Conti ransomware source code, documentation leaked

The Conti ransomware leak escalated Monday and Tuesday as an anonymous leaker published more of the gang's communications as well as internal documentation and source code.

The Conti ransomware gang, first tracked in 2020, has built a level of infamy in recent years following high-profile ransomware attacks like the one against backup vendor ExaGrid last year. The criminal outfit gained additional notoriety last week when it pledged support for Russia shortly after it invaded Ukraine; Conti threatened to target critical infrastructure against any Western nation that deployed cyber attacks against Russia.

The leaks began on Feb. 27, when a Twitter user named "Conti Leaks" published a file dump of Jabber instant messages allegedly from Conti operators. The files contained a bevy of data referencing internal Conti operations, including victim details. The situation escalated on Monday and Tuesday, as the Conti Leaks posted source code, internal documentation, forum and chat messages spanning multiple years, and much more.

While threat analysts are in general agreement that the leaked data appears to be Conti's, the leak's content should be taken with a grain of salt due to the general unreliability of cybercriminals.

Infosec researchers have continued to comb through leak data since it was published. Two of the most notable examples of this include malware archival website VX-underground and threat intelligence provider The DFIR Report. The latter created a lengthy, ongoing Twitter thread to share notable findings.

One of the most notable findings came in the form of Conti ransomware source code for multiple versions. While folders reportedly carrying decryption keys were found in the leak, they appear to be password-protected.

Pieces of TrickBot source code, specifically its command dispatching and data collection tools, were also found in the new cache of leaked data, suggesting a link between the malware and Conti operators. TrickBot is an infamous banking Trojan-turned-botnet that was first reported in 2016 and has reportedly infected well over 100,000 machines since late 2020.

An interesting find came in the form of Conti's main Bitcoin address; according to the leaks, the gang received over 65,000 BTC (well over $2 billion USD) between April 2017 and Feb. 28 of this year.

The Conti ransomware leaks have unveiled Conti's primary Bitcoin address.

From April 21st, 2017 - February 28th, 2022 Conti has received 65,498.197 BTC

That is 2,707,466,220.29 USD. pic.twitter.com/sUdRnkLsoo

— vx-underground (@vxunderground) February 28, 2022

Little is known about the leaker other than their apparent sympathy to Ukraine. For example, the leaker's Twitter profile includes multiple condemnations of Russia and its invasion.

"My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people," they wrote in one tweet. "Looking of what is happening to it breaks my heart and sometimes my heart wants to scream."

Chester Wisniewski, principal research scientist at Sophos, said the leaks are likely to prove damaging to Conti, but the overall picture is more complicated.

"Ransomware groups are sort of reverse brands," he said. "They are a label for their reputation and operational capabilities -- not to the victims, but rather other criminals who may choose to freely associate with them to coordinate further crimes. In this fashion, these leaks are likely very harmful to the overall 'brand,' as associating with them will be perceived to be dangerous if you want to remain anonymous. "

Wisniewski continued, "The bad news, though, is that like many other ransomware groups, like Ryuk who we believe to be the precursor to Conti, they may disband and reincarnate as one or more new brands to start anew with a clean reputation no different than corporate brands do on occasion. We're not Google, we're Alphabet. Who's heard of Facebook? We're Meta!"

Alexander Culafi is a writer, journalist and podcaster based in Boston.