcoin wallet addresses for multiple victims.

In a new report, Prodaft’s security researchers provide technical details related to the inner workings of Conti, and also show the close connection between Conti and Ryuk, essentially saying that these appear to be one and the same ransomware family.

“The data contained in this report will help law enforcement authorities act against the Conti ransomware group and its affiliates, which should result in a drastic reduction in the number of victims in the near future,” the cybersecurity firm wrote in its report.

In a statement published on their Tor-based leak website, Conti operators confirmed the breach, but claimed that no important information about its members or networks was exposed.

Believed to be the successor of the Hermes ransomware, Ryuk first emerged in 2018, and has shown a close connection with the TrickBot malware, supposedly being operated by the same cybercriminals.

Advertisement. Scroll to continue reading.

Conti was first spotted in 2020 and managed to become a prevalent threat within months, with over 400 organizations worldwide likely impacted by May 2021. In September, a U.S. government alert warned of an increase in Conti ransomware attacks.

Operating under the RaaS business model, where affiliates share up to 30% of the received payments with the ransomware operators, Conti has helped the perpetrators make over $25 million to date, the security researchers say.

Conti ransomware operator statement

The Conti affiliate panel provides access to an executable generator, a decryption application, a payment gateway for the victims, commission rate calculator, monitoring tools, and secure chat for communication with the victim.

“These tools are designed with non-technical users in mind. Cybercriminals no longer need a great deal of technical expertise to run successful attack campaigns. Instead, they maximize profit using psychological tactics like extortion and victim shaming,” Prodaft explains.

Prodaft also notes that Conti is targeting publicly known vulnerabilities such as PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) and FortiGate remote code execution bugs (CVE-2018-13379 and CVE-2018-13374).

Related: U.S. Issues Conti Alert as Second Farming Cooperative Hit by Ransomware

Related: Researchers Estimate Ryuk Ransomware Operations to Be Worth $150 Million

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.