IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Conti source code leaked by Ukrainian researcher

Source code hits the public domain as fallout continues over ransomware group's support for Russia

The researcher who leaked internal chats from the Conti ransomware group has now published its source code and appears to have doxxed one of its developers.

The leaker, going under the Twitter name @Contileaks, had originally published internal chats from the group on Sunday in response to its declaration of support for the Russian invasion of Ukraine. They followed it up by publishing the source code overnight.

The researcher published the code as a password-protected file, prompting a flurry of requests for access. They explained that they would release the password to trusted parties, saying in a tweet: "conti src password shared only with trusted ppl for now. to avoid more damage!"

However, earlier this week, another researcher appeared to have cracked the password and shared the code online.

Other code released in the ContiLeaks dumps appears to include the source for the TrickBot command dispatcher and data collector. The researcher also published access details for several storage servers used by the Conti group yesterday.

The leak also extended to personal information. The researcher tweeted what they claim is the GitHub page and Gmail address gleaned from the code. The address is flagged in the code as an developer for the Conti group, but responses to the tweet suggest that the developer did not know that he was writing back-end code for a ransomware operation.

Amid the data posts, the researcher continued to criticize the Russian government for its attack on Ukraine, posting: "more sanctions! they destroy hospitals, and a lot of ppl died! even some of my friends !"

Screenshots have appeared of the Conti recovery dashboard and the BazarLoader command and control panel used to control infected devices.

Others claimed that the source code is not the latest version. The leaked code allegedly dates back to September 2020.

Since the initial leaks occurred, various analyses have appeared online detailing the bitcoin addresses used by the group, along with lists of email addresses found it its correspondence. Other information now freely available online includes hundreds of data points detailing domains used in the ransomware's command and control infrastructure, along with the gang's active dark web chat IDs.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion
Hardware

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022