22 November 2021

Researchers obtained insider data on the Conti ransomware gang

Security researchers have identified and exposed the real IP address of one of the servers hosting the payment portal used by the Conti ransomware group to conduct negotiations with victims.

“Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website,” said researchers at security firm Prodaft in an in-depth analysis of Conti ransomware operation.

The team began its investigation into Conti in September 2021 after noticing a surge in Conti ransomware attacks. Prodaft’s goal was to identify the Conti affiliates, retailers, developers and servers.

According to the researchers, they were able to obtain insider data on the Conti RaaS group and its platform, including information on its management panel, and had access to the console for more than a month. They gained access to the gang’s recovery service and an admin management panel hosted as a TOR hidden service, and located the subject management panel, which is mainly used for managing victims, affiliate accounts, and uploaded files.

“One of the most valuable pieces of threat intelligence we discovered is the real IP address of Conti’s TOR hidden service and contirecovery[.]ws, and 217[.]12[.]204[.]135,” the researchers wrote.

Prodaft researchers were able to compromise the server and monitor network traffic for incoming connections, including SSH connections used by Conti members to access the server. The team was also able to determine the operating system details of the server behind the hidden service: a Debian server with the host name “dedic-cuprum-617836”. The researchers believe that the numeric value at the end of the host name is an invoice number for the server, assigned by the hosting company ITLDC.

Prodaft researchers said they shared their findings with law enforcement authorities. The team also shared the contents of the htpasswd file of the subject host, which can be used in future investigations into Conti operations.

According to a researcher known as MalwareHunterTeam, shortly after Prodaft’s report was published, Conti’s payment portal went offline, but after more than 24 hours of downtime it was brought back online.
