A security firm determined the actual IP address of one of the Conti ransomware group’s most sensitive servers and subsequently got console access to the compromised system for more than a month, resulting in a humiliating data breach. The Conti gang instructs victims to go to the exposed server (known as a payment portal or recovery site) to negotiate ransom payments.
In a 37-page report, the Swiss security company Prodaft said that its team discovered a flaw in Conti’s recovery servers and exploited it to determine the real IP addresses of the secret service hosting the group’s recovery site. The identified server was hosted on 220.127.116.11. ITL LLC, a Ukrainian web hosting firm, owns this IP address.
Moreover, Prodaft said its researchers had access to the server for weeks. During this time, they observed network traffic for IP addresses that were linked to it. While some of the connections belonged to victims and their negotiators, Prodaft also kept an eye on SSH connections, which were almost certainly belonging to the Conti gang.
However, the researchers were out of luck because all SSH IP addresses belonged to Tor exit nodes, making it impossible to identify Conti operators. Details on the Conti server OS and its htpasswd file, which held a hashed version of the server password, were among the other vital pieces of information disclosed in the Prodaft report.
The Conti gang took notice of the report after it was released, particularly the sections concerning the breach of its payment site, the IP leak, and the sharing of their server’s hashed password—details that exposed the gang’s server to being hijacked by competing ransomware gangs.
The Conti gang had pulled its payment gateway offline, according to security researcher MalwareHunterTeam, in a chat on Thursday night, hours after Prodaft’s discoveries got public. However, the Conti payment gateway was restored late Friday night, more than 24 hours after it had been taken offline.
Prodaft said it disclosed all of its findings with law authorities so that the Conti organization and its associates may face additional legal action. However, such information is usually kept as confidential as possible to give law enforcement time to take action against cybercriminal gangs, which can take months.