In retaliation for cybercriminals collaborating with Russia during its invasion of Ukraine, a Ukrainian security researcher has disclosed new malware source code from the Conti ransomware operation. Conti is a top-tier ransomware gang run by Russia-based threat actors. It is regarded as one of the most active cybercrime organizations because of its involvement in the development of several malware families.
After the Conti ransomware operation sided with Russia in the attack on Ukraine, a Ukrainian researcher known as ‘Conti Leaks’ chose to disclose the gang’s internal data and source code as a form of retaliation.
Last month, the researcher disclosed around 170,000 internal Conti chat messages spanning January 21st, 2021, to February 27th, 2022. These messages reveal a great deal about how the operation runs and who is involved. The researcher then leaked older Conti ransomware source code dated September 15th, 2020. Even though that code was somewhat dated, it allowed researchers and law enforcement to evaluate the malware and better understand how it operates.
Conti Leaks shared a link on Twitter pointing to the source code for Conti version 3 on VirusTotal. Although the archive is password-protected, the researcher’s subsequent tweets might reveal the password. As with the older leak, this release is a Visual Studio solution that allows anybody with access to build the ransomware locker and decryptor. Because the solution compiles without errors, other threat actors could easily modify it to use their own public keys or add features.
The release of ransomware source code, particularly for a sophisticated operation like Conti, can have serious consequences for business networks and consumers, because other threat actors frequently reuse leaked source code to launch their own ransomware attacks. In the past, a researcher released the source code for ransomware called ‘Hidden Tear,’ which was soon adopted by several threat actors to start their own operations.
While Hidden Tear can be decrypted, it sparked a wave of subsequent ransomware infections that plagued consumers and businesses for years. More recently, a threat actor disclosed the source code for the Babuk ransomware on a Russian-language hacker forum. Within days, other threat actors had repurposed that code, and new ransomware operations such as Rook and Pandora emerged from it. With the Conti ransomware gang’s source code now in the open, it is only a matter of time until other threat actors use it to start operations of their own.