22 November 2021

Researchers obtained insider data on the Conti ransomware gang


Security researchers have identified and exposed the real IP address of one of the servers hosting the payment portal used by the Conti ransomware group to conduct negotiations with victims.

“Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website,” said researchers at security firm Prodaft in an in-depth analysis of Conti ransomware operation.

The team began their investigation into Conti in September 2021 after they noticed a surge in Conti ransomware attacks. Prodaft's goal was to identify the Conti affiliates, retailers, developers and servers.

According to the researchers, they were able to obtain insider data on the Conti RaaS group and its platform, including information on its management panel and access to the console for more than a month. They gained access to the gang's recovery service and an admin management panel hosted as a TOR hidden service, and located the subject management panel mainly used for managing victims, affiliate accounts, and uploaded files.

"One of the most valuable pieces of threat intelligence we discovered is the real IP address of Conti's TOR hidden service and contirecovery[.]ws, and 217[.]12[.]204[.]135," the researchers wrote.

Prodaft researchers were able to compromise the server and monitor network traffic for incoming connections, including SSH connections used by Conti members to access the server. The team was also able to determine the operating system details of the server behind the hidden service, a Debian server with host name "dedic-cuprum-617836". The researchers believe that the numeric value at the end of the host name is an invoice number for the server, assigned by the hosting company ITLDC.

Prodaft researchers said they shared their findings with law enforcement authorities. The team also shared the contents of the htpasswd file of the subject host, which can be used in future investigations into the Conti operations.

According to a researcher known as MalwareHunterTeam, shortly after Prodaft's report was published, Conti's payment portal went offline, but after more than 24 hours of downtime it was brought back online.
